What was your first pet's name?
What street did you grow up on?
What is your mother's maiden name?
What city were you born in?
Intended as a convenient and last-ditch workaround for forgotten credentials, security questions that rely on factual data have the unintended consequence of creating an additional attack vector. In addition to providing an additional attack vector if data is compromised, the question forms themselves present a potential hack method.
Despite the red flags raised by security experts (Krebs on Security has been banging this drum for almost a decade) and the National Institute of Standards and Technology removing KBA as a recommended authentication step, online services continue to make it part of their validation processes. For example, USPS expanded its use of knowledge-based authentication in its "Informed Delivery" service -- where scanned images of inbound mail are sent to postal customers -- in late 2017. The IRS will again be requiring KBA for account creation this year.
Massive breaches that are occurring throughout the world are impacting not only the email and hashed passwords of users, but also their security questions and answers. The fundamental limitations of this basic approach to knowledge-based authentication -- that the same questions are frequently used from service to service and that the answers to those questions for a specific individual do not change -- are realities brought to the forefront with high-magnitude breaches.
Although most consumers recognize the need to use unique passwords for each online account, many provide the same, factual responses to security questions. With each email address in the United States connected to 130 online accounts, on average, the risks associated with using the same responses to KBA security questions across multiple accounts are tremendous. Even if Company A maintains best practices by encrypting, hashing and securing the responses to KBA questions, there is a chance that Company B does not. In the instance of a breach of Company B, the data of Company A is at risk... unless additional security checks are in place.
A better route is to extend multi-factor authentication for users. Verifying user email or phone ensures that the user has access to their primary communication method -- which should then be the default resent path for forgotten passwords. By deploying progressive registration -- starting with a basic email & password combination and then gathering additional information as customers make repeat visits to your site or app -- companies open up the opportunity to request a secondary communication channel for additional authentication.