Ask Me Security Questions Only About Me

I’ve noticed a strange trend in security questions. Perhaps security-minded people think that too many people might know the standard questions. Maybe you know my mother’s maiden name, where I was born, or the addresses where I used to live.

The trend is to ask me questions about people the system thinks I’m associated with. Here is an example from a screen I faced in May 2023:

Image description: Photo of a screen asking in which city “Ellen Levitt” currently lives or owns property. The choices are four cities in Connecticut and “none of the above or I am not familiar with this person.”

I don’t know the answer to this. I really don’t. No clue. And I’ve been asked about this person before.

First, I thought about trying to Google “Ellen Levitt” to see if I can figure out where they live, but this was at a kiosk and I was being watched. So that tactic wouldn’t be the right one!

When I told the attendant that I didn’t know the answer and had nothing to do with this person, they suggested I select the last answer. The system accepted that answer, and I passed the security verification.

But what if “none of the above or I am not familiar with that person” is the wrong answer? I don’t want to fail a security check because I can’t guess where someone else lives.

Failing a security check can have outcomes a customer won’t want. We must consider this as well.

DEI means we must be more sensitive to people’s realities.

Public records might imagine that I have something to do with certain people, but public records have no idea what anybody’s reality might be.

• Is someone estranged from their family? This is too common for members of the LGBTQIA+ community, who are sometimes disowned or rejected by family. It might hurt them to see that family member’s name or be asked questions about them.
• Will a security system ask me about a deceased family member and stir up painful feelings?
• Will a security system ask me about an abusive ex-spouse I’d rather not think about?
• Will a security system show me 4 possible cities where someone who has a restraining order against me might live, and now I have a clue where they might be? That would be truly bad.

Asking about family members, especially parents, is as poor a security question as anything else. If you find out someone’s parents’ names, then you can look up where they live. Now you can answer this increasingly common security question.

I’ve been asked better security questions.

In the USA, I have been asked security questions about which car I owned or leased in a certain year. You’d need a good memory, but I thought that was a good one. Even my best friends might not remember what I drove in what year, but I’ll remember what I spent months paying for.

People might know my favorite sports team, my favorite ice cream flavor, favorite food, favorite subject in school, etc. These are common things friends tend to know about each other over time, so they don’t make great security questions.

I challenge identify verification industries and systems to come up with better security questions that are about me and only me, but are questions only I might know the answer to. OK, a spouse or my bestest bestest friend might know, but nearly the entire population of the earth won’t know, and hopefully won’t guess.

Better ideas…

Why are there always five answer choices? That’s a 20% chance of guessing correctly. How about a screen with 12 choices? That’s an 8.3% chance of guessing correctly. Ask three questions, and someone might by way less likely to guess correctly when three questions each have 12 possible answers.

I also think about how I do things in Italy. Let’s say I want to log into my online medical records. The website doesn’t let me in until I scan a QR code on the screen with an app, and verify myself in the app with a passcode or fingerprint.

The app previously verified me through multiple steps including submitting government IDs, a live photo of me, and some require me to video call someone who makes sure me face and info match my IDs. This took more time and effort to set up, but then it’s done. I can scan endless QR codes, and prove I’m me.

- - - - -

Delta CX is a full-service CX and UX agency and consultancy. We offer training, product and service strategy, and business change and business design consulting, including CX and UX research and design. We help businesses make and save money by improving teams, collaboration, processes, empowerment, agility, efficiency, and customer-centricity. Check us out at https://customercentricity.com.

Check out our new book, Customers Know You Suck. https://cxcc.to/ckys And join our Patreon community https://patreon.com/cxcc