Thursday, September 8, 2011

Working vocabulary (What makes a good security question, redux)

Helpful reader Rick Auricchio has informed me that the numbering I was using in previous posts was rather opaque, especially since the list it drew from wasn't actually numbered, and suggested instead using more descriptive adjectives. He had a good list of adjectives to match the numbers, and I made just a few changes. The list is as follows:

Applicable: It actually applies to you and has an answer. Sites should either provide security questions that apply to a large portion of their user base or have many questions to choose from. Where you met your spouse is probably not a great question for a singles dating site.
Private: It's something that few other people know, that's not in public records or all over your blog or resume. First grade teacher is a good question for a site with an adult user base, but not great for one that caters to high-schoolers who probably all have the same answer.
Unpredictable: The answer is hard to guess. 'Favorite Color' fails this hard: one third of people have Blue as their favorite color. If you're a bank with one branch in one city then birthplace is also not ideal.
Unforgettable: You will definitely know/remember the answer. Otherwise you've defeated the purpose.
Invariant: The answer won't change even if your home, job, tastes, or even spouse changes. It happens more often than you'd think.
Unambiguous: There's only one good answer AND that answer is only typed/phrased in one way. God help you if it's case sensitive.
Allowable: The user's answer is not blocked due to technical limitations (e.g. length, special characters). 'What state were you born in' doesn't work if you have a 6 character minimum (poor buckeyes!).
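To make the vocabulary above concrete, here is an added example (my own illustration, not code from the post or from any site it mentions) that scores a question's real-world answers against three of the criteria: Unpredictable (what share of users share the single most common answer), Unambiguous (how many distinct spellings collapse into one answer once case, accents, punctuation and spacing are normalized) and Allowable (how many legitimate answers a minimum length would reject). The two answer samples and the 6-character minimum are constructed for illustration; a site would run this over the answers its users actually typed.

```python
from collections import Counter
import re
import unicodedata


def normalize_answer(answer: str) -> str:
    """Collapse the ways one answer can be typed (case, accents, punctuation,
    spacing) so that "Blue.", "BLUE" and " blue " all compare equal.
    This is the site-side mitigation for the Unambiguous criterion."""
    decomposed = unicodedata.normalize("NFKD", answer)
    no_accents = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    letters_only = re.sub(r"[^a-z0-9\s]", "", no_accents.lower())
    return " ".join(letters_only.split())


def evaluate_question(raw_answers, min_length=6):
    """Summarise how one question's answers fare on three of the criteria.

    raw_answers: the answers users actually typed for the question.
    min_length:  the site's minimum answer length (the Allowable rule).
    """
    if not raw_answers:
        raise ValueError("need at least one answer to evaluate")
    canon = [normalize_answer(a) for a in raw_answers]
    counts = Counter(canon)
    total = len(canon)
    top_answer, top_count = counts.most_common(1)[0]
    return {
        # Unpredictable: guessing the single most common answer succeeds
        # against this share of accounts.
        "top_answer": top_answer,
        "top_share": top_count / total,
        # Unambiguous: how many raw spellings collapse into one canonical answer.
        "distinct_spellings": len(set(raw_answers)),
        "distinct_answers": len(counts),
        # Allowable: share of legitimate answers the length rule would reject.
        "blocked_share": sum(1 for a in canon if len(a) < min_length) / total,
    }


# Constructed sample answers (not real user data) for two questions.
FAVORITE_COLOR = ["Blue", "blue", "BLUE", "Blue.", "green", "red", "purple",
                  "yellow", "orange", "black", "pink", "white"]
BIRTH_STATE = ["Ohio", "Iowa", "Utah", "California", "Texas", "New York"]


if __name__ == "__main__":
    for name, sample in (("favorite color", FAVORITE_COLOR),
                         ("birth state", BIRTH_STATE)):
        r = evaluate_question(sample)
        print(f"{name}: top answer {r['top_answer']!r} covers "
              f"{r['top_share']:.0%} of users, {r['distinct_spellings']} spellings "
              f"-> {r['distinct_answers']} answers, {r['blocked_share']:.0%} "
              f"blocked by a 6-char minimum")
```

On the constructed colour sample the top answer ('blue') covers a third of users, which is exactly why the post calls 'Favorite Color' a failure of Unpredictable, and four spellings of it collapse to one once normalized. On the birth-state sample nothing is predictable, but a 6-character minimum would reject four of the six answers, which is the Allowable problem the buckeyes run into.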

It's not perfect. For example, some of the adjectives describe the questions whereas others describe ideal answers. But I think it's important to try to develop a vocabulary for talking about security questions. goodsecurityquestions.com (which I hadn't come across when I first made this blog) has done something similar, and has some great tips, but I'd like to go into a bit more detail to figure out problems with security questions.

I'm going to go back a bit and clarify some of the older posts as necessary so they have more than just numbers in the discussions.
