When setting up an online account at Fidelity Investments, I was first prompted to set up a single security question, and then to set up three more. Unfortunately I didn’t get an image of the original question and I don’t know what happened to it.
Fidelity is fairly clear how the questions and answers are used. If you press a “Why do I need this” link, the following pops up:
The first two sets of questions are fairly standard: most of the prompts involve information that can be determined with just a little research. I have to say that the “favorite restaurant in college” question is creative, but you can look on LinkedIn to find out where many people went to college, and find popular restaurants nearby (although my favorite closed long ago). But the third question is different and quite unusual: All the answers are 4 or 5 digits, and have very low entropy (around 8 bits for mmdd responses, even less for year of marriage [is this option for people who can’t remember their wedding date?]. Hopefully they need answers to all three.
After going through this, the user is congratulated:
My online account access is even more secure? No, it’s definitely not more secure if you create an additional way into my account. But it is good to know that I’ll get a confirmation — but why would e-mail take a few days? If a password reset was fraudulent, I would want to know right away.
Contributed by myself (Jim Fenton)