Security Questions provides administrator-configurable challenge questions for use during the log in and password reset processes. Think of it like most bank website logins.

Log In Process

If enabled, depending on the selected protection mode, the log in form is altered in one of two ways:

  1. To show just the username field and a submit button. Once a user enters their username, the module searches for their account and randomly brings back one of their security questions. They then need to provide the answer to the question as well as their password for authentication.
  2. To show both the username and password fields up front, then after validating the supplied username and password, the user is prompted with a randomly selected question they have answered.
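
The two protection modes above, modelled as an added example; this is not the module's own code, which this page does not show. The account store, the mode names "before" and "after", the function names and the answer normalisation are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SALT = b"constructed-salt"  # constructed; a real store uses a per-user random salt

def _kdf(text):
    return hashlib.pbkdf2_hmac("sha256", text.encode(), SALT, 100_000)

# Constructed sample account; the user, questions and answers are hypothetical.
USERS = {"alice": {
    "password": _kdf("correct horse"),
    # Assumption: answers are trimmed and lower-cased before hashing.
    "answers": {"First pet?": _kdf("rex"), "Birth city?": _kdf("oslo")},
}}

def check_password(username, password):
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(user["password"], _kdf(password))

def check_answer(username, question, answer):
    stored = USERS.get(username, {}).get("answers", {}).get(question)
    return stored is not None and hmac.compare_digest(stored, _kdf(answer.strip().lower()))

def pick_question(username, rng=secrets.SystemRandom()):
    """Randomly select one of the questions the user has answered."""
    user = USERS.get(username)
    return rng.choice(sorted(user["answers"])) if user else None

def login(mode, username, password, answer_for):
    """Return (authenticated, question_shown).

    mode "before": the question is shown after the username alone (way 1).
    mode "after":  the password is validated first, then the question (way 2).
    answer_for is a callback standing in for the user typing an answer.
    """
    if mode == "after" and not check_password(username, password):
        return False, None  # no question is revealed without a valid password
    question = pick_question(username)
    if question is None:
        return False, None
    # In mode "before" the question has already been displayed at this point,
    # so anyone who knows the username sees one of the account's questions.
    answer_ok = check_answer(username, question, answer_for(question))
    password_ok = check_password(username, password)
    # Both checks run before combining, so the result does not say which failed.
    return answer_ok and password_ok, question
```

The second element of the return value is what distinguishes the modes: with a wrong password, "after" shows no question, while "before" has already shown one.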

Password Reset Process

If enabled, the user is required to answer a question before the password reset process can continue.

The user registration form also gets a fieldset of questions so that the user can pick which question they want to answer, and a textbox for their answer.

Once logged in, the user will see a tab on their account page called "Security Questions." This page lists the questions that they have chosen to answer, and provides a link for them to edit their answer.


  • Admin configurable questions
  • User supplied answers
  • Option to allow user supplied questions
  • Option to have questions before or after username & password verification
  • Bypass-able by permission
  • Challenge on lost password request
  • Configurable cookies to show or hide the questions
  • Feature requests are accepted. Just post in the issue queue


  • The D7 version has no outside dependencies.
  • The D6 version depends on ctools for the user supplied questions feature (dependent fields).


The 7.x-1.x/6.x-1.x branches of Security Questions are now bug fixes only. All new feature requests will be added to the 7.x-2.x/6.x-2.x branches.

Other Modules

Riddler is a submodule of Captcha and therefore requires it. Security Questions has no external dependencies, and only works on the log in / register forms. In addition, Riddler uses admin-configured question and answer pairs. Security Questions lets the admin come up with questions, and then lets the users submit their own answer to the question.
