Are Security Questions a Joke? Or Is the Way the Systems Are Designed the Real Joke?

August 9, 2012
Security questions (Photo credit: janetmck)

I read a great article the other day on the threat posed by the use of password security questions as a computer security issue.

I too have been quite amused by the poorly designed questions which purport to help you if you forget your login information for a site.  Frank Voisin suggests a few ideas to make them more applicable.

However, the second item jarred with me – "Applicable: the question should be possible to answer for as large a portion of users as possible (ideally, universal)."

Why?

I would have thought that the primary (and only) function was to have something which was individual to the person involved.

Now I’m only a human factors scientist, but my training suggests that we ask the individual to design their own questions. Sure, give them some advice and make the process as intuitive as possible, but give them the ability to make it as individual as they like – surely that’s the whole point! After all, this information is only kept in a secure database to be accessed as needs permit.

Is it more that the systems designer was trying to make his or her job easier?  Sort of fitting the human to the system rather than designing it to the individual’s explicit needs?  Did this save them a few lines of code?

Obviously some human science input into this area is sorely needed.  This raises the question of whether someone who is a computer scientist first and has cross-trained into the human interface is the best person for this role, or someone with a psychology or social science background.
My suggestion is that in this case, you really need some cross-disciplinary interaction to arrive at an optimal solution.