For those who are part of a team responsible for security on a web application, is there a reason why most sites don't allow users to choose their own challenge/security questions?
Top comments (9)
Because security questions are an additional attack vector and should not be used at all. The dev-time is better invested in enforcement and encouragement of long & secure passwords and 2FA.
What would be your workflow for password reset? That is the typical use case for security questions.
Enter E-Mail -> Receive Reset-Link
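The two-step flow in that reply (enter e-mail, receive a reset link) is where most of the security lives, so here is an added example of how it is typically built. This is not code from the original thread or from any commenter; it assumes an in-memory user table and hypothetical names (`PasswordResetFlow`, `request_reset`, `complete_reset`, `ManualClock`) chosen for illustration. The points it demonstrates: the token is random and high-entropy, only its hash is stored, it expires, it is single-use, and an unknown e-mail produces no observable difference beyond the return value the HTTP handler must hide.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Tokens expire after 15 minutes: long enough to open the e-mail, short enough
# to limit how long a leaked link (mail forward, proxy log, browser history) stays useful.
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest so it is stored as one value."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def verify_password(stored: bytes, candidate: str) -> bool:
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(digest, hash_password(candidate, salt)[16:])


def _token_hash(token: str) -> bytes:
    # Only the hash is kept server-side: a database dump does not yield usable reset links.
    return hashlib.sha256(token.encode()).digest()


class ManualClock:
    """Test aid: a clock that only advances when told to, so expiry can be exercised."""

    def __init__(self, now: float = 1_700_000_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


class PasswordResetFlow:
    """Reset flow: request by e-mail, then complete with the token from the e-mailed link."""

    def __init__(self, users: dict, clock=time.time):
        self._users = users      # e-mail -> hash_password() output (constructed sample data in tests)
        self._clock = clock      # injectable so expiry can be tested deterministically
        self._pending = {}       # token hash -> (e-mail, expiry timestamp)

    def request_reset(self, email: str) -> Optional[str]:
        """Step 1. Returns the raw token that goes into the e-mailed link, or None for an
        unknown address. The HTTP handler must answer with the same generic
        'if that address exists, we sent a link' message in both cases, so the endpoint
        cannot be used to enumerate accounts."""
        if email not in self._users:
            return None
        # A new request supersedes any earlier token for the same account.
        self._pending = {h: v for h, v in self._pending.items() if v[0] != email}
        token = secrets.token_urlsafe(32)   # 256 bits of entropy: not guessable, even unthrottled
        self._pending[_token_hash(token)] = (email, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Step 2. Consumes the token from the link and sets the new password.
        Lookup is by SHA-256 of the token. Even if timing leaked bytes of the stored hash,
        an attacker still cannot invert SHA-256 to recover the token, so no constant-time
        comparison is needed here (unlike the password check above)."""
        record = self._pending.pop(_token_hash(token), None)   # pop: single use on every path
        if record is None:
            return False
        email, expires_at = record
        if self._clock() > expires_at:
            return False
        self._users[email] = hash_password(new_password)
        return True
```

In a real handler the e-mail send should be queued rather than done inline, otherwise the response time for a known address (which sends mail) differs from an unknown one (which does not), and the enumeration protection in `request_reset` is undone by the clock.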
I don't know, but it's bad practice that they do that. In my personal projects I've implemented individually defined security questions.