Because many users forget their passwords, web sites which require a username and password often have an option to allow you to reset your password. They can’t simply let anyone reset your password, or else hackers would reset the passwords of any accounts they wished to get access to, so the site still needs to verify your identity somehow. This leads to a catch-22, because the whole point of your password in the first place was to verify your identity. You’re stuck in a situation where you need to verify your identity so that you can reset your password so that you can verify your identity.

I believe security experts have categorized the methods of identifying someone into three broad categories: Something you have (keys), something you are (biometrics) or something you know (passwords) The first two methods are infeasible over the internet, which is why “something you know” is pretty much the only way websites have of verifying your identity. Under ideal situations, users would “know” their passwords, but since in practice sometimes they don’t, sites need to ask about something else the user would know to verify their identities.

Thus, these “secret questions” are basically a second password, and in poorly designed security systems, they can be used as an alternative to the password. Let’s say the user is very security-conscientious and chooses a strong password like “xZTFnpoC9Hj2fOsV5vh7”. The strength of that password is rendered moot if someone can get access to the account simply by answering a secret question like “What if your mother’s maiden name?” or “What highschool did you go to?”, information that is often easily findable by doing a bit of Googling.

These weakness can be mitigated somewhat by having it such that when someone successfully answered the security question, that person is not immediately granted access to the site, but instead an e-mail is sent containing the new, reset password, to the e-mail address the account holder originally associated with the account. This has its own difficulties, as sometimes users do not want to divulge their e-mail information (for fear of spam), or if the user doesn’t have an e-mail account at all (e.g. when the site they are trying to get access to is their e-mail, such as Hotmail or GMail).

Researchers at Microsoft prototyped an alternative system on Hotmail where instead of asking a secret question, you were asked to have some trusted friends vouch for you. When signing up for a Hotmail account, the volunteers were asked to list a number of friends as “trustees”. When you wanted to reset your password, your friends would each be sent a different pieces of the reset code. You’d have to gather a certain amount of those codes from your friends and submit them to the site to regain access.

When I say “a certain amount of those codes”, I mean for example if you specified 4 friends, all 4 friends would be sent different codes, but you’d only need to gather 3 of them. You want to ensure that more than 1 code is needed to reset your passwords, to avoid any one of your friends being able to break into your account. By requiring a high percentage, like 3 out of 4, your friends would only break in if they were conspiring against you (in which case you’ve got bigger problems), or if something exceptional happened (you died, or went into a coma, and your loved ones needed access to your account). A solo former-friend couldn’t backstab you.

You also don’t want to require 100%, because a friend might become unavailable (they forget their password, they go on vacation, they stop being your friend, they die, etc.), which would make it impossible to reset your password.