1) yes, this can be done, we dont have concrete steps to accomplish this, but if you have an understanding of databases, it should not be to difficult.
You would create a table that had a list of the available security questions. the table should contain an ID column and text column. The text column will be the text of the question.
On the registration page, crate a recordset to return all of the available security questions. Create a select list, make it dynamic to pull the labels from the text column of the recordset and set the value to the ID column of the recordset.
You will also need to add a text field for the user to type their answer.
On the users table, create 2 new columns. the first will be a foreign key relation to the ID column of the questions table the secon will be a text column to hold the answer.
In the Insert record server behavior, set the Foreign key column to get the value from the question select list. Set the answer column to get the value from the answer text field.
2) For this, you can no longer use the Security Assist email Password server behavior.
On the email password page, you need to add a recordset to return all the questions from the question table. A select list that is dynamically populated with the questions recordset, the label is the text column, the value is the ID column. And add a text box for the answer.
You then need to create a lookup recordset to query the users table. Filter the email column on the email form element, the question column on the Question select list and the answer column on the answer text box.
UseUniversal Email to send the email. Set the trigger to the lookup recordset NOT empty. For the To address use the email column from the lookup recordset.
3) security assist does this already. When a user logs in, a session variable is created that contains the ID value from the users table. This ID value is used to filter the records to return records that belong to them. take a look at how the recordset on the profile page is created.
if you are going to store information unique to the user in other tables, just make sure there is a column in the table to create a foreign key relation to the user, and store the session variable value in that column.