but security question should not be part of token based auth