Online Security Questions Are Not Very Effective. I Still Love Them.

The website for an airline wanted to know what musical instrument I played: none, though once upon a time I played the piano, badly. It also wanted to know my favorite flavor of ice cream: cookie dough, probably, though it’s something of a tie with peanut butter cup. Finally, the website asked, “Who is your favorite artist?” It offered me a drop-down menu featuring comically disparate options — among them Banksy, Norman Rockwell, Gustav Klimt, Richard Serra and Shepard Fairey.

I have been asked all kinds of questions by the interfaces of major corporations for the purposes of “security.” Some security questions seem simple, almost cliché: “What is your mother’s maiden name?” (My mother kept hers, and then divorced.) “What color was your childhood house?” (Yellow, though first it was blue and then it was painted and then it was sold.) “Who was your childhood best friend?” (Annika — easy.) Others are more difficult, for their reliance on preferences, which they take to be fixed: favorite movie, favorite song, favorite color, even favorite activity. Sometimes they cut straight to the heart, as when I was given the option to select the security question “What is the love of your life?” (There was some odd poetry here — not “who,” but “what.”) I was trying to open a bank account when I found myself wondering, incongruously: What do I really love, above all else?

Online security questions have the feel of the icebreakers we might have played in middle school, or maybe second-date questions; they require us to self-define using arbitrary markers. They’re like treehouse secret passwords, in a game played with yourself. I have come to love them over the years, these sudden, strange, personal inquiries that guard our entrance into some of the internet’s most impersonal zones.

The assumption was that your mother’s maiden name would have faded so far into the past that almost no one else could possibly have known it.

Security questions were invented to solve a problem at once existential and practical: How can you prove that you are you? According to research done by Bonnie Ruberg, a professor at the University of California, Irvine, security questions came into being around 1850. The Emigrant Industrial Savings Bank was founded for Irish immigrants in New York, many of whom encountered discrimination at other banks. In the mid-19th century, banks often used signatures to authenticate people’s identities, but many of the Emigrant Industrial Savings Bank’s clients could not read or write. So it created a “test book” that contained a wealth of personal information. When clients came in, clerks asked them about their personal history and relations to verify their identities. Sometimes they even asked the quintessential question, “What is your mother’s maiden name?” (The assumption was that your mother’s maiden name would have faded so far into the past that almost no one else could possibly have known it.) This practice caught on and expanded to other banks over the course of the next 50 years — they came to be called “challenge questions,” or “question-and-answer passwords,” or, my favorite, “shared secrets.”

Unfortunately, security questions are not very effective for security in the age of the internet. They are often easy to guess (your mother’s maiden name, which may still be her last name, is widely accessible information). A 2009 study found that users’ acquaintances could predict their security answers 17 percent of the time. Digital-security experts advise that we do away with them in favor of two-factor identification and better methods of protection. And yet security questions linger, surprisingly hard to dislodge from the architecture of the internet, out of some combination of cost-cutting, technical challenges and inertia. We are in that strange moment of technological in-between, the impending and necessary twilight of the security question.

I love a shared secret — even one between myself and my online banking system — and am already beginning to mourn the loss of security questions. They feel like antidotes to the sameness of the contemporary internet. Unlike the homogenized corporate sites to which they grant you entry, security questions’ essential randomness feels like a vestige of a past internet. They are addressed to me, personally, out of the blue, and they prod me to consider what makes me uniquely me. They are artifacts of an era when society thought differently about what constituted identity and how to prove it, when who we were wasn’t rooted in the idea of objective documents like passports and driver’s licenses, but in personal, often hereditary knowledge that could be shared.

There is something beautiful about this alternative articulation of the self. Rather than presenting yourself as the sum of objective facts — eye color, height, place of birth — you are instead asked to choose a favorite song. There is something essentially childlike about this; when I was young, I held my preferences like talismans, as I tried both to locate myself in the world and tell others who I was. I selected a favorite baseball player, and repeated it over and over: Derek Jeter, Derek Jeter, Derek Jeter. (In a diary I kept when I was 9, I compared two friends and wrote that one of them was a better match for me because we were both “huge Yankees fans.”) These things fluctuate; they are inexact. But the shifting landscape of my tastes, affinities and random personal trivia are, I think, more essential to who I am than my date of birth. I am still surprised and delighted to encounter another person, a kindred spirit, who shares my favorite song.

Sophie Haigney is a critic and journalist who writes about visual art, books and technology.