
Question

For enhanced security, we can use security questions and use them as a means for users to reset forgotten passwords or as an additional means for authenticating.

When would be the right time to ask the user to select the questions and set the answers?

1- at the time a new user creates a new account with the web application (enter username, password, and answer security questions)?

2- or at the time of first log in (after confirming the e-mail is valid)?

Are there any security or user experience factors that would favour one of these options?

Explanation / Answer

So you are still relying on one-factor authentication (something the user knows) and are thereby gaining little in terms of security. What you want to do is implement something where the user gets a text message or some type of token sent to a device that they control.

However, to answer the question you posed, from a pure UX perspective, don't ever ask them to supply a set of security questions unless the user explicitly requests to have their account be recoverable. This can be handled by allowing a user to edit their profile and mark a check box that says "I would like to recover my account". This process would then spawn a modal that has them generate security questions in the event they lose their password.
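The following is an added example illustrating the two points made in the answer above; it is not code from the original post or its author. It models the opt-in enrollment the answer describes (security questions are only collected once the user ticks the "I would like to recover my account" option) and then requires both the security answers and a short-lived token delivered to a device the user controls before a password reset proceeds. The `Account` class, the function names, the in-memory store and the sample questions are all constructed for this example; a real application would persist this in a database and deliver the token out of band (SMS or an authenticator app), never in the web response.

```python
import hashlib
import hmac
import os
import secrets
import time
import unicodedata


class Account:
    """Constructed in-memory account record for the example (no real database)."""

    def __init__(self, username):
        self.username = username
        self.recovery_enabled = False  # the opt-in checkbox from the answer above
        self.security_answers = {}     # question text -> (salt, pbkdf2 hash of answer)
        self.pending_token = None      # (token, expiry) sent to the user's own device


def _normalize(answer):
    # Security answers are matched loosely: Unicode-normalized, trimmed and case-folded,
    # so " Main Street " and "main street" are accepted as the same answer.
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def _hash_answer(answer, salt, iterations=200_000):
    # Answers are stored like passwords: salted and stretched, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, iterations)


def enable_recovery(account, questions_and_answers):
    """Called only after the user explicitly opts in to account recovery."""
    if len(questions_and_answers) < 2:
        raise ValueError("require at least two security questions")
    for question, answer in questions_and_answers:
        salt = os.urandom(16)
        account.security_answers[question] = (salt, _hash_answer(answer, salt))
    account.recovery_enabled = True


def verify_answers(account, attempts):
    """True only if every enrolled question is answered correctly (no early exit)."""
    if not account.recovery_enabled:
        return False
    ok = True
    for question, (salt, expected) in account.security_answers.items():
        given = attempts.get(question, "")
        # Constant-time comparison; evaluate every answer so timing does not reveal
        # which one failed.
        ok = hmac.compare_digest(_hash_answer(given, salt), expected) and ok
    return ok


def issue_device_token(account, now=None, ttl=600):
    """Create a single-use token to be delivered to the user's device (simulated here)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)
    account.pending_token = (token, now + ttl)
    return token  # in a real system this goes out of band, not back to the browser


def begin_password_reset(account, answers, token, now=None):
    """Both factors are required: the security answers and the token from the device."""
    if not account.recovery_enabled or account.pending_token is None:
        return False
    expected_token, expiry = account.pending_token
    now = time.time() if now is None else now
    account.pending_token = None  # single use, whether or not the attempt succeeds
    token_ok = hmac.compare_digest(token.encode(), expected_token.encode()) and now < expiry
    answers_ok = verify_answers(account, answers)
    return token_ok and answers_ok


if __name__ == "__main__":
    # Constructed walk-through: user opts in, later recovers with both factors.
    acct = Account("alice")
    enable_recovery(acct, [("First pet?", "Rex"), ("City of birth?", "Lisbon")])
    tok = issue_device_token(acct)
    print(begin_password_reset(acct, {"First pet?": " rex ", "City of birth?": "LISBON"}, tok))
```

Note that `begin_password_reset` consumes the token even on failure, so each delivered token gives exactly one attempt; the caller should also rate-limit and log failed attempts, which is left out here.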