So-called “security questions” like these are prohibited under various standards (there’s a NIST one that I can’t remember exactly, and OWASP ASVS) because they’ve always been really terrible at verifying it’s actually you answering them, and not just someone who happens to know the answer. Mother’s maiden name being the notorious example.