
Am reinstalling Windows 10.

Dang. It forces me to provide no less than THREE security questions. I have to choose them among questions like, What was the name of your first pet and What city were you born in.

OK Windows might do this to convince me to use an online account. But it's not just Windows. There are MANY more examples. Last non-Windows example was the game Realm of the Mad God. And one more, perhaps the weirdest example: management account for my ISP (this includes viewing bills).

I fail to see the purpose of such questions. They ask to provide info that is, in the case of most people, easily researchable. (I like to delude myself into thinking it is not in my case, but I wouldn't bet a penny on this). Even if it's not, the answers to such questions are easily brute-forceable (What was your mother's family name? Just check all the most popular family names).

I'm a layperson in terms of security. So I may be wrong. But to my little brain, providing answers to these questions (and hence: asking the users to provide such answers) greatly weakens security instead of strengthening it!

And there come the issues of users who forget the wording of their original answer... Title of your favourite piece of music? Many titles can be stated in many ways. Or forgetting the actual answer... Name of your favorite childhood toy? Did I have one? Or even, the aforementioned favorite piece of music? This can change.

Does this practice improve security in any way? If not, then why do so many websites, so many products, so many companies force their users to provide answers for these questions?

gaazkam

2 Answers


You are essentially correct, they don't really "increase security." They are there to (nominally) increase user convenience in case a password reset is needed, at a cost to over-all security.

If you forget your password, many password reset mechanisms require you to answer these questions as a secondary form of proving it is you. These are a holdover from the days before most of this information was easily available, and assumed to be relatively secret.

If forced to use such a system, and you are concerned about security, you can either enter random garbage even you won't know, and take responsibility that you will never be able to use their password reset feature, but neither will a bad guy. Or, enter some other password or token you will remember, but is not the answer to the question.

Don't use anything sensitive for these fields, as you can assume that unlike passwords, they won't be hashed, and may be visible to Customer Service reps trying to verify you over the phone.

For best practice guidance, NIST declared that security questions should not ask users for specific information such as “What is the name of your pet” in the Digital Authentication Guideline publication SP-800-63B (section 5.1.1.2).

https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret

JesseM
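As an added example (not code from JesseM's answer or from any product mentioned on this page), the block below shows the two sides of what the answer describes: how a service could store security-question answers the way passwords should be stored (salted, slow hash, constant-time compare) rather than in plaintext visible to support staff, with answers normalized so that harmless wording variation does not lock the user out; and a helper that produces the random stand-in answer the answer recommends keeping in a password manager. All function names, the sample answer "Hey Jude!" and the iteration count are my own choices for the demo.

```python
import hashlib
import hmac
import math
import os
import re
import secrets
import unicodedata
from typing import Optional, Tuple

# PBKDF2 iteration count for this demo; a real deployment tunes it to its
# hardware (higher makes each guess, honest or not, proportionally slower).
ITERATIONS = 200_000


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so variation in casing, punctuation and spacing
    ("Hey Jude!" vs "  hey   jude ") still verifies.  This addresses the
    question's worry about forgetting the exact wording, not the low entropy
    of the answer itself."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)  # drop punctuation
    return " ".join(text.split())        # collapse whitespace


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store the answer like a password: random salt plus a slow KDF,
    never the plaintext that a support rep could read back."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate_digest = hash_answer(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)


def random_answer(nbytes: int = 16) -> str:
    """The answer's 'some other password or token you will remember' option:
    a random value kept in a password manager instead of a researchable fact."""
    return secrets.token_urlsafe(nbytes)


def answer_entropy_bits(candidate_pool_size: int) -> float:
    """Rough strength of an answer drawn uniformly from a pool of plausible
    values, e.g. a 'favourite colour' from a couple of dozen common names."""
    return math.log2(candidate_pool_size)


if __name__ == "__main__":
    salt, digest = hash_answer("Hey Jude!")          # constructed sample answer
    print(verify_answer("  hey   jude ", salt, digest))  # True: same answer, sloppier typing
    print(verify_answer("Let It Be", salt, digest))      # False
    # ~20 common colour names vs a 16-byte random token
    print(answer_entropy_bits(20), "bits vs", 16 * 8, "bits")
    print("stand-in answer:", random_answer())
```

The point the numbers make is the one the answer makes in prose: hashing and normalization fix storage and usability problems, but an answer drawn from a pool of twenty plausible values stays at roughly 4 bits of entropy no matter how it is stored, whereas the random token approach gives 128.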

The point of the questions is that people often pick poor passwords that are easily guessable, and to provide another "password" to mitigate this. A better method like sending a text message to a phone number isn't always possible, and means people have to have their phone with them to login.

As you noted, this isn't always done very well, and the answers are sometimes able to be researched, have a very small number of possible answers (like what is your favorite color), or change (what's the name of your youngest child).

Does this practice improve security in any way? If not, then why do so many websites, so many products, so many companies force their users to provide answers for these questions?

If it's done well, it can provide some additional level of security. If done poorly, it provides little or no additional benefit.

Steve Sether

  • I believe this is incorrect. Security questions are usually used as password reset identity tokens when the primary password is lost or forgotten. What you describe as "another password to mitigate" [weak passwords] is two factor auth. – JesseM May 11 '18 at 21:21
  • @JesseM The security questions are used in both ways. The password reset is perhaps more common, but it's certainly used as a second means of authentication. 2 factor is NOT another password, it's another factor in the "something you know, something you have, something you are" view of authentication. Passwords fall into the "something you know" realm, and thus aren't a second factor. – Steve Sether May 12 '18 at 20:20
  • I have never seen this used other than a password reset method. – John Keates May 13 '18 at 23:31
  • @JohnKeates It's often used at banks. – Steve Sether May 14 '18 at 13:08
  • @SteveSether perhaps it's a locality thing, never had it at any bank either – John Keates May 14 '18 at 15:29