This article was published more than a year ago. The information may be outdated.
I was recently asked to update my security questions at a reputable site. They wanted three of them, and I filled them out. Once I’d done so, I became somewhat uneasy. The reason is that the questions were all presets, not questions that I chose myself. More worryingly, they either have answers that frequently change (favourite actor, movie, or band), have no single correct answer (first pet), or (and to my mind worst of all) are easily researched (names of family members and friends).
So, if they are so bad, what is a better solution? Two-factor authentication. There are several approaches to this, but they all boil down to adding another layer of security. My preferred solution is a one-time code generator (such as SecurID tokens, or apps such as Google Authenticator, which derive a fresh code from a shared secret every 30 seconds), but pre-generated lists of single-use codes are good, too.
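To make the two mechanisms concrete, here is an added example (not code from the original post, and not the internals of SecurID or Google Authenticator) implementing what such apps do: HOTP/TOTP one-time codes per RFC 4226 and RFC 6238, a server-side verifier that tolerates a little clock skew but refuses replayed codes, and a pre-generated list of single-use backup codes stored only as hashes. The shared secret is the RFC test vector (ASCII "12345678901234567890"), used so the output can be checked against the published values; a real deployment generates a random secret per user. The class and function names are this example's own.

```python
"""TOTP/HOTP one-time codes (RFC 4226 / RFC 6238) plus hashed single-use backup codes.

Added example: stand-alone Python, not code from the original post.  The RFC test
secret and the in-memory backup-code store are constructed here for illustration.
"""
import hashlib
import hmac
import secrets
import struct

# RFC 4226 / RFC 6238 reference secret; a real deployment generates a random one per user.
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks a 4-byte window
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(unix_time) // STEP_SECONDS, digits)


class TotpVerifier:
    """Server-side check: constant-time compare, +/- `window` steps of clock skew,
    and refusal to accept a step at or below the last accepted one (no replay)."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self.last_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = int(unix_time) // STEP_SECONDS
        for step in range(now_step - self.window, now_step + self.window + 1):
            if step <= self.last_step:
                continue                            # already consumed: a replayed code fails
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


def generate_backup_codes(count: int = 10) -> tuple[list[str], set[str]]:
    """Pre-generated single-use codes: the user is shown the plaintext list once; the
    server keeps only SHA-256 digests (like password hashes).  Returns (plaintext, stored)."""
    plaintext = [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(count)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in plaintext}
    return plaintext, stored


def redeem_backup_code(stored: set[str], code: str) -> bool:
    """Accept a backup code once, then remove its digest so it can never be reused."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)
        return True
    return False


if __name__ == "__main__":
    print(hotp(RFC_TEST_SECRET, 0))       # 755224  (RFC 4226 test vector, counter 0)
    print(totp(RFC_TEST_SECRET, 59))      # 287082  (RFC 6238 test vector at T=59, 6 digits)
    v = TotpVerifier(RFC_TEST_SECRET)
    print(v.verify("287082", 59), v.verify("287082", 59))  # True False: second use is a replay
    codes, store = generate_backup_codes(3)
    print(redeem_backup_code(store, codes[0]), redeem_backup_code(store, codes[0]))  # True False
```

Two details matter in practice: compare codes with `hmac.compare_digest` rather than `==` so the check does not leak timing, and never store backup codes in plaintext; once redeemed, a code's digest is deleted, which is what makes it single-use even if the database is later copied.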
My point is this: security questions are the authentication method least resistant to social engineering, and they should be done away with.