Being able to say whether you like whale watching, country music and going to bookstores is a more secure way to verify your identity than giving your mother’s maiden name, according to the SigCHI 2008 paper “Love and Authentication”. Many so-called security questions ask for information that is a matter of public record, such as your mother’s maiden name or your city of birth. Markus Jakobsson, Erik Stolterman, Susanne Wetzel, and Liu Yang have looked at the kinds of questions you might answer for a match-making site, whose answers, taken as a collection, are unique to you and are quite hard to guess, even for folks who know you well. “When subsets with at least 16 questions are used, the resulting error rates are tolerable, and for subsets of size 24 or greater they are very low.”
I think it would be awkward to ask someone to fill out such a long form when they register for a site, but it would be intriguing if it could be somehow connected to the purpose of the site. For some applications, this could make registration more fun and more secure.
More info at www.i-forgot-my-password.com.