Culturally Inclusive Security Questions
June 6, 2016 8:08 AM

I'm trying to come up with a list of online account security questions that are secure, memorable, and considerate of class & cultural differences.

I spend a significant amount of time at my job helping low-income non-traditional students apply for educational resources online (federal financial aid, college applications, email accounts, etc.).

Many of these accounts require the student to come up with 3-4 of their own challenge questions to secure the account. In the past, we had been using a list of questions provided by the Department of Education, but we've found them to be problematic because many of the questions do not apply to the demographic that we work with (low-income, transient, refugee/English language learner, high school dropout, very limited digital literacy skills, etc.)

Below, I've included the questions we've been using and the barriers related to that question:

- What is the name of your elementary school? (student attended several schools, which school do we choose?)
- What is the nickname of your youngest sibling? (Student does not have a sibling)
- What city were you born in? (This one is usually fine, although some of our ELL students indicate the country instead of the city)
- Who was your first boss? (Student has never been employed)
- What was the name of your first pet? (Student never owned a pet)
- What was your high school mascot? (Student attended non-US high school with no mascot or student did not attend high school and received GED)
- What is the name of the hospital you were born in? (Many ELL/non-US students were not born in a hospital)
- What color was your first car? (Student never owned a car)
- What is your mother's maiden name? (This question is confusing to ELL students who come from cultures where the woman does not change her name after marriage)

At one point, we were using general questions like "What is your favorite food/color/TV show", but I don't feel comfortable using questions with potentially variable answers. We've had several students locked out of their accounts because their favorite food today is different than it was 6 months ago.

I started using general static questions like "What is your mother's last name?", but I've read that this is not a good security question because that information is relatively common knowledge or could be easily obtained.

So, long story short, I'm trying to generate a list of questions that will be relevant to most of the people with whom we work.
posted by chara to Technology (35 answers total) 7 users marked this as a favorite
Just about any pre-written security question is highly insecure; social engineering attacks can get at almost anything you would ask. Security questions are an extremely common vector for targeted attacks for precisely this reason.

Does the technology you're using allow for the users to type their own security questions and provide answers? If you must use security questions that's generally considered a best practice.
posted by Itaxpica at 8:11 AM on June 6, 2016 [18 favorites]

I think you need to specify a time period. For example, if you asked me, who was my best friend when I was ten? What was my favorite food when I was five? That's a pretty static answer.
posted by bq at 8:15 AM on June 6, 2016

"What is the name of the elementary school where you completed grade 4?"
"What is the name of the street you lived on when you were 10?"
etc. -- I get these a lot; the age helps specify it.

"What street did your best friend in elementary school live on?"
"Who is your oldest cousin?"
"What is your father/mother/grandparent's middle name?"
"What city did your parents meet in?"
"What city was your father/mother/grandparent born in?"

You can ask about grandparents' last names, too.
posted by jeather at 8:20 AM on June 6, 2016 [1 favorite]

"What is your mother's maiden name?"
"What is your mother's last name?"

This is bad because a non-trivial portion of the time it's the same as the person's last name. Not everyone changes their name when they get married (even in US culture), but not everyone's mother was married. Many people get their mother's last name. And of course, some mothers have been married multiple times and may have collected a few last names.

I think the key is A) Make it a question that only has one answer. For example, I've usually seen "first elementary school" and B) Have lots of question options rather than just making everyone use the useless and insecure "mother's maiden name." The key isn't to find questions that work for everyone but to make sure that everyone has a few secure questions to choose from.

Instruct people to choose a question that their friends probably don't know the answer to or cannot get the answer through social media. Then you just have to trust/hope they choose wisely.
posted by If only I had a penguin... at 8:23 AM on June 6, 2016 [3 favorites]

Also, if you must use static security questions, run them by a bunch of people to see if anyone can suggest trivial ways to beat them and then don't use those. For instance, "what is your mother's last name" is a terrible security question not just because the info is easy to find, but because if the user's mother did change their name after marriage there's a good chance that the user's mother's last name is the same as the user's last name, in which case an attacker has a very good chance to compromise any account just by knowing the last name of the person that they're trying to hack.
posted by Itaxpica at 8:23 AM on June 6, 2016

The key isn't to find questions that work for everyone but to make sure that everyone has a few secure questions to choose from.

Exactly. Many security questions don't apply to me but I consider it a win if at least some of them can. The ones that presume cultural/familial experiences should be the first to be pared out but some of the others are not necessarily bad. Ones I have heard, given by places that seem to be aiming for inclusivity:

- grandparent's first name (specifying which side of the family)
- specific years' school (What school did you go to in third grade)
- specific address/year. (What street did you live on in third grade)

Avoid favorite anything if this is a login for something that they will keep for more than a few months as you've learned. That said, a favorite past memory is a possibility (Favorite place to go when you were ten or something). Is it possible to have a checklist and students can choose ones that are relevant to their situations? Is it possible to just offer to store these questions and answers someplace secure for students so they can access the questions AND answers somewhere else? I know it's less secure but after working with digitally divided users for a few decades (I usually deal with English as a first language older people, so differing challenges) I have personally HAD it with this process and am in favor of creative hacks that don't put the students' info at risk but still allow them to complete the process. "From now on everyone's first pet is called Banana Pudding. Let's write that down!"
posted by jessamyn at 8:38 AM on June 6, 2016 [2 favorites]

For the most common user account that we help students create (The FSA ID), 4 challenge questions are required: Two questions are pre-selected (student has to choose from this list and we can't change the questions), two can be typed in by the user directly. For the latter category, we are developing a list of questions that students can choose from in order to speed up the process and make sure they are choosing quality questions.

Because the students are usually older adults with very limited digital literacy skills, we'd prefer not to instruct them to use more advanced security question tactics like creating fake answers or using the same answer to every question (the latter is not allowed in the system).

The biggest problem we're running into is that people are getting locked out of their own accounts because they cannot remember their account password and they cannot remember the password to the email address they used to set up the account.
posted by chara at 8:40 AM on June 6, 2016 [1 favorite]

favorite teacher

place you hope to live someday

one word to describe your (brother | sister | mother | father | self)

favorite food

favorite song

favorite plant

favorite book

I really don't like traditional demographic/identity questions because that information is part of what an identity thief would either want or have already, and it's findable. Personal preference information could change, so that's a possible weakness, but one hopes one would make a point of remembering it. Plus, if the person is creating the security question for themself, they can choose one which is memorable to them personally.
posted by amtho at 8:40 AM on June 6, 2016

Questions related to sports (favorite $SPORT team) probably have a more static answer than other "favorite" questions.
posted by R a c h e l at 8:42 AM on June 6, 2016

What was the name of your childhood imaginary friend?
What colour were your favourite childhood pyjamas?
What is the first name of the first person you kissed romantically?
Who was your biggest teenage celebrity crush?
Who was your least favourite teacher in high school?
If your first child had been a different sex, what first name did you plan to give them?
At what bank did you open your first account?
Who was the artist at the first concert you ever attended?
What city would you most like to visit?
What was your first phone number as a child? (yeah, not everyone remembers this and some people may have the same number, hence the importance of choosing your question).
What is/was your maternal grandmother's birthday?
What was the first movie you saw in a movie theatre?

Questions about favourite sports team can be pretty easy to answer from social media. Also, specifying a specific sport tends to exclude many immigrants, since different countries follow/care about different sports. (Talking sports in the workplace is a thing that is known to exclude immigrants from informal networking opportunities for exactly this reason. Somehow it's never cricket or soccer or rugby that are the big morning-after watercooler conversations.)
posted by If only I had a penguin... at 8:50 AM on June 6, 2016 [1 favorite]

If you have a lot of foreign students then avoid words like "elementary school" and "grade three". For example, I can guess what the first one is but have no idea how old you would be in grade three. Be careful about using location specific terms like these.

Instead you could ask "what is the name of the first school you went to" or "who was your first teacher" or other suitably generic things about school. I like the one about birthplace; putting a country is fine if the person remembers that. I like questions about a specific thing at a specific age as long as they're the questions the person writes in themself so they can tailor the age to something memorable. Like I don't remember my best friend at 10, but at age five I can come up with an answer.

Lastly, there is no reason why they can't write this stuff down somewhere if the alternative is being locked out of important things. I have a small piece of paper stashed in my desk with cryptic words on it that are passwords and password hints. Once you have the paper you also have my computer with everything logged in on it already anyway. And the really important stuff like my bank uses two-factor authorisation so even a passcode isn't going to get you in. I for sure write down questions for any school accounts, particularly if they make me remember four of them (which is really a lot).
posted by shelleycat at 8:59 AM on June 6, 2016 [2 favorites]

Favorite bird. Lots of people everywhere in the world have a bird they're particularly fond of and excited to spot, and unless they're active birders they probably don't talk about it on social media.
posted by Eyebrows McGee at 9:16 AM on June 6, 2016

Maternal grandmother's first name.
posted by corb at 9:22 AM on June 6, 2016 [1 favorite]

I doubt the ones about bank accounts, concerts, and movie theaters are going to apply to 100% of low-income transient students! I can see why this is a challenge.

"What is your best friend's last name" could work. They're at the age where this is fairly static for a while.

An unchanging problem like "I don't have a sibling" can be worked around. "What is the name of your youngest sibling or, if you don't have one, your youngest cousin?" Something like that. Too complex?

I agree that "name of first school" would work better than "name of elementary school."
posted by babelfish at 9:39 AM on June 6, 2016

This stuff is really hard! Even as a reasonably stable adult with a reasonably normative childhood, I still don't have a favorite sports team or bird, don't know the names of most of my grandparents much less their birthdays or birthplaces, don't have any idea what my first concert or movie was, etc.

If you have a few people in your demographic group willing to spend ten minutes giving you feedback, I wonder if your best bet might not be to sit down with a couple of them for a little informal interview about what kinds of things you COULD ask along these lines, make a big long list, and then sit down with a couple more people to review your list and give you feedback on which they think most people like them could answer.

(And, definitely, having a long list of questions to choose from is great. It makes me crazy when I have a list of questions to choose from but they're all about kids (don't have them), cars (don't drive), and grandparents (don't know much about them). But given a sufficiently long list there's probably something that will apply to me.)
posted by Stacey at 9:48 AM on June 6, 2016 [4 favorites]

I doubt the ones about bank accounts, concerts, and movie theaters are going to apply to 100% of low-income transient students! I can see why this is a challenge.

Nothing will work for 100% of any population. The point isn't to find magic questions that are universally applicable but to have lots of potentially applicable questions so that everyone can find something that is applicable. Remember that people get to pick/write/customize their own questions. Which makes me realize that favourite $sport team actually works more than I would have guessed, since students can fill in any sport they want, rather than the agency asking "Favourite baseball team" or whatever.

What colour do you dye your hair? (people who habitually dye their hair the same colour often know the colour name or number).
What colour is the tile on the bathroom floor of the bathroom you use at night? (no bathroom pics likely on social media, though visitors might know)
What is your most treasured family heirloom?
To whom did your most treasured family heirloom originally belong?
What was the first city you landed in in the US?
From what city did you last depart the first time you came to the US?
Thinking of the first apartment you remember living in, what floor was it on?
posted by If only I had a penguin... at 10:02 AM on June 6, 2016 [1 favorite]

Some of these potential questions seem very insecure to me. Anything where the answer is a color? You probably have something like a 1/4 chance of guessing that right on the first try. Favorite sports team? Oh, you live in Kansas City? Could it possibly be the Chiefs?

The one security question that ever stumped me when managing my boyfriend's accounts was "What was the name of the street that your childhood best friend lived on?" Seems fairly inclusive too.
posted by phoenixy at 10:27 AM on June 6, 2016

I'm not sure how to do it programmatically, without a human involved, but the ISOPREP card I filled out did this a way I haven't seen before. For the challenge question portion, the questions weren't pre-written, but you didn't get to write the question either.

The procedure is, you tell me a little story about yourself nobody else would be able to guess or easily look up. Include enough detail to generate several different questions.

Example: My first job was at Jack in the Box as a night manager in San Jose. My least favorite part of that was when the owner, Simon, made me take the cash to the bank.

Now the asker can ask a series of questions from that same set of facts, and presumably I won't forget them. What was your first job? What city was your first job in? Where did you work for Simon? Who was your boss in your first job? etc.

I guess even if you can't make the software do this, you could teach people how to come up with good memorable security questions.
posted by ctmf at 10:58 AM on June 6, 2016

Maybe point out that the answers can be any response; my mother's maiden name could be "fuschia octopus" for all it actually matters. The key, as ctmf notes, is for the responses to be memorable.
posted by Schielisque at 11:21 AM on June 6, 2016 [1 favorite]

Where were you born? (People can interpret however they want which makes it better)

What was your favorite candy as a child?

What is one thing you miss most about your home country /hometown?

What is the first name of the person who took care of you the most as a child?

What is the language your parents speak?

What is the capital city of your home country/state you were born in?

How old were you when you first saw a dentist?
posted by AlexiaSky at 11:22 AM on June 6, 2016

Questions about "your mother's/father's side of the family" may exclude people who were raised in non-traditional family arrangements.
posted by matildaben at 11:24 AM on June 6, 2016

I help people apply for public benefits and of the security questions asked on that application, here are the ones that people choose most often. (sample size is pretty large and pretty diverse):

What is your favorite holiday?

What is your favorite vacation destination? (this can be a place they've been or the ideal place they would like to go)

What is your favorite breakfast food?

What is the name of your favorite pet?

What is your favorite sports team?

What was the first name of your best friend when you were growing up?
posted by tivalasvegas at 12:53 PM on June 6, 2016

From a security standpoint, be wary of any questions where the answers are not likely to be evenly distributed among a wide range of possibilities. Your favorite color might be fuchsia or periwinkle, but most people will be putting some variant of red, green, blue, purple or yellow. Sports teams are highly correlated with the area the person is from, so guessing the 49ers for someone living in the Bay Area isn't much of a stretch. Favorite holidays will likely tend to congregate around Christmas, New Year's, Easter and Thanksgiving. You get the idea.
posted by Aleyn at 2:52 PM on June 6, 2016 [1 favorite]
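The skew Aleyn and phoenixy describe can be measured rather than eyeballed. The following is an added example, not code from any poster or from the FSA ID system: given a tally of how often each answer occurs in your own population, it reports the chance a blind guesser gets in within the lockout threshold and the min-entropy of the question. The tallies are constructed illustrations, not survey data.

```python
"""Rough guessability check for candidate challenge questions.

Added example for this thread; not code from any poster or from the
FSA ID system. The answer tallies are constructed illustrations, not survey
data: replace them with counts from your own intake records.
"""
from collections import Counter
from math import log2
from typing import Dict

# Constructed tallies: answer -> number of users who gave it (100 users each).
FAVORITE_COLOR = Counter({
    "blue": 38, "red": 17, "green": 14, "purple": 12, "black": 8,
    "pink": 5, "yellow": 3, "fuchsia": 1, "periwinkle": 1, "teal": 1,
})
FAVORITE_HOLIDAY = Counter({
    "christmas": 55, "thanksgiving": 14, "halloween": 9, "new year's": 8,
    "easter": 6, "eid": 3, "diwali": 2, "nowruz": 2, "my birthday": 1,
})
# Every answer unique: a blind guesser gets 1/100 per attempt at best.
BEST_FRIEND_STREET = Counter({"street-%d" % i: 1 for i in range(100)})


def answer_probabilities(tally: Counter) -> Dict[str, float]:
    """Turn raw counts into an estimated probability for each answer."""
    total = sum(tally.values())
    return {answer: n / total for answer, n in tally.items()}


def guess_success(tally: Counter, attempts: int) -> float:
    """Chance that an attacker with no personal knowledge of the victim gets
    in within `attempts` tries by submitting the most popular answers first.
    Assumes the victim's answer is drawn from the same population as the tally."""
    probs = sorted(answer_probabilities(tally).values(), reverse=True)
    return sum(probs[:attempts])


def min_entropy_bits(tally: Counter) -> float:
    """Min-entropy, -log2(p_max): the measure that matters for a guessing
    attacker (Shannon entropy overstates security for skewed distributions)."""
    return -log2(max(answer_probabilities(tally).values()))


def assess(name: str, tally: Counter, attempts: int = 3,
           max_success: float = 0.05) -> dict:
    """Summarise one question. `attempts` should match the system's lockout
    threshold; `max_success` is a policy choice (assumed 5% here)."""
    success = guess_success(tally, attempts)
    return {
        "question": name,
        "min_entropy_bits": round(min_entropy_bits(tally), 2),
        "success_within_attempts": round(success, 3),
        "acceptable": success <= max_success,
    }


if __name__ == "__main__":
    for name, tally in [("favorite color", FAVORITE_COLOR),
                        ("favorite holiday", FAVORITE_HOLIDAY),
                        ("childhood best friend's street", BEST_FRIEND_STREET)]:
        print(assess(name, tally))
```

With these constructed numbers, three guesses at "favorite color" succeed 69% of the time and "favorite holiday" is worse, while the street question stays at 3%; the point is to run the same check on real answer counts before a question goes on the list.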

I'm so glad you're doing this. I'm not a particularly unusual American, but I've still run into two or three sets of questions that I couldn't answer satisfactorily AT ALL (and made-up answers are particularly hard to answer). I didn't attend a high school (which eliminates a ton of questions), have no favorite sports teams, had two first pets, was conceived in and brought home to one town in one county but technically born in the town and county next door, lived in multiple states as a child, etc.

In what city did your parents meet?
Where did you go on your favorite vacation?
What street did you live on as a child? (Personally, I lived on several, but one stands out and I use it. Or you could use "What street did your family live on when you were a baby?")
What do you consider to be your hometown?
What was your favorite toy when you were a baby/five years old/ten years old?
What food do you like to eat when you are sick?
Who is your favorite athlete? (or Who was your favorite athlete when you were a child?)
What was your dream job when you were a child?
What was your favorite cartoon character as a child?
Who was your childhood hero?

(Also, I have the same problems with my ELL students regarding accounts, even without security questions. What we really need is a 1-3 basic computer bootcamp, honestly.)
posted by wintersweet at 5:05 PM on June 6, 2016

I'd like to throw in a suggestion to make sure some of the options are not obvious to immediate family members. On the one hand, it's great to share your life history with your spouse. On the other, if your spouse at some point becomes your ex-spouse, a set of questions about where you met, where you went to school, your oldest cousin, etc. are going to make it hard to keep the ex-spouse (or estranged parent, or current live-in lover) out of your account.

At least some of the options should be personal preference rather than life-facts, to avoid the problem of anyone knowing you well being able to get into the account.

It's worth reminding people that they don't need to answer the question honestly; they just need an answer they can remember. I love the ones that have "father's middle name" as an option - I never actually use my father's middle name, but I know exactly what word I use instead, because of a longstanding family joke. (However, "father's middle name" is not good on a short list of options - not everyone has three names.)

Question possibilities:
* Favorite board game
* Favorite card game (if it's "favorite board or card game," some people are going to get confused and not remember which one they answered)
* A word that reminds you of a favorite memory
* Your favorite children's rhyme
* Your favorite nickname (or the one you wish you had)
* The first person who paid you money to do a task or chore*
* Favorite kind of art
* Favorite leisure activity

* Not everyone's had a paying job. Almost everyone has had "do this chore for $2" situations.
posted by ErisLordFreedom at 7:21 PM on June 6, 2016 [1 favorite]

Oh my gosh, thank you for doing this - as a non-driver and non-citizen, it drives me crazy that all these questions are geared towards the American experience (come on, just think of the implications of "what color was your first car"... You didn't just have one car, you had multiple cars! What do you mean, high school mascot? You mean our patron, the famous poet? Third grade teacher? Which one, because we had several, one for each class?)

And the "your favorite XYZ" are even more confusing to me. How would I know that the answers are still valid a year from now?

Questions that worked for me were the factual ones: maternal/paternal grandmother/grandfather first name, town I was born in, town my mother/father was born in, how many cousins do I have, town I lived in when I was 20, etc.
posted by Ender's Friend at 7:27 PM on June 6, 2016 [1 favorite]

Security questions are a stupid waste of everybody's time. There is only one class of security question that doesn't actually toss real security straight out the window, and it is this:

What is the 16-character unique secret you generated for this account and safely stored three copies of?
posted by flabdablet at 11:59 PM on June 6, 2016 [1 favorite]

You're having difficulties with this because you are at cross purposes with what security questions are intended to accomplish. Ideally, they're a sort-of-useful intermediate step, which you ask of a user before you agree to email them a link to reset their password. You're dealing with them as an impediment to access, and thus an obstacle to be overcome. So, the answer here is probably not picking questions that don't require cultural context; it's to devise an approach to allow non-technically-savvy users to access things that weren't designed with them in mind.

If you're dealing with sites that allow you access to accounts based solely on the answers to these questions, then they're already compromised--you're not going to make the problem much worse by just telling them "pick the first question on the list, and answer it with your full name." If you need multiple unique answers, pick some sort of regular pattern that's easy to remember, like "your full name with no spaces, followed by a single digit (e.g. "johndoe1", "johndoe2", etc)." This is, obviously, extremely poor security protocol, but it doesn't sound like you're working with people who are likely to be the vectors of sophisticated attacks, and the cost of losing access to a federal aid program is much higher than the cost of having that identity compromised.

Password security is a wasteland. I feel your pain, and I'm usually the guy proselytizing about OnePass or other more sophisticated ways to get around the innate stupidity of modern access control. I also recognize that for most people, your two options are "do this insecure but very easy to remember thing" and "write your password down on a Post-It note and stick it to your monitor."
posted by Mayor West at 7:46 AM on June 7, 2016

Writing it down is a good idea. Putting it on display, not so much.
posted by flabdablet at 10:13 AM on June 7, 2016

The biggest problem we're running into is that people are getting locked out of their own accounts because they cannot remember their account password and they cannot remember the password to the email address they used to set up the account.

Have them write down their passwords and put them in their wallet. There's not really a good substitute for not being able to keep track of passwords. And some places will email a password reset link when the security questions are answered, so not being able to remember the email password is a problem even if they can answer the security questions.

Also, if people don't understand that the answers to the security questions have to be spelled the same way, that can be an issue. Maybe your first boss was Mr. X, or firstname lastname, or nickname. Maybe your favorite bird has more than one name.
posted by yohko at 4:14 PM on June 7, 2016
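The spelling problem yohko raises ("Mr. X" versus "firstname lastname" versus a nickname) is something the verifying side can absorb. The following is an added example, not code from any poster or from the FSA ID system: it canonicalises an answer (accents, case, punctuation, leading titles) before hashing it with a salted slow KDF, so variants of the same answer match while only a hash is stored. The honorific list is an assumption to adjust per population, and the sample answers are constructed.

```python
"""Normalise challenge-question answers before storing and checking them, so
that "Mr. X", "mr x" and "Mr X." match, while still storing only a salted hash.

Added example for this thread; not code from any poster or from the FSA ID
system. The honorific list and sample answers are constructed.
"""
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple

# Assumption: titles commonly typed in front of a name; extend per population.
HONORIFICS = {"mr", "mrs", "ms", "miss", "dr", "sr", "sra", "srta"}
KDF_ROUNDS = 200_000  # slow hash limits offline guessing if the store leaks


def normalise_answer(text: str) -> str:
    """Canonical form: accents stripped, case folded, punctuation and spaces
    removed, leading titles dropped. Unicode word characters are kept, so
    answers in non-Latin scripts survive (only combining marks are removed)."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    words = re.findall(r"\w+", stripped.casefold())
    words = [w for w in words if w not in HONORIFICS]
    return "".join(words)


def enrol(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) to store. Rejects answers that normalise to
    nothing (e.g. "Mr."), which would otherwise be trivially guessable."""
    canonical = normalise_answer(answer)
    if not canonical:
        raise ValueError("answer has no usable content after normalisation")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical.encode("utf-8"),
                                 salt, KDF_ROUNDS)
    return salt, digest


def verify(attempt: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the attempt's digest with the stored one."""
    canonical = normalise_answer(attempt)
    if not canonical:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", canonical.encode("utf-8"),
                                    salt, KDF_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    salt, digest = enrol("Mr. José García")
    for attempt in ("jose garcia", "JOSÉ GARCÍA", "Mr Jose Garcia", "Juan Garcia"):
        print(attempt, "->", verify(attempt, salt, digest))
```

Normalisation only closes the spelling gap; it does nothing about answers that are easy to look up or guess, which the rest of the thread covers.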

I understand that security questions as a concept are flawed and problematic; we can go on and on about the many flaws of that particular system. However, my desire is to get students from point A to point B as easily as possible, so thank you to everyone who actually answered my question. For the record, we do print out copies of the challenge questions & passwords for our students to keep in a secure place, but many people lose or misplace them (one of the many consequences of having a non-stable living situation).
posted by chara at 8:06 AM on June 8, 2016 [2 favorites]

You might lower your loss rate a bit if you print the passwords on something slightly less than credit card size and then laminate them. It's harder to lose a credit card than a random scrap of notepaper.
posted by flabdablet at 12:46 PM on June 8, 2016

Related to your last comment, can you provide the secure place? Do you have some secure storage at your location where students can opt to keep their printed-out questions and answers?

When I did school technology, our teachers were required to password-protect their (pre-cloud) gradebooks, but there was no password reset or recovery option available. We had the teachers write their gradebook password on an index card, seal it into an envelope, and sign across the seal. The box of envelopes was then stored in the safe in the school's records office.

I know it's not ideal from an IT security perspective, but every situation requires people to balance security with the ability to actually *use* the technology.
posted by scarnato at 8:10 PM on June 8, 2016

I know it's not ideal from an IT security perspective

Looks fine to me, provided only that the people who control access to the records office are properly trained in resistance to social engineering. If the applicant can't provide some kind of proof of identity along with a signature that matches the one across the seal, they don't get the envelope: end of.
posted by flabdablet at 5:45 AM on June 9, 2016
