Signing up for insurance on the new health-care marketplaces can be challenging enough without having to remember your high-school mascot. Or your favorite childhood superhero, the manager at your first job or the street you lived on in third grade.
Those are just some of the security questions being offered to shoppers on the state and federal exchange sites as a way to verify their identities—and they are leaving some would-be customers flummoxed.
"I don't think they took baby boomers into account when they invented those questions," says Margo Benge, a 58-year-old massage therapist in Missouri City, Texas, who gave up trying to use the federal exchange when she was able to answer only two of the 12 questions offered, not the required three. "I barely remember two weeks ago, let alone childhood," she says.
V.J. Sleight couldn't find the requisite five questions to answer among the 30 offered by California's health exchange, which included "what is your significant other's favorite color?" "what is your youngest child's birth weight?" and "what color was your first bicycle?"
"I don't have a significant other. I don't have kids, and I can't remember that far back," she says. A self-employed breast-cancer survivor who has been eagerly waiting the chance to buy affordable insurance, Ms. Sleight abandoned the website and mailed in a paper application instead.
Banks, utilities and credit-card companies have used security questions to verify customers' identities for decades. One Baltimore savings bank asked depositors for their mother's maiden name to guard against unauthorized withdrawals in 1906.
Their use has exploded on the Internet, where retailers, browsers and storage sites often employ them as an inexpensive way to assist customers who forget their passwords.
As the questions became more familiar and more hackable, security experts have added multiple queries and increasingly turned to more personal—even existential—topics. (Among Citibank's online banking options: "If you could control your height, how tall would you be?")
Still, the volume and variety of security questions on the new health exchanges are catching some users off-guard.
Aaron Lerch, a software engineer in Indianapolis, selected "type a significant date in your life" as one of his three choices on the federal exchange and supplied his wedding anniversary—and was told "this is not a valid answer." He eventually realized he had written the date with an unauthorized slash.
Residents in the 36 states that use the federal exchange at HealthCare.gov all get the same 12 questions, from which they must pick three.
The 14 states that are operating their own exchanges supplied their own sets—with considerable diversity.
Among California's 30 choices: "What color was your first cat?" and "If you needed a new first name, what would it be?" New York's 19 options include "what is your favorite fruit or vegetable?" and "what band poster did you have on your wall in high school?"
Connecticut's 39 choices include "how many bones have you broken?" and "where were you when you had your first kiss?"
"I'd love to be able say we hired a professional comedian to come up with those, but that's not the case," says Jim Wadleigh, chief information officer of the Connecticut exchange, Access Health CT. Instead, he says, the site uses the same questions as the state's department of social services.
Some information experts have long warned that security questions are far from secure—particularly with so many people posting the names of their children, pets, schools, hometowns, favorite books, favorite bands and other personal information on social-networking sites.
In 2005, a hacker got into Paris Hilton's mobile phone account by supplying the name of her ubiquitous Teacup Chihuahua ("Tinkerbell"). Three years later, vice-presidential candidate Sarah Palin's Yahoo account was breached by a college student who said he found her birth date on Wikipedia and guessed where she met her spouse in just a few tries.
"There really are no good security questions," says Garry Scoville, who nevertheless runs the website goodsecurityquestions.com. To be even moderately secure, he says security questions should have answers that are safe (not easily guessed or researched); stable (not likely to change over time); memorable (so that users don't forget their own answers) and simple (to avoid multiple right answers that may be easy to confuse years later).
Mr. Scoville's site lists nearly 100 common security questions, rated "good," "fair and "poor." Many of the questions used on the new health exchanges are there, in all three categories.
Even "Where did you meet your spouse?" can be a trick question, says Katie Cunningham, a Web designer in Woodbridge, Va. "Whenever I see that, I have to step back and think, when did I fill this out? I've been married twice…oh man."
Studies have found that spouses, friends and other relatives were able to guess the answers to security questions more than 30% of the time—and that more than 20% of users forgot their own answers within three months.
Some people try thwarting guessers by supplying silly, random or completely fabricated answers to security questions (Mother's maiden name: Fgbt56#). But remembering such answers is hard, prompting some to write them down "on that sticky note on the side of their computer that says what your password is," defeating the purpose, says Bruce Marshall, founder of the website passwordresearch.com.
Officials at the government agency that runs the federal exchanges didn't respond to requests for comment. Officials in California and New York also didn't respond to requests for comment.
Some users say the "Live Chat" function on the exchanges has been equally unresponsive.
Ms. Benge, the massage therapist, says she tried explaining to the operator that she couldn't answer three questions because she didn't have a niece, didn't listen to the radio, didn't have a favorite cuisine and didn't know her parents' wedding anniversary.
The response was "if you come back later, there will only be one or two questions," she says. But when Ms. Benge tried again, there were still three.
Write to Melinda Beck at HealthJournal@wsj.com
- security questions