Security questions are a terrible way to do security.
http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html

Please remove them from the Mojang account system or at least provide a secure alternative such as 2-factor authentication. Security questions are too easy to guess through common knowledge or even to brute force. Google provides some nice open source code that you can use.

https://code.google.com/p/google-authenticator/

Sample: http://blog.tinisles.com/2011/10/google-authenticator-one-time-password-algorithm-in-javascript/