re: Why don't websites allow users to create their own security questions? VIEW POST

FULL DISCUSSION
 

Because security questions are an additional attack vector and should not be used at all. The dev-time is better invested in enforcement and encouragement of long & secure passwords and 2FA.

 

What would be your workflow for password reset? That is the typical use case for security questions.

 
code of conduct - report abuse