I'm not a security expert, but I just can't see how adding security questions to an online account on top of a password is anything but a nuisance that just weakens security. Especially when most answers to these questions are just names or single words that are easily researchable online. Why is there so much expert advice on strong passwords, yet the industry doesn't condemn security questions? What am I missing? Am I just wrong here, or should there be a clear message to just get rid of them? I hate it when sites make me add security questions to my account; isn't it so much better to just let me reset a forgotten password through my email?</rant>
We've gotten rid of ours and replaced it with a token/reset system (online) and human verification when the online methods can't be validated. We have 80+ years of customers, and many will never be comfortable with online verification.

One of the arguments used against keeping 'security' questions was one of asking if the fields had any business or even marketing purpose, if not security. We all know how easy it is to find out someone's mother's maiden name or high school, and letting someone set their own questions and answers isn't much better. "Do we need to keep a database of 900,000 people's favorite color to be more secure?" was a good thought to start the meme.

The security questions were doing us no favours and helped bring our 43-field registration system down to three fields (email, password, membership number). Users are then sent a token via the email, and don't exist in the online system until the token is redeemed. Resets work the same way, disallowing access to the site until the reset token is used, with Devise (Rails).
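As an added illustration of the flow the reply above describes (three-field registration, an emailed token that must be redeemed before the account is usable, and a reset that locks the account until its token is used), here is a self-contained Ruby sketch. It is example code written for this thread, not Devise's or the poster's implementation; the class and method names, the two-hour token lifetime, the in-memory hashes standing in for database tables and the PBKDF2 parameters are all assumptions. The points it makes concrete are that only a digest of the token is stored, that a token is single-use, purpose-bound and time-limited, and that login is refused while confirmation or a reset is outstanding.

```ruby
require 'securerandom'
require 'digest'
require 'openssl'

# Added example: a minimal token-based registration and password-reset flow
# of the kind described in the post above (not Devise's own code).
class AccountStore
  TOKEN_TTL = 2 * 60 * 60 # seconds a token stays valid (assumed value)

  Account = Struct.new(:email, :membership_number, :salt, :password_hash,
                       :confirmed, :reset_pending)
  TokenRecord = Struct.new(:email, :purpose, :expires_at, :used)

  def initialize
    @accounts = {} # email => Account (stands in for a users table)
    @tokens = {}   # SHA-256 hex digest of raw token => TokenRecord
  end

  # Registration takes only the three fields the post mentions. The account
  # record exists but cannot log in until the emailed token is redeemed.
  def register(email, password, membership_number, now: Time.now)
    salt = SecureRandom.random_bytes(16)
    @accounts[email] = Account.new(email, membership_number, salt,
                                   hash_password(password, salt), false, false)
    issue_token(email, :confirm, now) # raw token, to be sent by email only
  end

  def redeem_confirmation(token, now: Time.now)
    record = consume_token(token, :confirm, now) or return false
    @accounts[record.email].confirmed = true
    true
  end

  # Requesting a reset locks the account until the reset token is used,
  # mirroring "disallowing access to the site until the reset token is used".
  def request_reset(email, now: Time.now)
    account = @accounts[email] or return nil
    account.reset_pending = true
    issue_token(email, :reset, now)
  end

  def complete_reset(token, new_password, now: Time.now)
    record = consume_token(token, :reset, now) or return false
    account = @accounts[record.email]
    account.salt = SecureRandom.random_bytes(16)
    account.password_hash = hash_password(new_password, account.salt)
    account.reset_pending = false
    true
  end

  def login?(email, password, now: Time.now)
    account = @accounts[email] or return false
    return false unless account.confirmed && !account.reset_pending
    constant_time_equal?(account.password_hash, hash_password(password, account.salt))
  end

  private

  def issue_token(email, purpose, now)
    raw = SecureRandom.urlsafe_base64(32)             # 256 bits of entropy
    @tokens[Digest::SHA256.hexdigest(raw)] =           # store only the digest
      TokenRecord.new(email, purpose, now + TOKEN_TTL, false)
    raw
  end

  # Returns the record if the token is known, unused, unexpired and issued
  # for this purpose; marks it used so it cannot be replayed.
  def consume_token(raw, purpose, now)
    record = @tokens[Digest::SHA256.hexdigest(raw.to_s)]
    return nil if record.nil? || record.used || record.purpose != purpose
    return nil if now > record.expires_at
    record.used = true
    record
  end

  def hash_password(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 100_000,
                             length: 32, hash: 'sha256')
  end

  # Byte-wise comparison that does not short-circuit on the first mismatch.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The raw token is returned from `register` and `request_reset` only so the caller can put it in the email; nothing else should ever see it, and because the store keeps only its SHA-256 digest, a leaked copy of the token table does not let anyone confirm accounts or complete resets. Checking `purpose` stops a confirmation link from being replayed as a reset link, and the `now:` argument exists so the expiry logic can be exercised without waiting.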