
We currently use 5 security questions but Operations team is asking us if we could lower down to 3.

With that,What is the best practice for this one? How many security questions should be asked?

schroeder
Joe
  • This is kind of a broad question as we have no idea what you're trying to secure. Different applications will have different threat models so there is no answer that will apply to everyone. An institution handling SSNs will want to ask more security questions than something like Tumblr might, for instance. – DKNUCKLES Mar 01 '17 at 14:49
  • What is this for? Part of login, forgotten password facility? What are you protecting? The industry generally is moving away from security questions - they are often easy to guess / socially engineer. Google is going through a process of asking users to remove security questions from their account. Solid password reset & 2FA are a better solution generally – iainpb Mar 01 '17 at 15:27
  • It will also depend on how private and secret the data is: "what is your mother's maiden name?" is trivial to find out, "what was your tax return in 2015?" is much more private, and you might only need that one question – schroeder Mar 01 '17 at 15:33

1 Answer


If you check OWASP, there are some resources to try and help.

But their basic point (which I have heard made several times in other places, but cannot find a link for) is that security questions are generally not a great approach. However, they do say:

a good practice might be to require the user to select 1 or 2 questions from a set of canned questions as well as to create (a different) one of their own and then require they answer one of their selected canned questions as well as their own question

I think - but again, cannot substantiate - that being able to reset the password and have a temporary link sent to a pre-validated email address is the preferred approach.

iwaseatenbyagrue
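One way to implement the OWASP-style policy quoted in the answer (the user selects 1 or 2 canned questions and writes one of their own; at reset time they must answer one of their selected canned questions plus their own). This is an added example, not code from the original post or from OWASP; the question pool, the PBKDF2 parameters and the field layout are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed for this example: the canned question pool an application might offer.
CANNED_QUESTIONS = {
    "q1": "What was the name of your first school?",
    "q2": "In what city did your parents meet?",
    "q3": "What was the make of your first car?",
}
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune like a password hash


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'New York ' and 'new york' compare equal."""
    return " ".join(answer.split()).casefold()


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Slow-hash an answer exactly like a password; answers are never stored in clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def enroll(selected: dict, own_question: str, own_answer: str) -> dict:
    """Enrol per the quoted policy: 1 or 2 canned questions plus one user-written question."""
    if not 1 <= len(selected) <= 2 or not selected.keys() <= CANNED_QUESTIONS.keys():
        raise ValueError("select 1 or 2 questions from the canned pool")
    canned = {qid: hash_answer(ans) for qid, ans in selected.items()}
    salt, digest = hash_answer(own_answer)
    return {"canned": canned, "own": (own_question, salt, digest)}


def challenge(record: dict) -> Tuple[str, str]:
    """Pick one of the user's selected canned questions at random, plus their own question."""
    qid = secrets.choice(sorted(record["canned"]))
    return qid, record["own"][0]


def verify(record: dict, qid: str, canned_answer: str, own_answer: str) -> bool:
    """Both answers must match; digests are compared in constant time and both are
    always evaluated so a failure does not reveal which answer was wrong."""
    salt, expected = record["canned"][qid]
    ok_canned = hmac.compare_digest(expected, hash_answer(canned_answer, salt)[1])
    _, own_salt, own_expected = record["own"]
    ok_own = hmac.compare_digest(own_expected, hash_answer(own_answer, own_salt)[1])
    return ok_canned and ok_own
```

The caller should still rate-limit attempts and treat a successful verification as only one factor of the reset flow.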