American Express recently added these "3 questions" to my account, and it made me very mad. For one thing, their "request" was persistent; it eventually wouldn't let me log in until I provided them, so they were really a requirement. "For security", of course, even though there's evidence [1] they make security worse.
To make it more insulting, though, I discovered that the implementation was very dumb:
1. The questions were fixed, and extremely stupid. Any of them could probably be guessed by someone with a few minutes to Google.
2. The question lists were too short, making it difficult to pick a really hard-to-guess answer.
3. The lists were unique to each question. So if I saw 2 questions I liked in the first slot, I could choose only one of them, and if the 2nd slot had completely inane options, I had to choose one of the inane options.
4. The last question didn't even offer options that applied to me. So suddenly, for "security", I had to remember which unrelated question I selected, and which made-up response I provided. Thanks a hell of a lot, AE.
I worked with a system administrator once. He didn't understand two factor security. So he told everyone to remember two passwords.
Maybe he now works at American Express.
I see exactly the same thing with most "security improvements". Hence treat each answer as just another password: a random string of characters, numbers and punctuation.
I usually give a different email address to each service that I sign up to, so I can tell if they are selling my address, but I never thought of giving a different mother's maiden name so I can detect phishing. It's a reasonable strategy, but I have trouble remembering the name of my elementary school, my favorite color (I don't care), the make of my first car (my parent's or the one I actually paid for) ... However, I will try the strategy of giving a couple of wrong answers to weed out the fakes.
The issue with providing an answer that is a meaningful response is that one can in fact guess and often get it right. Second, most sites that use these secret answers (favorite color, first car, ...) don't have a mechanism to lock out after a certain number of incorrect attempts.
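Two points raised in this thread, treating each answer as a random password and locking out after repeated wrong guesses, as an added example that is not code from the thread or from any site discussed: a small Python store that hashes answers the way passwords are hashed and locks the account after MAX_ATTEMPTS failures. The threshold, lockout window and PBKDF2 iteration count are assumed values.

```python
import hashlib
import hmac
import os
import secrets
import string
import time

MAX_ATTEMPTS = 5          # assumed policy: failures before lockout
LOCKOUT_SECONDS = 900     # assumed policy: lockout window
PBKDF2_ITERATIONS = 100_000


def random_answer(length=20):
    """Make a secret answer that is just another password: random characters, digits, punctuation."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _normalize(answer):
    # Case and surrounding whitespace should not matter for a human-typed answer.
    return " ".join(answer.strip().lower().split())


def _hash(answer, salt):
    # Store answers like passwords: salted, slow hash, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, PBKDF2_ITERATIONS)


class SecretAnswerStore:
    def __init__(self):
        self._records = {}  # account -> salt, digest, failure count, lockout expiry

    def enroll(self, account, answer):
        salt = os.urandom(16)
        self._records[account] = {"salt": salt, "digest": _hash(answer, salt),
                                  "failures": 0, "locked_until": 0.0}

    def verify(self, account, answer, now=None):
        """Return 'ok', 'wrong', 'locked' or 'unknown'. A locked account never reveals a correct guess."""
        now = time.time() if now is None else now
        rec = self._records.get(account)
        if rec is None:
            return "unknown"
        if now < rec["locked_until"]:
            return "locked"
        if hmac.compare_digest(rec["digest"], _hash(answer, rec["salt"])):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            rec["failures"] = 0
            rec["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"
```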
This is a really good idea. You could have all the emails forward to one master account, and then when one started forwarding spam, you could cut it off.
[1] http://www.schneier.com/blog/archives/2009/05/secret_questio...