Authentication Designers: Don’t do security questions

PSA: Dear Authentication Service Designers, don’t do security questions, especially if support can read them.
No one wants to give away private information that can potentially be used to “hack” other accounts that also have security questions (and answers).
The name of my first pet? How often have I answered that? The NSA knows the answer to that question for sure 😉

So every time I give away one piece of “information only I should know” I weaken my own security, and you, authentication designers, weaken the security of your users.
But maybe that’s what you want anyway.
