Security questions are a common method of identity authentication—one you’ve probably encountered before. When creating an account or signing up for a service online, users will confidentially share the answers to secret questions with a provider. Typically, these security questions and answers are used for self-service password recovery—inputting the correct answer verifies the user and allows them to reset their password—though you can also implement security questions as an additional authentication factor for logins.

However, we don’t advise relying on security questions alone for either of these use cases. While they’re simple to set up, security answers are hackable, guessable, and vulnerable to theft in much the same way that passwords are. That said, if you’re still interested in protecting your organisation with security questions, this blog post will help you understand what constitutes a good security question and answer, and the best practices for using them effectively.

Types of.