Users, however, often set up the answers to their secret questions at the same time as their user ID and password. So months later, when they have to answer a secret question, they've already forgotten the secret answer too, defeating the whole point of KBA.
There are also design and implementation issues with KBA. How many questions should be used? Should a series of prepared questions be offered to users at registration, or should users be allowed to make their own up? Usability studies have shown that KBA systems often confuse users, and they do better when offered a set of canned questions to choose from. Other studies have shown that requiring users to answer two questions isn't much more secure than having them answer one.
There can be other complications with KBA as well. One is cultural issues, particularly if your company operates internationally. Questions that are perfectly reasonable in one country may be either irrelevant or offensive in another. Security is another matter. The famous "mother's maiden name" question has already been compromised by identity thieves. One of the first destinations of a credit card thief is often a genealogical Web site in order to obtain this information on their victims, using that small bit of information to eventually steal a victim's complete identity.
When it comes to formulating the perfect KBA question, unfortunately there is no formula. Questions fall into two categories: factual, like "What was the name of your high school?" or "What city were you born in?" or, they can be about preferences, as in "What is your favorite color?" or "What is your favorite food?"
If privacy is a concern, the best mix of questions should probably come from both categories. For factual questions, a best practice could be to use information that the enterprise already has, as you suggest.
An interesting product you might want to take a look at is ExpectID IQ from IDology Inc. ExpectID is a service that creates questions from public records. The product generates neutral questions, like information about someone's prior address.
It's worth noting that security guru Bruce Schneier has said that secret questions actually lower security. Schneier claims that answers to secret questions are actually weaker than passwords, since they are basically easily guessed words. And, since they're used for bypassing passwords, they weaken rather than enhance the security of user ID and password systems.
For more information:
This was first published in April 2007