Security questions are sometimes offered as an extra layer of protection for web users. Unfortunately, new research shows they aren’t quite as effective as many may hope.
“Our findings, summarized in a paper that we recently presented at WWW 2015, led us to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism,” explained Google Anti-Abuse Research Lead Elie Bursztein and software engineer Ilan Caron in a joint blog post. “That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both.”
The researchers found that common answers shared between many users can pose a risk.
“For example, using a single guess an attacker would have a 19.7% success rate at guessing English-speaking users’ answers for the question ‘Favorite food?’,” according to the paper. “Similarly, with a single guess the attacker would have a 3.8% success rate at guessing Spanish-speaking users’ answers for the question ‘Father’s middle name?’.”
In addition, questions that would be expected to be more secure because each user would have a separate answer are challenged by the fact that people don’t always answer truthfully. For example, the researchers found that with a single guess, an attacker would have a success rate of 4.2 percent at guessing English-speaking users’ answers to the question ‘Frequent flyer number?’. They would also be able to guess 2.4 percent of Russian-speaking users’ phone numbers with a single try.
“Many different users also had identical answers to secret questions that we’d normally expect to be highly secure, such as ‘What’s your phone number?’ or ‘What’s your frequent flyer number?’,” Caron and Bursztein blogged. “We dug into this further and found that 37% of people intentionally provide false answers to their questions thinking this will make them harder to guess. However, this ends up backfiring because people choose the same (false) answers, and actually increase the likelihood that an attacker can break in.”
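The single-guess success rates quoted above are something a site owner can measure on their own question data. As an added example, not code from the paper or the blog post, the Python below computes the k-guess attacker success rate and min-entropy of an answer distribution over constructed samples; the 1% acceptance threshold is an assumption made here, not a figure from the research.

```python
# Added example (not from the Google paper or blog post): measures how guessable
# a secret question's answers are under the attacker model the article quotes,
# an attacker who tries the population's most common answers first.
from collections import Counter
from math import log2


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Pizza ' and 'pizza' count as the same guess."""
    return " ".join(answer.strip().lower().split())


def guess_success_rate(answers, k: int = 1) -> float:
    """Fraction of users compromised with k guesses, assuming the attacker knows
    the answer distribution and tries the k most common answers in order."""
    counts = Counter(normalize(a) for a in answers)
    hits = sum(c for _, c in counts.most_common(k))
    return hits / len(answers)


def min_entropy_bits(answers) -> float:
    """Min-entropy of the answer distribution: -log2(single-guess success).
    A uniformly random 4-digit PIN would score about 13.3 bits."""
    return -log2(guess_success_rate(answers, 1))


def is_acceptable(answers, max_single_guess: float = 0.01) -> bool:
    """Policy check for a question's answer set; the 1% threshold is an
    assumption made for this example, not a figure from the paper."""
    return guess_success_rate(answers, 1) <= max_single_guess


# Constructed sample (not real data): 1000 "Favorite food?" answers where a
# fifth of users, with varying capitalisation, say pizza.
FAVORITE_FOOD = ["pizza"] * 197 + ["Pizza "] * 3 + ["tacos"] * 80 + [
    f"dish-{i}" for i in range(720)]

# Constructed sample: 1000 "Frequent flyer number?" answers. Real numbers are
# unique per user, but 30 users typed the same made-up value instead, which is
# the collision effect the researchers describe for false answers.
FLYER_NUMBERS = ["123456"] * 30 + [f"FF{i:07d}" for i in range(970)]

if __name__ == "__main__":
    for name, data in (("Favorite food?", FAVORITE_FOOD),
                       ("Frequent flyer number?", FLYER_NUMBERS)):
        print(f"{name}: 1 guess {guess_success_rate(data):.1%}, "
              f"3 guesses {guess_success_rate(data, 3):.1%}, "
              f"{min_entropy_bits(data):.1f} bits, acceptable={is_acceptable(data)}")
```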
Another challenge facing users is that it is simply not easy to remember the details required by many of the security questions, the researchers noted. For example, 40 percent of the English-speaking U.S. users in the study couldn’t recall their secret question answers when they needed to. Those same users, however, could recall reset codes sent to them via SMS text message and email 80 percent and nearly 75 percent of the time, respectively.
“For English-speaking users in the US, the easier question, ‘What is your father’s middle name?’ had a success rate of 76% while the potentially safer question ‘What is your first phone number?’ had only a 55% success rate,” Caron and Bursztein blogged.
“Secret questions have long been a staple of authentication and account recovery online,” they added. “But, given these findings, it’s important for users and site owners to think twice about these.”
“We strongly encourage Google users to make sure their Google account recovery information is current,” they continued. “You can do this quickly and easily with our Security Checkup. For years, we’ve only used security questions for account recovery as a last resort when SMS text or back-up email addresses don’t work and we will never use these as stand-alone proof of account ownership. In parallel, site owners should use other methods of authentication, such as backup codes sent via SMS text or secondary email addresses, to authenticate their users and help them regain access to their accounts. These are both safer, and offer a better user experience.”