What Can I Use as a Challenge Question?

Using a good challenge question is vital to securing your message. Here's some advice on what to use.


  • Consider your pre-existing knowledge of your client
    Do you know something about them that is not public knowledge? e.g.

    Q – If you decided to leave the UK which city would you choose to emigrate to?
     A - Toronto
  • Think about using information from the last conversation you had with them
    Did you talk about something you could reference? e.g.

    Q - Which shop were you going to after our last meeting?
    A - Boots
  • Consider the option of having a pre-agreed passphrase

    This can be agreed on a per-client or per-communication basis, with the passphrase being conveyed during conversations with your client. Alternatively, a company-wide policy can be decided, creating a phrase to be used across all secure emails sent to clients. However, this is significantly less secure than the per client/communication options.

    e.g. “During the course of your mortgage transaction, there may be times when we need to send information to you that is sensitive in nature. We will be using Mailock secure email to do this, where you will be required to verify your identity by providing the pre-agreed passphrase, which is *********”

  • Consider the circumstances that introduced the client to you and your firm
    Were they referred? Or did they find you through a network? e.g.

    Q - What is the surname of the lady who introduced my services to you?
    A - Middleton
  • Refer to any fact-finding documentation
    As fact-finds have a wealth of personal data, you may be able to find information to use as a potential question. e.g.

    Q - What year did you take out your first mortgage (enter the 4 digit year)
    A - 1991
  • Consider using a quote number/policy number/case number if using a generic inbox
    Use a reference which can easily be looked up, but that isn't publicly known. e.g.

    Q - Please provide the policy number for Mr A Smith DOB010101
    A - AB123456


  • Refer to readily accessible data
    Questions created based on information found on social media posts are not secure. If you can see it, so can everyone else. e.g.

    Q – What is the name of your dog?
  • Ask common-knowledge questions
    Questions should be personal to the recipient, not something which you would find in a pub quiz. e.g.

    Q – Who is the President of the USA
  • Ask a question that could potentially have multiple answers
    Ensuring your question has only a single, firm answer will ensure clients gain access every time. e.g.

    Q – Name one of your previous mortgage providers.


  • Explain what format the answer needs to be in
    When there are multiple ways of entering an answer, such as when asking for a date, provide your client with the required input format. e.g.

    Q – What is the expiry date of your home insurance policy – please use **/**/**?

In summary:

There are no hard and fast rules on how you should write a Q&A. Just aim to make your questions as personal as you can to each client. The rest is up to you!

Your Mailock ‘Trusted Community’

Keep in mind, if your recipient registers for a free 'read and reply' Mailock account they are added to your 'trusted community' of verified users once they have met the authentication challenge.  This means that you will no longer need to issue them identity challenges, although you can do so if you wish.

The easiest way for them to register is to click on the 'Reply' button after they have opened your secure message. Ask your recipient to reply back to you, even if it's just to confirm they've read your message.