by icambron 638 days ago
I don't see why the security question answer has to be stored in the clear. If you have to give it over the phone, the agent can type it into a form field that hashes it and compares, just like a password on the site.

Because security question answers have high variability for the average user. They're asked, say, what street they grew up on. Is it "S. Main St.", "South Main", "south main", "south main street", etc.?

Security questions in general are terrible so don't take this as if it's in defense of them.

My favorite are the presumptive ones that assume something like "Where did you meet your spouse?"

Someone should just go over the top: "Who was the editor of your first successful novel?" "What investment did you make your first billion with?"

My bank's list of security questions are almost all about your children or your spouse.

Other than two about your birth location and mother's maiden name, both easily found answers for someone

There's viral social media posts that do security answer farming with prompts like

"Your superhero name is the name of your pet + favorite teachers name"

You'd click on the comments and there's tens of thousands of people volunteering answers. Some are part of the hustle to till the honeypot, but I'd see people I know comment on them with real information. It's wild.

For some of us, finding our mother's maiden name is as simple as looking at our name, either because it is a hyphenated name or because there was a time when the government refused to acknowledge the existence of the father in certain cases.

It is very hard to come up with universally good security questions.

It should be web of trust.

You add let's say, up to 3 peoples names and mobile numbers for recovery and then they are contacted requesting to reach out to you to authenticate.

Something like

"You've been added to X's web of trust for account recovery at example.com. If X needs to recover their account, we may ask you to confirm with them that it's genuine."

Then something like

"X is trying to recover their account for example.com. Please contact them within the next Y days to confirm it's genuine and, if it is, respond with the 4-digit recovery code X gives you."

Then from X's side:

"Your web of trust has been contacted. Feel free to contact them now and give them the pin YYYY so they can confirm this is genuine"

This approach pretty elegantly addresses a number of security question limitations and existing 2FA infrastructures shouldn't be that hard to modify in order to implement it.

Probably my favorite feature of this approach is it requires the various security code social manipulation scams to be successful against 2 people instead of 1 which is rather statistically unfavorable for the scammer.
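The recovery flow sketched in the comment above, as an added example that is not part of the original post: a server-side model of the three messages (enrolment notice, trustee request, PIN delivery to the holder) and the trustee's confirmation step. It goes slightly beyond the comment by letting the site require a quorum of trustees (the `threshold` parameter; the comment's flow corresponds to `threshold=1`), and it shows the two checks a 4-digit code cannot survive without: a per-trustee guess limit and an expiry window. The site name, message wording, limits and the time-as-float convention are all assumptions of this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed parameters for this example; not from any real site or the comment author.
SITE = "example.com"
PIN_DIGITS = 4
WINDOW_DAYS = 3            # the "Y days" in the comment
MAX_ATTEMPTS = 3           # wrong-PIN guesses allowed per trustee before lockout
MAX_TRUSTEES = 3
DAY = 86400.0              # timestamps below are seconds since the epoch (time.time())


@dataclass
class RecoveryRequest:
    account: str
    trustees: frozenset
    threshold: int
    pin: str
    expires: float
    confirmed: set = field(default_factory=set)
    attempts: dict = field(default_factory=dict)


def enroll_trustees(account, trustees):
    """Step 1: the holder names up to MAX_TRUSTEES contacts; each gets the enrolment notice."""
    if not 1 <= len(trustees) <= MAX_TRUSTEES:
        raise ValueError(f"need 1..{MAX_TRUSTEES} trustees")
    return {
        t: (f"You've been added to {account}'s web of trust for account recovery at {SITE}. "
            f"If {account} needs to recover their account, we may ask you to confirm with "
            f"them that it's genuine.")
        for t in trustees
    }


def start_recovery(account, trustees, now, threshold=2):
    """Step 2: mint a short-lived PIN, ask the trustees to reach out, tell the holder the PIN."""
    if not 1 <= threshold <= len(trustees):
        raise ValueError("threshold must be between 1 and the number of trustees")
    pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
    req = RecoveryRequest(account=account, trustees=frozenset(trustees), threshold=threshold,
                          pin=pin, expires=now + WINDOW_DAYS * DAY,
                          attempts={t: 0 for t in trustees})
    to_trustees = {
        t: (f"{account} is trying to recover their account for {SITE}. Please contact them "
            f"within the next {WINDOW_DAYS} days to confirm it's genuine and, if it is, "
            f"respond with the {PIN_DIGITS}-digit recovery code {account} gives you.")
        for t in trustees
    }
    # Sent only to the holder's own registered channel; the PIN never goes to the trustees directly.
    to_holder = (f"Your web of trust has been contacted. Feel free to contact them now and give "
                 f"them the PIN {pin} so they can confirm this is genuine.")
    return req, to_trustees, to_holder


def confirm(req, trustee, pin_from_trustee, now):
    """Step 3: a trustee replies with the PIN the holder read to them.

    Returns 'unknown_trustee', 'expired', 'locked', 'wrong_pin',
    'confirmed' (counted, quorum not yet met) or 'recovered' (quorum met).
    """
    if trustee not in req.trustees:
        return "unknown_trustee"
    if now > req.expires:
        return "expired"
    if req.attempts[trustee] >= MAX_ATTEMPTS:
        return "locked"        # a 4-digit PIN only holds up if guesses are capped
    if not hmac.compare_digest(pin_from_trustee.encode(), req.pin.encode()):
        req.attempts[trustee] += 1
        return "wrong_pin"
    req.confirmed.add(trustee)
    return "recovered" if len(req.confirmed) >= req.threshold else "confirmed"


if __name__ == "__main__":
    holder, web = "alice", ["bob", "carol", "dave"]
    for notice in enroll_trustees(holder, web).values():
        print(notice)
    req, notices, holder_msg = start_recovery(holder, web, now=0.0)
    print(notices["bob"])
    print(holder_msg)
    print(confirm(req, "bob", req.pin, now=3600.0))      # confirmed
    print(confirm(req, "carol", req.pin, now=7200.0))    # recovered (quorum of 2)
```

With `threshold=2` a scammer who talks the holder out of the PIN still has to convince two trustees before the window closes, and a trustee whose phone is stolen gets three guesses at a 10,000-way code rather than unlimited ones.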

A lot of people don’t want their trusted web to know what websites they are looking at? Think Grindr/other dating sites, financial/crypto, pornhub, certain message boards etc.
Well, don't use it for porno sites then, or just give different personal email addresses for your web.

Also there's a 100+ year old workaround for that which used to be used in the postal service so people didn't have boxes on their doorstep with giant labels on it reading things like "Dildos Direct": Either leave the company name off or use some alias.

Including the company name is really just a user interface flourish to dealienate the feature

What city were you born in: “Millwaukee”. The agent would be able to tell it was Milwaukee, but if he or she typed “Milwaukee” it’d go “bzzzzt” just because the user typoed the input initially at set-up.
It's still awful security. City of birth is public info.
It’s just an example to illustrate a point. Coulda been “Starbux lovers” instead of “starstruck lovers”.
It's a security question to access information on the account over the phone. It's not used in the web based system, which is completely detached from the phone system.
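Putting the first comment's suggestion (hash the answer the agent types, as a site hashes a password) next to the objection that answers vary in form, and the "Millwaukee" typo later in the thread: an added example, not code from any commenter, showing what canonicalisation before hashing buys and what it does not. The abbreviation table, the suffix list and the scrypt parameters are assumptions of this example. Variants of the same street name collapse to one stored hash; a typo made at set-up still fails at verification, exactly as the "Millwaukee" comment describes, because no deterministic fold can recover an answer that was never stored.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Assumed fold rules for a street-name question; a real deployment tunes these per question.
ABBREVIATIONS = {"st": "street", "ave": "avenue", "rd": "road", "dr": "drive",
                 "n": "north", "s": "south", "e": "east", "w": "west"}
SUFFIXES = {"street", "avenue", "road", "drive"}   # dropped: "south main" == "south main street"
SCRYPT = dict(n=2 ** 14, r=8, p=1)                  # slow hash, same reasoning as for passwords


def canonicalize(answer):
    """Fold an answer to one deterministic form: case, Unicode, punctuation, abbreviations, suffix."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", " ", text)            # "S. Main St." -> "s  main st "
    words = [ABBREVIATIONS.get(w, w) for w in text.split()]
    words = [w for w in words if w not in SUFFIXES]
    return " ".join(words)


def enroll_answer(answer, salt=None):
    """At set-up: store a random salt and the scrypt digest of the canonical answer, never the answer."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(canonicalize(answer).encode(), salt=salt, **SCRYPT)
    return salt, digest


def verify_answer(stored, answer):
    """On the phone: the agent types what the caller says; only the hashes are compared."""
    salt, digest = stored
    candidate = hashlib.scrypt(canonicalize(answer).encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    street = enroll_answer("S. Main St.")
    for said in ["south main street", "South Main", "SOUTH  MAIN ST", "North Main"]:
        print(f"{said!r:22} -> {verify_answer(street, said)}")
    # The typo case from the thread: stored with a typo at set-up, the correct spelling fails.
    city = enroll_answer("Millwaukee")
    print(f"{'Milwaukee'!r:22} -> {verify_answer(city, 'Milwaukee')}")
```

The fold is deliberately lossy in one direction only: it merges spellings of the same answer, which slightly shrinks the space an attacker has to guess, so the slow hash and the usual attempt limits on the phone channel still carry the security, not the secrecy of a street name.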