I’ve always been slightly annoyed with ‘secret questions’ that aren’t secret, and consequently have for ages made up an answer. If it’s been for a website I’m going to want to use again (rather than one of those annoying websites that force you to register just to become a one-off customer of theirs), I keep a record of my answer somewhere.
Well, I had classic confirmation today of what a waste of time such things can be. I had an online account with a large retailer that wanted to know my favourite colour. So I found something suitably obscure – at the end of the day there are plenty to choose from!
Now I can understand why the use of a second shared ‘secret’ (as long as it really is a secret) might be useful in an online system where you need some kind of assurance that the remote person is who they say they are. But in this case, my wife was in the store doing something and they needed the answer to the secret question. Of course, she didn’t even know the question let alone my obscure answer.
Now normally, she would probably have rung me to see if I knew or could find out, but in this case the store assistant said ‘never mind, let’s try some’ … and typed in ‘red’, ‘blue’, and so on. Then he said, oh, I’m not sure what other colours to try … so he rang their main office and explained that a customer was in store wanting to change something, but couldn’t remember her secret question answer … and then they asked to talk to her and asked for some personal details (date of birth, address, that kind of thing) and then promptly told her the answer to the question!
So, first of all, for the in-store situation, it just shows that it was totally unnecessary to need the secret question at all – she was there, with account numbers, physical artifacts, personal knowledge, a store loyalty card – they really didn’t need anything else to know who she was – as evidenced by the fact that they were quite happy with all this information in order to disclose the secret answer!
And secondly, if the secret question is to be of any use, then they really can’t just put customer service over security and give it out to anyone who happens to be in the store, confident, annoyed with their systems and who happens to be armed with enough of someone’s personal information to sound convincing!
So – in summary, security is fine, but not at the expense of customer usability. However, if customer usability just blows holes in any security defences, and no one seems to mind, then someone should really be asking some serious questions about the need for such security in the first place! Also, while I’m at it, this also shows that something that can be secure enough in one context (e.g. online transactions) can be totally pointless in a different context (i.e. when the same system is used ‘in person’).
I suppose I also should point out that a security question that a huge majority will answer with, I assume, something like one of only twenty-odd values is also a bit meaningless. So in future, when asked for your favourite colour for a security question – I recommend getting a little more inventive. Just don’t forget to make a note of it somewhere!
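To put numbers on the two problems above (a secret answer that staff can read back, and a ‘let’s try some’ guessing run over twenty-odd colours), here is an added example that is not part of the original post or the retailer’s system. It assumes a constructed colour list, a salted hash for storing the answer so nobody at head office can disclose it, and a five-failure lockout so the colour list cannot simply be walked through.

```python
import hashlib
import hmac
import math
import os

# Constructed list standing in for the "twenty-odd" colour names most people
# would give; for the demonstration the true answer is assumed to be one of them.
COMMON_COLOURS = [
    "red", "blue", "green", "yellow", "orange", "purple", "pink", "black",
    "white", "brown", "grey", "gold", "silver", "turquoise", "violet", "indigo",
    "maroon", "navy", "teal", "beige", "cyan", "magenta",
]

def answer_entropy_bits(answer_space):
    """Bits of entropy if answers were spread evenly over the space (~4.5 for 22)."""
    return math.log2(len(answer_space))

def normalise(answer):
    """Case- and whitespace-insensitive, so 'Teal ' and 'teal' compare equal."""
    return " ".join(answer.strip().lower().split())

def hash_answer(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, 100_000)

class SecretQuestionStore:
    """Keeps only a salted hash, so staff cannot read the answer back over the
    phone, and refuses further checks once max_attempts guesses have failed."""
    def __init__(self, answer, max_attempts=5):
        self.salt = os.urandom(16)
        self.digest = hash_answer(answer, self.salt)
        self.max_attempts = max_attempts
        self.failed = 0

    def check(self, guess):
        if self.failed >= self.max_attempts:
            return "locked"
        if hmac.compare_digest(hash_answer(guess, self.salt), self.digest):
            self.failed = 0
            return "ok"
        self.failed += 1
        return "wrong"

def simulate_guessing(store, candidates):
    """Replay the in-store 'let's try some' approach; returns (outcome, attempts)."""
    for attempts, guess in enumerate(candidates, start=1):
        result = store.check(guess)
        if result != "wrong":
            return result, attempts
    return "exhausted", len(candidates)
```

Without a lockout the whole colour list is exhausted in a couple of dozen tries; with one, the run stops at the sixth attempt without ever reaching the answer.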