DEV Community

Garvin
Garvin

Posted on

Why don't websites allow users to create their own security questions?

For those who are part of a team responsible for security on a web application, is there a reason why most sites don't allow users to choose their own challenge/security questions?

Top comments (9)

Collapse
 
niorad profile image
Antonio Radovcic

Because security questions are an additional attack vector and should not be used at all. The dev-time is better invested in enforcement and encouragement of long & secure passwords and 2FA.

Collapse
 
garvinc profile image
Garvin

What would be your workflow for password reset? That is the typical use case for security questions.

Collapse
 
niorad profile image
Antonio Radovcic

Enter E-Mail -> Receive Reset-Link

Collapse
 
tarialfaro profile image
Tari R. Alfaro

I don't know, but it's bad practice that they do that. In my personal projects I've implemented individual defined security questions.

Some comments may only be visible to logged-in visitors. Sign in to view all comments.