Ask HN: Why don't sites let you write your own Secret Question? - AdmiralAsshat

Most of the sites I've used that utilize the Secret Question/Secret Answer mechanism give you a dropdown list of common "Secret Questions" to choose from. Usually something along the lines of "What is your mother's maiden name?"/"Where were you born?"/"What was your childhood nickname?" etc. It seems to me that at least half of these common questions are nothing more than demographic details that would be trivially easy to obtain by anyone actively seeking to break into your account.

Obviously I'm not obligated to be truthful with my answers--I could just use the "Mother's Maiden Name" question as a prompt to enter my favorite Monty Python episode title, but I just don't see why more sites don't allow you to simply design your own secret question and create something that would stumble a would-be account thief.
======
tptacek
Because most of their users aren't technical and don't have any engagement
with the concept of authentication, but do immediately know and (expensively)
escalate if they lose their credentials. It's a way of reducing customer
service burdens without requiring customers to think.

------
jpetersonmn
I've been on some websites (retireonline JPMorgan retirement site to name one)
that when I went to reset password it asked me to answer all of these
'security questions' that I had supposedly answered before. These were things
I didn't even know and was sure that I hadn't really answered before. I called
the number and they reset my password, but I felt like they were just fishing
to get me to provide more data.

------
IAMSME
I believe that it's set up that way in order to maintain some sort of
standardization of questions and to prevent people from writing questions that
are easily guessable. That's not to say that it isn't doable, as I've had some
of my clients ask for this type of functionality before. Most of the time they
end up using a predefined (or OOTB - out of the box) list of questions.

Take a look at the following article as it describes the various forms of
identity proofing pretty accurately. [http://unissant.com/identity-proofing-
an-introduction/](http://unissant.com/identity-proofing-an-introduction/)

Companies have been moving to more complex forms of identity proofing (OTP or
Risk based) and it will be only a matter of time till it becomes more
mainstream.

I hope this answers your question.

------
Someone1234
Some do. The ones that don't typically employ phone support and want to be
able to confirm secret questions/answers over the telephone.

If you let people write their own, they might write things which the telephone
operators cannot read nor understand (e.g. foreign languages, inappropriate
things, etc).

But some places are just lazy; the fact they're still using insecure secret
questions in 2014 is in its own right proof of that. They're actually the
weakest link in many companies' security systems.

------
auganov
Decision fatigue. Generally you want to reduce sign-up friction as much as
possible. The fewer forms one has to fill in the better. Asking people to come
up with a question and explaining why they should care is just too much
friction. If you have a narrow set of questions the decision-making overhead
is much lower.

------
garysvpa
How can we expect users to create a good question within moments? Permitting
them to create a good question may increase user frustration, especially if
they are in a hurry. Aside from the fact that IT professionals are the experts
and they are being paid to do that.

------
arisAlexis
Because your question could be "How much is 1+1?" and that's not an extra
security measure.

~~~
chrisBob
I use "What is Jack's name?" on throwaway registrations that let me ask my own
question. I agree that the sites that don't let me do that are probably trying
to protect me from myself.

Not letting me include the answer in the question might also be a good idea.
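The two weak cases raised in this subthread (an answer that appears in the question, and a question anyone can compute such as "1+1") are exactly what a server-side policy check can reject before accepting a self-authored question. The following is an added example, not code from any site mentioned in the thread; the minimum length, the common-answer list and the PBKDF2 round count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import List, Optional, Tuple

# Constructed list of answers so common they are effectively already guessed.
COMMON_ANSWERS = {"password", "123456", "qwerty", "none", "n/a"}
MIN_ANSWER_LEN = 4        # assumed policy value
PBKDF2_ROUNDS = 600_000   # assumed; the answer is a credential, so store it like one


def normalize(text: str) -> str:
    """Fold case, Unicode form and whitespace so "Jack" and " JACK " compare equal."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"\s+", " ", text).strip()


def validate_custom_question(question: str, answer: str) -> List[str]:
    """Return the policy violations for a user-written question/answer pair.

    An empty list means the pair is accepted.
    """
    q, a = normalize(question), normalize(answer)
    problems = []
    if len(a) < MIN_ANSWER_LEN:
        problems.append("answer too short")
    if a in COMMON_ANSWERS:
        problems.append("answer is a common guess")
    if a and a in q:  # "What is Jack's name?" / "Jack": the prompt leaks the secret
        problems.append("answer appears in the question")
    if re.search(r"\d+\s*[-+*/]\s*\d+", q):  # "How much is 1+1?": anyone can compute it
        problems.append("question is an arithmetic puzzle")
    return problems


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 over the normalized answer, so the stored value is not the answer."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a submitted answer against the stored digest."""
    return hmac.compare_digest(hash_answer(answer, salt)[1], digest)
```

Normalizing before hashing is what lets a later reset accept "the spanish inquisition" for a stored "The Spanish Inquisition" without keeping the plaintext around.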