First Look: The Trouble with Challenge Questions

When Apple asked me who the best man in my life is, I could think of only one answer: Randy, my Bichon Frise, who's been with me for more than a decade.

As soon as I entered his name to sync my iPod up to my newish laptop, my screen's interface spat back an error message at me.

Thinking I mis-keyed, I tried his name again.

Denied once more.

Then I entered in my Dad's name.

Denied again.

I felt an identity crisis coming on and was reminded how this very issue came up at a storytelling competition I recently attended. A presenter told of a time when she got locked out of a personal account and was presented with a challenge question: What did you want to be when you were young? Like me, she couldn't recall the answer she had provided long before and felt perturbed — and curious — about the question and her original answer.

A login lockout and such free-form challenge questions may not cause everyone an existential moment; however, the above experiences are telling. Passwords are forgettable, and as financial services companies work to offer a better and more secure login, they should avoid challenge questions that can have multiple correct answers. Why? Sometimes the legitimate person can't prove he is who he says he is, and sometimes it's the question's fault — especially if it's asking for favorites and bests.

We set up our challenge questions and then our answers change. Breadcrumbs may float online (I mean you, Facebook), but that requires digging. The Mary Wisniewski of 2013 (into David Bowie, Proust, bingo, results) is different from the Mary of 2007 (into Coldplay, Sylvia Plath, roller skating, impromptu moments). My answers to questions I selected myself are bound to evolve. And fumbling for an answer feels like a strange game of Jeopardy: you can fail the game of you.

The poorly framed questions aren't always the large ones about life goals and love interests. Here are a few more examples I've come across lately that may have more than one answer:

What is the first and last name of your childhood best friend?

What was your childhood nickname that most people don't know?

What was the last name of your favorite teacher in your final year of school?

To be sure, asking questions that go beyond publicly available data can be helpful for recovering accounts, especially those unlocking sensitive financial data. But the stronger the password, the harder it is to remember. In an excellent November article in Wired, author Mat Honan writes:

"Passwords need to be hard in order not to be routinely cracked or guessed. So if your password is any good at all, there's a very good chance you'll forget it—especially if you follow the prevailing wisdom and don't write it down. Because of that, every password-based system needs a mechanism to reset your account. And the inevitable trade-offs (security versus privacy versus convenience) mean that recovering a forgotten password can't be too onerous. That's precisely what opens your account to being easily overtaken via social engineering."

The point of the piece, ultimately, is that the password is going away, and with it the challenge questions used to reset one's credentials. Certainly, banks have their eyes locked on ways to improve authentication without inflicting too much pain on a customer. Frost Bank, for example, recently launched a four-digit PIN login for its mobile banking app.

Meanwhile, my colleague John Adams wrote a great article addressing some of the ways banks are rethinking the login in the years to come. Among the developments are fingerprints, facial recognition, voice recognition, iris scans, palm prints, device fingerprinting and mobile identity.

But the journey toward the password's extinction is still a journey ahead, and I, and my psychological demons, are eager for such developments to take place. So just remember: Question your questions in the meantime.
