When customer has secure device challenge-response authentication in addition with email notification is enough. Mother's maiden name or equivalent does not give any additional security. With bare userid/passwd authentication situation is different.
so why is IB the only financial institution (I know of) that has security set up this way? In any bank a security consists at maximum of username/password/STP.
That was then.... I'll agree it is a pain in the ass and the deadline window is absurd. "Times are a chang'n".