Security Questions vs. Modern MFA

Can we just stop with the questions?

Many websites still utilize security questions as a secondary authentication method during account creation or password resets. While seemingly convenient, these questions often rely on personal details easily discoverable through social media or basic online research.

This raises the question: Why prioritize security questions when more robust multi-factor authentication (MFA) options exist?

Several websites, like the one I recently encountered, offer functionality, such as developer features, that requires additional security. However, upon completing the access request form, the site directed me to set up a security question. This seems counterintuitive, considering the website also offers more secure MFA options such as authentication apps, in-app notifications, and SMS verification.

The advantages of modern MFA over security questions include:

  • Enhanced security: Randomly generated codes or biometrics provide a significantly higher level of protection compared to predictable personal details.
  • Improved user experience: Modern MFA methods are often more convenient and user-friendly than remembering obscure answers to pre-set questions.

It's important for websites to prioritize robust MFA methods as the primary choice for account security. Security questions, while seemingly familiar, can be a vulnerability in today's digital landscape.