
Security Questions Don’t Offer as Much Protection as Web Users May Hope: Research

Security questions are sometimes offered as an extra layer of protection for web users. Unfortunately new research shows they aren’t quite as effective as many may hope.

“Our findings, summarized in a paper that we recently presented at WWW 2015, led us to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism,” explained Google Anti-Abuse Research Lead Elie Bursztein and software engineer Ilan Caron in a joint blog post. “That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both.”

The researchers found that answers shared by many users are a risk in themselves: an attacker who simply tries the most popular answer to a question succeeds against a measurable fraction of accounts with a single guess.

“For example, using a single guess an attacker would have a 19.7% success rate at guessing English-speaking users’ answers for the question ‘Favorite food?’,” according to the paper. “Similarly, with a single guess the attacker would have a 3.8% success rate at guessing Spanish-speaking users’ answers for the question ‘Father’s middle name?’.”

In addition, questions that should be more secure because every user ought to have a distinct answer are undermined by the fact that people don’t always answer truthfully. For example, the researchers found that with a single guess an attacker would have a 4.2 percent success rate at guessing English-speaking users’ answers to the question ‘Frequent flyer number?’. The attacker would also be able to guess 2.4 percent of Russian-speaking users’ phone numbers with a single try.

“Many different users also had identical answers to secret questions that we’d normally expect to be highly secure, such as ‘What’s your phone number?’ or ‘What’s your frequent flyer number?’,” Caron and Bursztein blogged. “We dug into this further and found that 37% of people intentionally provide false answers to their questions thinking this will make them harder to guess. However, this ends up backfiring because people choose the same (false) answers, and actually increase the likelihood that an attacker can break in.”
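The attack the researchers are measuring is a statistical one: the attacker does not need to know anything about the victim, only the distribution of answers across the user population, and tries the most popular answers first. The following added example (not code from the paper or from Google) computes that single-guess and k-guess success rate over a constructed answer set, and shows how a handful of users giving the same fake phone number turns a question that should be unguessable into one an attacker can hit with one try. The datasets, the normalisation rule (lower-case, trimmed) and the `guess_success_rate` / `min_entropy_bits` helper names are all assumptions made for the illustration.

```python
from collections import Counter
from math import log2


def normalize(answer: str) -> str:
    """Collapse case and surrounding whitespace, as a recovery form would
    before comparing (assumption: the target site normalises this way)."""
    return answer.strip().lower()


def top_guesses(answers: list[str], k: int) -> list[str]:
    """The attacker's guess list: the k most common answers in the population."""
    counts = Counter(normalize(a) for a in answers)
    return [value for value, _ in counts.most_common(k)]


def guess_success_rate(answers: list[str], k: int) -> float:
    """Fraction of users whose answer is among the attacker's top-k guesses,
    i.e. the success rate of a population-statistics attack with k tries."""
    counts = Counter(normalize(a) for a in answers)
    hits = sum(count for _, count in counts.most_common(k))
    return hits / len(answers)


def min_entropy_bits(answers: list[str]) -> float:
    """Min-entropy of the answer distribution: -log2 of the single-guess
    success rate. Lower means easier to guess."""
    return -log2(guess_success_rate(answers, 1))


# Constructed sample populations of 50 users each (not the paper's data).
# "Favorite food": a few popular answers dominate; note the casing variants
# that normalisation folds together.
FAVORITE_FOOD = (
    ["pizza"] * 17 + ["Pizza"] * 2 + ["pizza "]
    + ["sushi"] * 8 + ["pasta"] * 6 + ["tacos"] * 4
    + ["curry", "steak", "ramen", "salad", "bread", "chili",
       "soup", "eggs", "rice", "fish", "cake", "pie"]
)

# "First phone number" where 14 of 50 users gave a deliberate fake answer.
PHONE_NUMBER_WITH_FAKES = (
    ["1234567890"] * 10 + ["0000000000"] * 4
    + [f"555{n:07d}" for n in range(36)]
)

# Same question if every user had answered truthfully with a distinct number.
PHONE_NUMBER_TRUTHFUL = [f"555{n:07d}" for n in range(50)]


def report(label: str, answers: list[str]) -> None:
    print(f"{label:32s} 1 guess: {guess_success_rate(answers, 1):5.1%}  "
          f"3 guesses: {guess_success_rate(answers, 3):5.1%}  "
          f"10 guesses: {guess_success_rate(answers, 10):5.1%}  "
          f"min-entropy: {min_entropy_bits(answers):4.1f} bits  "
          f"top guess: {top_guesses(answers, 1)[0]!r}")


if __name__ == "__main__":
    report("Favorite food?", FAVORITE_FOOD)
    report("First phone number? (fakes)", PHONE_NUMBER_WITH_FAKES)
    report("First phone number? (truthful)", PHONE_NUMBER_TRUTHFUL)
```

On this constructed data the "secure-looking" phone-number question is hit 20% of the time with a single guess once a quarter of users have substituted the same two fake numbers, versus 2% when everyone answers truthfully, which is the mechanism behind the paper's observation that fake answers backfire. A recovery flow that allows even three attempts before locking out a user should be evaluated with `guess_success_rate(answers, 3)`, not the single-guess figure.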

Security questions also fail on reliability: users often cannot remember the details many of the questions ask for, the researchers noted. For example, 40 percent of the English-speaking U.S. users in the study couldn’t recall their secret question answers when they needed to. Those same users, however, could successfully use reset codes sent to them via SMS text message and email 80 percent and nearly 75 percent of the time, respectively.

“For English-speaking users in the US the easier question, “What is your father’s middle name?” had a success rate of 76% while the potentially safer question “What is your first phone number?” had only a 55% success rate,” Caron and Bursztein blogged.

“Secret questions have long been a staple of authentication and account recovery online,” they added. “But, given these findings it’s important for users and site owners to think twice about these.”

“We strongly encourage Google users to make sure their Google account recovery information is current,” they continued. “You can do this quickly and easily with our Security Checkup. For years, we’ve only used security questions for account recovery as a last resort when SMS text or back-up email addresses don’t work and we will never use these as stand-alone proof of account ownership. In parallel, site owners should use other methods of authentication, such as backup codes sent via SMS text or secondary email addresses, to authenticate their users and help them regain access to their accounts. These are both safer, and offer a better user experience.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
