re: Why don't websites allow users to create their own security questions? VIEW POST


Because security questions are an additional attack vector and should not be used at all. The dev-time is better invested in enforcement and encouragement of long & secure passwords and 2FA.


What would be your workflow for password reset? That is the typical use case for security questions.

code of conduct - report abuse