
Ask HN: Why are verification questions everywhere? - canadianwriter
I just got locked out of an important banking account because I couldn't
remember the answer to my verification questions...

I have mental issues that cause me to have a VERY bad memory.

Generally I use a password manager so I can still have unique and strong
passwords for everything and I even use 2-factor when I can.

Verification questions on the other hand: usually I am forced to have a
unique answer to each one AND there are like 5 for each company that uses
them and each company uses different questions.

I can't use a password manager and I can't reliably know the answers. Even
something as simple as "what's your favourite movie"... I don't know. I like
lots of movies? Did I pick a classic one from my childhood? A modern one
that's pretty cool?

Where was your first date? I have absolutely no idea.

First dog's name? I don't know. I remember he was black. That's about it.

Do they even add any security at all?
======
wglb
I use the "notes" field on 1Password for just this sort of thing. Plus, I make
them up, so if they ask me for my mother's maiden name, I would use something
like "plexitrough", or my first pet is "Fortran". And I use different ones for
different accounts.

To answer your final question, using the true answers to the question is in
fact insecure, and has been known to be so for nearly 10 years.

~~~
canadianwriter
Exactly! I might be able to do what you mentioned (great advice!) but the
average person most definitely will not!

------
twunde
I'm willing to bet that for many companies, it's part of their regulations or
pushed by their security teams as a best practice. The point was to add a
second factor of authentication, but one that didn't require you to have a
cell phone on hand. The problem is that it's very rare to find good questions
that you can remember years from now that aren't easily discoverable by a
hacker. (I'm currently locked out of an Apple account because of this,
especially with their practice of requiring you to get all 3 verification
questions correct.)

------
gesman
If a hacker stole your data from a lousy credit rating bureau or the like -
security questions are not information commonly associated with your SSN.

Every merchant/service in this case keeps their own "last line of defense" -
your security Q/A's.

While being a PITA sometimes - they are offering a way to steer a hacker away
from you to easier targets.

You don't know how many times some bad guy failed to answer your security
question and moved on.

But this does happen often.

------
canadianwriter
Not to mention, I now have to call in - using your company resources on a
call, wasting time with a call rep and not to mention pissing me off so I
might switch.

------
psyc
Not an hour goes by these days without a service forcing me to enter
information for security. It's so out of hand. Same basic tragedy of the
commons as every app thinking it belongs in the systray. Except now every
service thinks it needs to ask me questions, text my phone, check my IP, and
send warning emails every 15 minutes. And I'm not talking banks, here.

