Remember that they aren't entering a secret question, they are entering a secret answer that is associated with their email address. I need their email address so that I can retrieve the secret question from their profile in the database in order to prompt them for their secret answer.
I like the idea of validating all three things at once (email address, secret question, and secret answer), but how will they know the secret question they selected when they set up their profile at the same time they are supplying their email address? That's the part I must be missing, since it seems that I'd have to validate their email address in order to retrieve their secret question from the database for that email address and then display it to them so that they could enter their secret answer. I'm only validating against their email address and secret answer; the secret question is required as a reminder for their secret answer.
The assumption that a secret question and answer can be easily guessed isn't correct. Although I gave an example such as "What is the name of your favorite pet?" (which is not necessarily an easy-to-guess question), our questions are actually a lot more stringent than that. We are dealing with secret questions that have to do with billing account number, customerID numbers, etc. That info is considered to be proprietary info that is not supposed to be accessible outside of our company and theirs.
By the way, it's about security more than anything else when it comes to requesting a password. They won't be jumping through hoops all the time, just when they forget their password. If you want to see an example of complexity, log into your PayPal account if you have one and click on "Forgot password". We are doing something somewhat similar.
P.S. Thanks for bearing with me on this. I didn't want to get into the details too much due to an NDA, but I can tell you more in a private email if you'd like a better understanding of what we are running into.
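The two-step flow described in the post (email lookup returns the stored secret question, then email plus secret answer are validated together), as an added example that is not the poster's code. It assumes a hypothetical in-memory `PROFILES` table standing in for the database, stores only a salted PBKDF2 hash of the answer rather than the answer itself, and locks the account after `MAX_ATTEMPTS` wrong answers.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the profile table in the poster's database.
# Secret answers are never kept in clear text: only a per-user salt and a hash.
PROFILES = {}
MAX_ATTEMPTS = 5  # assumed lockout threshold for wrong answers


def _normalize(answer):
    # Case and whitespace differences should not lock a legitimate user out.
    return " ".join(answer.strip().lower().split())


def _hash_answer(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 200_000)


def enroll(email, question, answer):
    """Profile setup: the user picks a secret question and supplies the answer."""
    salt = secrets.token_bytes(16)
    PROFILES[email.lower()] = {
        "question": question,
        "salt": salt,
        "answer_hash": _hash_answer(answer, salt),
        "failed": 0,
    }


def secret_question_for(email):
    """Step 1: look the email up and return the secret question to display."""
    profile = PROFILES.get(email.lower())
    return profile["question"] if profile else None


def verify_secret_answer(email, answer):
    """Step 2: validate email and secret answer together, with lockout."""
    profile = PROFILES.get(email.lower())
    if profile is None or profile["failed"] >= MAX_ATTEMPTS:
        return False
    candidate = _hash_answer(answer, profile["salt"])
    # Constant-time comparison so response timing does not leak how close a guess was.
    if hmac.compare_digest(candidate, profile["answer_hash"]):
        profile["failed"] = 0
        return True
    profile["failed"] += 1
    return False
```

Because step 1 must reveal whether an email is enrolled before the answer is checked, that lookup endpoint should be rate-limited independently of the answer lockout.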