Security Questions Don’t Offer as Much Protection as Web Users May Hope: Research

Security questions are sometimes offered as an extra layer of protection for web users. Unfortunately new research shows they aren’t quite as effective as many may hope.

“Our findings, summarized in a paper that we recently presented at WWW 2015, led us to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism,” explained Google Anti-Abuse Research Lead Elie Bursztein and software engineer Ilan Caron in a joint blog post. “That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both.”

The researchers found that common answers shared between many users can pose a risk.

“For example, using a single guess an attacker would have a 19.7% success rate at guessing English-speaking users’ answers for the question ‘Favorite food?’,” according to the paper. “Similarly, with a single guess the attacker would have a 3.8% success rate at guessing Spanish-speaking users’ answers for the question ‘Father’s middle name?’.”

In addition, questions that would be expected to be more secure because each user should have a unique answer are undermined by the fact that people don’t always answer truthfully. For example, the researchers found that with a single guess, an attacker would have a success rate of 4.2 percent at guessing English-speaking users’ answers to the question ‘Frequent flyer number?’. They would also be able to guess 2.4 percent of Russian-speaking users’ phone numbers with a single try.

“Many different users also had identical answers to secret questions that we’d normally expect to be highly secure, such as ‘What’s your phone number?’ or ‘What’s your frequent flyer number?’,” Caron and Bursztein blogged. “We dug into this further and found that 37% of people intentionally provide false answers to their questions thinking this will make them harder to guess. However, this ends up backfiring because people choose the same (false) answers, and actually increase the likelihood that an attacker can break in.”
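The single-guess success rates quoted above are simply the share of users who gave the most popular answer, and the "false answer" effect is those fake answers colliding with each other. The following is an added example, not code from the paper or from Google: a small Python tool a site owner could run over their own (anonymised) answer set to measure how guessable a question is. The sample answers are constructed, and the answer normalisation (lowercase, strip non-alphanumerics) is an assumption of this example.

```python
import math
import re
from collections import Counter

# Constructed sample data, not figures from the Google paper: one answer per
# user to two different secret questions.
FAVORITE_FOOD = (["pizza"] * 20 + ["Sushi"] * 8 + ["tacos"] * 6
                 + ["curry", "ramen", "bread", "apple", "pasta", "salad"])
# 100 "phone number" answers: 90 distinct realistic-looking numbers plus
# 10 users who deliberately typed a fake value, in two spellings.
PHONE_TRUTHFUL = [f"555{i:07d}" for i in range(100)]
PHONE_WITH_FAKES = PHONE_TRUTHFUL[:90] + ["000-000-0000"] * 5 + ["0000000000"] * 5


def normalize(answer):
    """Canonicalise an answer before counting (assumed normalisation: lowercase,
    keep only letters and digits) so spelling variants of the same answer are
    treated as identical, which is how a guesser would treat them."""
    return re.sub(r"[^a-z0-9]", "", answer.lower())


def guess_success_rate(answers, guesses=1):
    """Share of users whose answer is among the `guesses` most common ones:
    the success rate of a guesser who tries the most popular answers first.
    With guesses=1 this is the paper's single-guess metric."""
    counts = Counter(normalize(a) for a in answers)
    top = counts.most_common(guesses)
    return sum(c for _, c in top) / len(answers)


def min_entropy_bits(answers):
    """Min-entropy of the answer distribution: -log2(probability of the most
    common answer). This, not Shannon entropy, bounds first-guess risk."""
    counts = Counter(normalize(a) for a in answers)
    return -math.log2(max(counts.values()) / len(answers))


def question_report(label, answers, guesses=(1, 3, 10)):
    """Summarise the guessability of one question for a site owner's review."""
    return {
        "question": label,
        "users": len(answers),
        "min_entropy_bits": round(min_entropy_bits(answers), 2),
        **{f"top{k}_success": round(guess_success_rate(answers, k), 3) for k in guesses},
    }


if __name__ == "__main__":
    for label, data in [("Favorite food?", FAVORITE_FOOD),
                        ("Phone number? (truthful)", PHONE_TRUTHFUL),
                        ("Phone number? (10% fake)", PHONE_WITH_FAKES)]:
        print(question_report(label, data))
```

Running it shows the pattern the researchers describe: the "safe" phone-number question drops from a 1% to a 10% single-guess success rate once a tenth of users pick the same fake value, and its min-entropy falls from about 6.6 bits to about 3.3 bits.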

Another challenge facing users is that it is simply not easy to remember the details required by many of the security questions, the researchers noted. For example, 40 percent of the English-speaking U.S. users in the study couldn’t recall their secret question answers when they needed to. Those same users, however, could recall reset codes sent to them via SMS text message and email 80 percent and nearly 75 percent of the time, respectively.


“For English-speaking users in the US the easier question, ‘What is your father’s middle name?’ had a success rate of 76% while the potentially safer question ‘What is your first phone number?’ had only a 55% success rate,” Caron and Bursztein blogged.

“Secret questions have long been a staple of authentication and account recovery online,” they added. “But, given these findings it’s important for users and site owners to think twice about these.”

“We strongly encourage Google users to make sure their Google account recovery information is current,” they continued. “You can do this quickly and easily with our Security Checkup. For years, we’ve only used security questions for account recovery as a last resort when SMS text or back-up email addresses don’t work and we will never use these as stand-alone proof of account ownership. In parallel, site owners should use other methods of authentication, such as backup codes sent via SMS text or secondary email addresses, to authenticate their users and help them regain access to their accounts. These are both safer, and offer a better user experience.”
