I recently got to renew my driver’s license online rather than go to the Department of Motor Vehicles office. Naturally, this required that I create an account at the DMV, and of course they had security questions for me to supply answers to. Two sets this time, but both drawn from the same list of prompts:
Having only one list of questions is of course more limiting: you need to pick 2 of the 10 questions to answer (truthfully or not). There is a little creativity here: the question about the prom is not one I have seen elsewhere. But the question about who you voted for is terrible. A 50-year-old may have voted in only 7 presidential elections, and most likely voted for one of the two major-party candidates in each (immigrants have the possible advantage of unusual answers here). That is at most 7 × 2 = 14 plausible answers, or log2(14) ≈ 3.8 bits. The space narrows further if you can estimate the person’s age, since they likely first voted close to the time they became eligible. So no more than 4 bits of entropy here, and perhaps less.
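To make the estimate above concrete, here is an added example (not part of the original post) that models the answer space of the voting question. It assumes the question asks for the first presidential candidate the person voted for, that only the two major-party nominees are plausible answers in any election, that the voting age is 18 throughout (it was 21 in most states before 1971, which this ignores), and that people cast their first presidential vote within a small window of elections after becoming eligible. The numbers it produces are upper bounds under a uniform-guess model; real answer distributions are even more skewed.

```python
"""Estimate the entropy of a 'who did you first vote for' security question.

Added example, not from the original post. Assumptions (all labelled):
- The question asks for the first presidential candidate the person voted for.
- Each election contributes two plausible answers (major-party nominees), so we
  count elections rather than names; no real candidate data is used.
- Voting age is 18 (it was 21 in most states before 1971; ignored here).
- A person's first presidential vote falls within the first
  `first_vote_window` elections for which they were eligible.
"""
import math

VOTING_AGE = 18               # assumption: 18 throughout
CANDIDATES_PER_ELECTION = 2   # assumption: major-party nominees only
CYCLE = 4                     # US presidential elections are every 4 years
FIRST_ELECTION_YEAR = 1952    # earliest election considered (assumption)


def elections_voted_in(birth_year, current_year):
    """Presidential election years in which the person was old enough to vote.

    Eligibility is approximated as 'turned VOTING_AGE in or before the election
    year'; birthdays relative to election day are ignored.
    """
    first_eligible = birth_year + VOTING_AGE
    return [y for y in range(FIRST_ELECTION_YEAR, current_year + 1, CYCLE)
            if y >= first_eligible]


def answer_space(birth_year, current_year, first_vote_window=None):
    """Number of distinct plausible answers for a person of known birth year.

    If first_vote_window is given, only that many elections after eligibility
    are considered (assumption: first vote is cast near the time of eligibility).
    """
    years = elections_voted_in(birth_year, current_year)
    if first_vote_window is not None:
        years = years[:first_vote_window]
    return len(years) * CANDIDATES_PER_ELECTION


def entropy_bits(n_answers):
    """Bits of entropy if every one of n_answers were equally likely (an upper bound)."""
    return math.log2(n_answers) if n_answers > 0 else 0.0


def attacker_estimate(age_estimate, age_uncertainty, current_year, first_vote_window):
    """Answer space for an attacker who knows the age only to +/- age_uncertainty.

    Takes the union of the plausible first-vote elections over every birth
    year consistent with the age estimate.
    """
    years = set()
    for age in range(age_estimate - age_uncertainty, age_estimate + age_uncertainty + 1):
        birth_year = current_year - age
        years.update(elections_voted_in(birth_year, current_year)[:first_vote_window])
    return len(years) * CANDIDATES_PER_ELECTION


if __name__ == "__main__":
    # Constructed scenario: a 50-year-old in 2013 (birth year 1963).
    current_year, birth_year = 2013, 1963
    full = answer_space(birth_year, current_year)
    narrowed = answer_space(birth_year, current_year, first_vote_window=2)
    fuzzy = attacker_estimate(50, 3, current_year, first_vote_window=2)
    print(f"all eligible elections:        {full:2d} answers, {entropy_bits(full):.2f} bits")
    print(f"first vote within 2 elections: {narrowed:2d} answers, {entropy_bits(narrowed):.2f} bits")
    print(f"age known only to +/-3 years:  {fuzzy:2d} answers, {entropy_bits(fuzzy):.2f} bits")
```

Even with a sloppy age estimate (plus or minus three years) and a generous two-election window, the attacker is left with about six candidate answers, far less than the roughly four bits of the naive count and nowhere near what a password policy would accept. The same function can be pointed at any question whose answer set is enumerable from public facts; the voting question is just an unusually clear case.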
The context of the security questions here is more troubling. The registration form places these questions between the email address (which you need to enter twice) and the driver’s license/ID number, date of birth, last 4 digits of Social Security Number, and driver’s license/ID issue date, all of which must be answered truthfully, and match DMV records, for the registration to succeed. Sandwiching the security questions among fields that are checked for accuracy discourages users from doing the secure thing, which is to make the answers up.
Contributed by myself (Jim Fenton)