Security Questions in 2025: Recovery Crutch or (Bad) Second Factor?

Security questions (“What was your first pet’s name?”) have been used for decades to prove “something you know.” Today, they mostly show up in two places:

  1. Account recovery (“Forgot password?” flows), and
  2. Step-up or second-factor challenges at sign-in.

This post examines both uses—where they help, where they fail—and what current NIST guidance says in 2025.


TL;DR (for Decision-Makers)

  • NIST no longer recognizes security questions / knowledge-based authentication (KBA) as an acceptable authenticator. SP 800-63B bars verifiers from using KBA for authentication and from prompting for this kind of information (e.g., a first pet's name) when users choose passwords.
  • Use them only if legacy systems require it—and only for recovery, not as a factor.
  • Prefer modern recovery mechanisms: verified email/phone, MFA setup, recovery codes, and human-assisted ID proofing.

1) Security Questions as a Recovery Mechanism

Where They Seem to Help

  • Frictionless fallback: Users don’t need devices or apps to recover accounts.
  • Low implementation cost: Easy to add to legacy systems.

Why They Fail in 2025

  • Guessability & researchability: Answers are often discoverable via social media, public records, or earlier leaks, and the answer space is small (a handful of colours, common pet names).
  • Memorability issues: “Favorite” things change over time; spelling and formatting variants cause lockouts.
  • Breach reuse: Users reuse the same answers across sites, so Q&A pairs stolen in one breach unlock accounts elsewhere.
  • Non-compliance: NIST explicitly forbids KBA/security questions for authentication.

If You’re Stuck with Them (Hardening Checklist)

  • Question quality: Prefer prompts whose answers are not publicly researchable and not drawn from a tiny set; allow users to supply their own question and answer.
  • Answer handling:
    • Require a minimum length and block common answers (“blue,” “dog”).
    • Normalize answers (case-fold, trim, strip punctuation), then hash them with a salted, slow password hash (Argon2id, scrypt, bcrypt); never store or log plaintext answers.
    • Rate-limit attempts per account and per source, lock out after repeated failures, and add IP/device risk checks.
  • Operational controls:
    • Rotate questions on reset; never reuse old ones.
    • Detect stuffing attempts (many accounts, few answers) and monitor for anomalies.
    • Never let a correct answer alone reset credentials; always pair it with a verified email/phone challenge.
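The answer-handling items above, as an added example in Python (this is not code from the original post): normalization before hashing so case and punctuation variants still match, a minimum-length and deny-list check, a salted scrypt hash from the standard library (Argon2id would be equally appropriate but needs a third-party package), and a per-account failure counter with lockout. The deny-list, the thresholds and the account names are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
import time
import unicodedata

# Constructed deny-list for illustration; a real deployment would load the
# most common answers seen in breach corpora for each prompt.
COMMON_ANSWERS = {"blue", "dog", "cat", "pizza", "smith", "password", "none"}
MIN_ANSWER_LEN = 4

# scrypt cost parameters (assumed values; tune to your hardware budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

MAX_ATTEMPTS = 5            # failures per account before lockout
LOCKOUT_SECONDS = 15 * 60


def normalize_answer(answer: str) -> str:
    """Canonicalize so 'Mr. Whiskers' and ' mr whiskers ' compare equal.

    The same normalization runs at enrollment and verification, so trivial
    spelling/case variants do not lock users out, while what is stored is
    still a salted slow hash rather than the answer itself.
    """
    s = unicodedata.normalize("NFKC", answer).casefold()
    s = re.sub(r"[^\w\s]", "", s)           # drop punctuation
    return re.sub(r"\s+", " ", s).strip()    # collapse whitespace


def validate_answer(answer: str) -> str | None:
    """Return a rejection reason, or None if the answer is acceptable."""
    norm = normalize_answer(answer)
    if len(norm) < MIN_ANSWER_LEN:
        return "too short"
    if norm in COMMON_ANSWERS:
        return "too common"
    return None


def hash_answer(answer: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted scrypt over the normalized answer; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize_answer(answer).encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


class AnswerVerifier:
    """Verifies stored answers with per-account rate limiting and lockout."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}
        self._failures: dict[str, list[float]] = {}   # account -> failure timestamps
        self._locked_until: dict[str, float] = {}

    def enroll(self, account: str, answer: str) -> None:
        reason = validate_answer(answer)
        if reason:
            raise ValueError(f"weak answer: {reason}")
        self._records[account] = hash_answer(answer)

    def verify(self, account: str, answer: str, now: float | None = None) -> bool:
        now = time.time() if now is None else now
        if now < self._locked_until.get(account, 0.0):
            return False                      # locked out: do not even evaluate
        # Unknown accounts get a dummy record so the hash cost is paid either way.
        salt, expected = self._records.get(account, (b"\0" * 16, b"\0" * 32))
        _, actual = hash_answer(answer, salt)
        if account in self._records and hmac.compare_digest(actual, expected):
            self._failures.pop(account, None)
            return True
        recent = [t for t in self._failures.get(account, []) if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self._locked_until[account] = now + LOCKOUT_SECONDS
        return False
```

Even with all of this in place, a correct answer should only unlock the next step of recovery (an out-of-band challenge), never a direct credential reset.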

Better Recovery Patterns

  • MFA-based resets: Verify possession via TOTP, a push approval, or a security key before allowing a reset.
  • Recovery codes: Issue one-time offline codes at enrollment; store only their hashes and invalidate each after use.
  • Out-of-band verification: Confirmation through a verified channel; SP 800-63B treats SMS/PSTN as RESTRICTED, so prefer email or an app-based channel and guard against SIM swap where phone numbers remain in use.
  • Human-assisted recovery: ID proofing for high-assurance cases.
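The recovery-code item above, as an added Python example (not code from the original post): codes are generated with the secrets module, shown to the user once, stored only as per-account SHA-256 digests (a fast hash is fine here because the codes are uniformly random, unlike security-question answers), and each can be redeemed exactly once; issuing a new set invalidates the old one. The alphabet, code length and set size are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Alphabet without visually ambiguous characters (0/O, 1/I/L), assumed here.
ALPHABET = "23456789ABCDEFGHJKMNPQRSTUVWXYZ"   # 31 symbols; 10 chars is ~49.5 bits
CODE_LEN = 10
CODES_PER_SET = 8
REISSUE_WARNING_AT = 2      # prompt the user for a new set when this few remain


def _generate_code() -> str:
    raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
    return f"{raw[:5]}-{raw[5:]}"          # grouped so it can be written down


def _canonical(code: str) -> str:
    """Accept the code however the user typed it: lower-case, spaces, hyphens."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def _digest(account: str, code: str) -> bytes:
    # Codes are uniformly random, so a fast hash suffices; the account name is
    # mixed in so equal codes on two accounts do not produce equal digests.
    return hashlib.sha256(f"{account}:{_canonical(code)}".encode()).digest()


class RecoveryCodeStore:
    def __init__(self) -> None:
        self._sets: dict[str, list[bytes]] = {}   # account -> digests of unused codes

    def issue(self, account: str) -> list[str]:
        """Create a fresh set and invalidate any earlier one. Display once; never store plaintext."""
        codes = [_generate_code() for _ in range(CODES_PER_SET)]
        self._sets[account] = [_digest(account, c) for c in codes]
        return codes

    def remaining(self, account: str) -> int:
        return len(self._sets.get(account, []))

    def needs_reissue(self, account: str) -> bool:
        return self.remaining(account) <= REISSUE_WARNING_AT

    def redeem(self, account: str, code: str) -> bool:
        """Consume a code exactly once.

        Every unused digest is compared (no early exit) so response timing does
        not reveal which slot, if any, matched.
        """
        candidate = _digest(account, code)
        unused = self._sets.get(account, [])
        match_idx = -1
        for i, stored in enumerate(unused):
            if hmac.compare_digest(candidate, stored):
                match_idx = i
        if match_idx < 0:
            return False
        del unused[match_idx]               # single use
        return True
```

A redeemed code should be treated like a successful second factor for the reset flow only; the user should then re-enroll a primary authenticator and be pushed to generate a new set.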

2) Security Questions as a Second Factor

Using security questions during every login as a “second factor” is strongly discouraged:

  • Not independent: Still “something you know,” so password plus question is single-factor, not MFA.
  • Phishable and guessable: Answers can be elicited by phishing or social engineering as easily as the password itself.
  • Non-compliant: NIST SP 800-63B does not recognize KBA as an authenticator.

Better Second Factors

  • TOTP / authenticator apps (Google Authenticator, Authy, etc.): a genuine possession factor, though still phishable in real time.
  • Push approvals with number matching and replay protection.
  • WebAuthn / FIDO2 (passkeys) for phishing resistance.
  • Hardware OTP tokens or FIDO security keys for offline or phone-free environments.

3) What NIST Says (2024–2025)

SP 800-63B (Digital Identity Guidelines – Authentication and Lifecycle Management) does not list knowledge-based authentication (security questions) among acceptable authenticators, and it bars verifiers from prompting for this kind of information (e.g., “What was the name of your first pet?”) when users choose passwords. Neither point is new to the 2025 revision; Rev 3 (2017) already contained the prompt restriction.

The NIST SP 800-63 FAQ likewise states that knowledge-based authentication is no longer an acceptable authenticator.

Bottom line: NIST does not recognize security questions as an authenticator. Treat them as deprecated.


4) Implementation Guidance by Use Case

For Recovery

  1. Freeze scope: Stop enrolling new users in security questions; route them to MFA-based recovery.
  2. Compensating controls: Strength checks, rate limits, anomaly detection.
  3. Sunset plan: Migrate to passkeys/TOTP and remove questions once complete.

For Second Factor

  1. Stop treating questions as MFA. They add no factor diversity: a password plus a question is two things you know.
  2. Migrate to real factors: TOTP, WebAuthn, hardware tokens.
  3. Add risk checks: Device binding, geo-velocity, impossible travel detection.
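One of the risk checks named above, as an added Python example that is not from the original post: an impossible-travel detector over constructed login records (timestamp, account, source IP, and the latitude/longitude a GeoIP lookup would have returned). It pairs consecutive sign-ins per account and flags any whose implied ground speed exceeds a plausible airline speed. The 900 km/h threshold, the 50 km jitter allowance, the log format and every record are assumptions.

```python
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0   # assumed: roughly airliner speed; faster is "impossible travel"
JITTER_KM = 50.0            # assumed: ignore moves within one metro area / GeoIP noise


@dataclass
class Login:
    account: str
    ts: datetime
    lat: float
    lon: float
    ip: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_log(lines: list[str]) -> list[Login]:
    """Parse the constructed 'ts account ip lat lon' format used below."""
    out = []
    for line in lines:
        ts, account, ip, lat, lon = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        out.append(Login(account, when, float(lat), float(lon), ip))
    return out


def impossible_travel(events: list[Login],
                      max_kmh: float = MAX_PLAUSIBLE_KMH) -> list[tuple[Login, Login, float]]:
    """Return (previous, current, implied_kmh) for consecutive logins per account
    whose implied speed exceeds max_kmh. Zero elapsed time over a real distance
    counts as infinite speed."""
    by_account: dict[str, list[Login]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(e.account, []).append(e)
    flagged = []
    for logins in by_account.values():
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < JITTER_KM:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            speed = math.inf if hours <= 0 else km / hours
            if speed > max_kmh:
                flagged.append((prev, cur, speed))
    return flagged


# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    "2025-03-01T08:00:00Z alice 203.0.113.10 47.6062 -122.3321",   # Seattle
    "2025-03-01T08:45:00Z alice 198.51.100.7 52.5200 13.4050",     # Berlin, 45 min later
    "2025-03-01T09:00:00Z bob 192.0.2.44 40.7128 -74.0060",        # New York
    "2025-03-01T15:30:00Z bob 192.0.2.45 34.0522 -118.2437",       # Los Angeles, 6.5 h later
]
```

A hit should raise the assurance required for the session (step up to a phishing-resistant factor or deny), not silently fall back to a security question, which the same attacker who has the password can often answer.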

5) UX & Privacy Considerations

  • Protect answers as PII: Handle like passwords; minimize collection.
  • Reduce friction: Avoid multi-screen Q&A flows; prefer passkeys.
  • Accessibility: Passkeys and MFA apps now have broader device support; security questions don’t add inclusivity.

6) A Pragmatic 12-Month Roadmap

  1. Policy: Update standards to prohibit KBA/security questions.
  2. Technology: Enable passkeys/WebAuthn, TOTP, and recovery codes.
  3. Risk Management: Add rate limits, IP reputation checks, and screening of passwords against breach corpora.
  4. Communication: Encourage users to enroll stronger factors.
  5. Decommission: Remove questions from login and recovery once adoption reaches threshold.


Bottom Line

Security questions are obsolete for authentication and only marginally acceptable as a
temporary recovery fallback. Replace them with passkeys, WebAuthn, TOTP, and recovery codes
to align with NIST SP 800-63B and modern identity security best practices.

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.

Anuj Varma writes at Anuj Varma, Hands-On Technology Architect, Clean Air Activist.