A security question is a knowledge-based recovery check used to confirm a user's identity during account recovery, after lockout, or during password reset. It depends on information the user is expected to remember, but that information is often guessable, researchable, or already exposed through breach data and public records, which makes it weak for high-assurance authentication.
Expanded Definition
A security question is a recovery factor that asks a user to recall personal information, such as a childhood address or first pet, to regain access after lockout or password reset. In identity security, it is a low-assurance control because the answer is often discoverable through social media, data broker records, or breach data.
Vendors differ on whether security questions count as knowledge-based authentication (KBA) or are simply a legacy recovery mechanism, and no single standard fixes the terminology. The underlying weakness is addressed directly, though: in its memorized secret requirements, NIST SP 800-63B bars verifiers from prompting subscribers for specific types of personal information (its own example is the name of a first pet) because such facts are guessable. In practice, security questions are evaluated alongside password reset flows, help-desk identity proofing, and account recovery policy. The NIST Cybersecurity Framework 2.0 reinforces the broader need to manage identity risk through stronger authentication and recovery processes rather than easily guessed facts.
For NHI Management Group, the key distinction is that a security question depends on human memory, while modern recovery should depend on verifiable, revocable, and audit-ready signals. The most common misapplication is treating security questions as a second factor. A security question is the same factor type as the password (something the user knows), so a password plus a question is still single-factor; teams that count it as MFA are assuming memorized personal facts provide assurance comparable to possession-based or phishing-resistant methods, which they do not.
Examples and Use Cases
Even a careful implementation of security questions trades usability against assurance: organisations must weigh faster self-service recovery against the risk of account takeover and support escalation.
- A consumer app asks for a mother’s maiden name during password reset, even though the answer can be inferred from public records.
- A help desk uses static questions to approve account recovery for a workforce user, despite the organisation already having MFA and device signals.
- A legacy portal stores question answers in plaintext or with a fast, unsalted hash, creating a secondary credential store that is attractive after a breach and, because people give the same answers everywhere, reusable against other sites.
- An operations team documents recovery prompts in a runbook, but the questions remain unchanged for years, making them easier to research over time.
- An identity program replaces security questions with stronger recovery options informed by NIST Cybersecurity Framework 2.0 principles and lifecycle controls described in Ultimate Guide to NHIs.
These examples show that the term is not just about user convenience. It is about whether recovery resists basic research, insider knowledge, and replay of answers exposed in other breaches.
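The storage weakness in the legacy-portal example, and the guessability that persists even when answers are stored well, can be shown in a few dozen lines. The following is an added example written for this page; it is not code from NHI Mgmt Group or any product it describes. The user answer, the attacker's guess list, and the lockout threshold are constructed for illustration; a real deployment would benchmark the scrypt work factor on the verifier host and rate-limit per account rather than per session.

```python
"""Added example (not from the original page): store security-question
answers as salted, slow-hashed secrets with constant-time verification, and
show why a correctly stored answer still falls to a short guess list.

Everything below (the sample answer, COMMON_PET_NAMES, the attempt limit) is
constructed for illustration.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# scrypt parameters (hashlib.scrypt is standard library). n=2**14 is a modest
# work factor so the example runs quickly; production values should be
# benchmarked on the verifier host.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so 'Fluffy ', 'fluffy' and 'FLUFFY!' match.
    Case-folding and stripping punctuation reduce false rejections; they also
    discard a few bits of entropy the answers never really had."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> tuple:
    """Derive a per-answer salted scrypt hash. Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize_answer(answer).encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_answer(answer: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    _, digest = hash_answer(answer, salt)
    return hmac.compare_digest(digest, stored)


class RecoverySession:
    """One recovery attempt: counts failures and locks after max_attempts
    (None disables the limit, which is what many legacy flows effectively do)."""

    def __init__(self, salt: bytes, stored: bytes, max_attempts: Optional[int] = 3):
        self.salt, self.stored = salt, stored
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def try_answer(self, answer: str) -> bool:
        if self.locked:
            return False
        if verify_answer(answer, self.salt, self.stored):
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True
        return False


# Constructed attacker guess list of first-pet names; real lists come from
# breach dumps and name-frequency tables and are far longer.
COMMON_PET_NAMES = ["max", "bella", "charlie", "lucy", "buddy", "daisy", "fluffy"]


def guess_attack(session: RecoverySession, guesses: list) -> tuple:
    """Replay a guess list against a session. Returns (success, guesses_used)."""
    for i, guess in enumerate(guesses, 1):
        if session.try_answer(guess):
            return True, i
        if session.locked:
            return False, i
    return False, len(guesses)


if __name__ == "__main__":
    salt, stored = hash_answer("Fluffy")  # constructed user answer
    print(verify_answer(" fluffy ", salt, stored))           # normalisation: True
    print(guess_attack(RecoverySession(salt, stored), COMMON_PET_NAMES))        # locked after 3
    print(guess_attack(RecoverySession(salt, stored, None), COMMON_PET_NAMES))  # answer falls on guess 7
```

The point of the two `guess_attack` runs is the page's argument in miniature: salting, a slow KDF, and constant-time comparison stop the stored answers from becoming a cheap second credential dump, and attempt limiting slows online guessing, but neither changes the fact that the answer itself is drawn from a small, researchable space.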
Why It Matters in NHI Security
Security questions matter because weak recovery is often the point where a strong login stack fails. Once an attacker bypasses normal authentication through a reset or support channel, the entire control environment is undermined. That is especially relevant in NHI security: non-human identities do not answer security questions themselves, but the human owners and administrators who create, rotate, and approve them do, so a weak reset path on those accounts is a path to secrets, API access, and privileged automation. NHI Mgmt Group research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which makes any weak recovery workflow a serious governance issue.
In broader identity programs, recovery must be treated as part of the attack surface, not as a clerical backstop. The Ultimate Guide to NHIs emphasizes that visibility, rotation, and offboarding all depend on trustworthy identity lifecycle controls, while NIST Cybersecurity Framework 2.0 frames recovery as part of identity protection and resilience. Organisations typically encounter the consequences only after a phishing incident, support desk compromise, or breached customer dataset, at which point security questions can no longer be ignored.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | IAL2 (SP 800-63A); memorized secret and recovery requirements (SP 800-63B) | Recovery that cannot be tied to a remaining authenticator amounts to re-proofing, so proofing strength matters; 800-63B also bars verifiers from prompting for specific personal facts such as a first pet's name. |
| NIST CSF 2.0 | PR.AA | Authentication and access authorization cover recovery flows that reset identity trust. |
| OWASP Non-Human Identity Top 10 | NHI-09 | Weak recovery can expose secrets and privileged non-human identities after compromise. |
Treat recovery as part of authentication risk and remove weak question-based resets.
Reviewed and updated by the NHIMG editorial team on May 29, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org