Signing in to a service

Secret answer

A form on a website asking for a 5-digit passcode to login.


Access services by entering secret answers, that only the account owner should know. Passwords, numeric codes or answers to personal questions can all count as a secret.

IF thinks this pattern does not show care for people as they have to remember separate ‘secret answers’ for all the services they use. This means people often make up passwords or numeric codes that are easy to remember and insecure or use the same ones for multiple services. Instead, we recommend using other patterns such as authentication with a magic link or sign-up with another account.


  • People can choose secret answers they find easy to remember.
  • It’s a familiar pattern used in lots of services.


  • People choose secret answers that are easy to remember, often contain personal information and therefore are easy to guess, or find out.
  • People use the same secret answers for different services.
  • Remembering answers can be hard, so people write them down, which reduces security.
  • Forgetting (complicated or obscure) answers can mean being locked out of the service.


  • Most authentication uses a form of secret answer.