I always love to see how companies adapt security questions in order to protect their customers when trying to retrieve their passwords. Some stick with the traditional:
What is your mothers maiden name?
What is the name of your favourite sports team?
But these would be quite easy to find out if you did a little hunting.
Facebook has a particular good method of verifying you if you need to reset your password. They show you a variety of photos and ask you to identify the name of those friends. Providing your friends don’t all have publicly viewable profiles, then it would be hard for a stranger to be able to guess correctly.
However, when recently trying to reset my password on a well known companies website I was asked “When did you meet your spouse?”
The problem with this as a security question is twofold. What if you don’t have a spouse? and what if you just don’t remember what you would have entered… like me.
With the number of marriages declining, and only 19.2 women per 1000 in the UK getting married in 2009*, this as a security question isn’t the best. Only a handful of users would find it a valid security question.
I had apparently filled this information in in February 2010, but I have absolutely no recollection of what I entered. Fortunately, there was an alternative authentication method.
I wonder if they had performed user testing with this question? I doubt it.
There are however good things about this question – they reminded me when I added this as a security question. This should help to jog the users memory, and there was an alternative method to verify myself.
*http://www.theguardian.com/news/datablog/2010/feb/11/marriage-rates-uk-data