Australian government urges holidaymakers to kill two-factor auth

relmasian

Backup questions in the same channel can be almost as good as two factor using a second channel (e.g. cell phone), especially if the site you are accessing pretends the correct password you first enter is bad and if there are several backup questions the site can randomly pick. Moreover, the site can even pretend a bad password is good while providing garbage information. Normal users just have to be informed they might have to log in again if they get garbage. The underlying idea of both tactics above is to make a hacked entry hard to repeat and to make hacked information untrustworthy.
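The login flow the comment above describes, sketched as an added example that is not part of the original comment or of any site's code. The `DeceptiveLogin` class, the sample account and the exact step order (false rejection, then one random question, then real or garbage data) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample account; every name and value here is illustrative.
USERS = {"alice": {
    "password": "correct horse",
    "questions": {"first pet": "rex", "birth city": "perth", "first car": "mini"},
    "data": "balance=1200",
}}

def same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

class DeceptiveLogin:
    def __init__(self, users, rng=None):
        self.users = users
        self.rng = rng or secrets.SystemRandom()
        self.state = {}  # user -> "retry" or the backup question currently asked

    def decoy(self, user):
        # Garbage record derived from the user name, not from any real data.
        return "balance=" + str(int(hashlib.sha256(user.encode()).hexdigest()[:4], 16))

    def login(self, user, password, answer=None):
        acct = self.users.get(user)
        if acct is None or not same(password, acct["password"]):
            # Wrong password: look successful, serve garbage.
            return {"status": "ok", "data": self.decoy(user)}
        step = self.state.get(user)
        if step is None:
            # First correct password: claim it was wrong.
            self.state[user] = "retry"
            return {"status": "bad password"}
        if step == "retry" or answer is None:
            # Repeat entry: ask one randomly chosen backup question and keep
            # asking the same one until it is answered.
            if step == "retry":
                self.state[user] = self.rng.choice(sorted(acct["questions"]))
            return {"status": "question", "question": self.state[user]}
        del self.state[user]  # one answer per challenge; the next login starts over
        if same(answer.strip().lower(), acct["questions"][step]):
            return {"status": "ok", "data": acct["data"]}
        # Wrong answer: same "ok" response shape, garbage content.
        return {"status": "ok", "data": self.decoy(user)}
```

A wrong password and a wrong backup answer both produce the same response shape as a real login, so a caller cannot tell from the status alone which data it received.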
