KBA should be customer driven
Doug Mitchell
Everyone uses the same questions like "mother's maiden name", "1st pet", etc. I and at least 1 other independently started fibbing to avoid the obvious hazards (baddies can generally find these on the web, they are easily social-engineered, or, if stolen from one company, they are good for all). Then of course we lost track of all the different fibbing for various companies (which one did I give maternal grandmother's maiden name, which the paternal, etc.). Security questions should be created by _customers_ to be easily and reliably memorable yet different for every company and not so easily looked up. Like I might give the challenge question "What's purple and commutes?", answer "An Abelian grape". Well, not quite a good example because that mathematician joke is findable on the web, but I have many others that are not. Bits of trivia from uncommon personal expertise, in-jokes, more obscure personal memories, anything one will never have to look up if the question is asked, but which will be hard to search or social engineer.
--Doug