Eliminating Security Questions for Authentication
Authentication should not use security questions as they can be easily compromised.
Plain language
This control is about stopping the use of security questions to verify someone's identity. These questions, like 'What is your mother's maiden name?', can be easily guessed or found out by others, putting your data at risk. If you keep using them, someone could pretend to be you and access sensitive information or take harmful actions without your knowledge.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Security questions are not used for authentication purposes.
Why it matters
If security questions remain, attackers can guess or obtain answers and reset accounts, causing unauthorised access and data breaches.
Operational notes
Audit authentication and account recovery flows to ensure security questions are removed and no fallback prompts appear in apps or helpdesk scripts.
Implementation tips
- IT manager should review current authentication processes: Start by checking whether any of your systems still rely on security questions for login or account recovery. Identify each system that uses them and document where changes are needed.
- System administrators should disable security questions: Replace security question-based login and account recovery with multi-factor authentication (MFA), which combines something you know (a password) with something you have, such as an authenticator app, a hardware security key or, as a last resort, a confirmation code sent to your phone. Codes sent by SMS are the weakest of these because they can be intercepted or diverted by SIM swapping, so prefer phishing-resistant methods where the system supports them.
- Business owners must liaise with service providers: For any third-party systems that use security questions, contact the vendors to discuss upgrading to more secure authentication methods. Request detailed guidance on how to switch to these stronger security measures.
- HR should educate staff: Ensure all employees know about the change away from security questions and why it's crucial, using clear, non-technical explanations. Regularly remind them of safer practices to keep their accounts secure.
- Communications teams should update your policies and materials: Refresh any documentation or user guides to reflect the removal of security questions. Clearly outline new authentication processes to avoid confusion.
Audit / evidence tips
- Ask for a list of authentication methods: Request documentation showing all methods currently in use for verifying users' identities.
  Good: Will show updated methods such as two-factor authentication, with no mention of security questions.
- Ask for system change logs: Request records showing recent changes to authentication settings. Look to see that security questions have been removed and that two-factor authentication or similar has been added.
  Good: The log will have clear entries showing these updates with relevant dates.
- Ask for a staff communication record: Request evidence that staff have been informed about the change in authentication methods.
  Good: Will have clear messages sent to all employees with explanations of the change.
- Ask for updated security policies: Request the most recent versions of authentication policies. Look to ensure that the policy no longer includes security questions as a method.
  Good: The policy will outline secure methods like two-factor authentication.
- Ask for vendor communication records: Request a record of any communication with third-party vendors about removing security questions.
  Good: Will include emails or letters from vendors confirming the changes and implementation plans.
Cross-framework mappings
How ISM-2076 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Mapping strength: Partially meets (2)

| Control | Notes | Details |
|---|---|---|
| Annex A 5.17 | ISM-2076 prohibits using security questions as an authentication mechanism | |
| Annex A 8.5 | ISM-2076 requires that security questions are not used for authentication purposes | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.