Security Questions Not So Secure

The Internet knows a lot about you, including your mother’s maiden name, your favorite food, and what street your first pet grew up on. And, according to some new research from Google, attackers have a good chance of figuring those things out pretty easily, too.

The security questions that Google and other companies ask users as part of account-recovery operations are seen by both security experts and users as more of an annoyance than a safeguard. Some of the information in the answers to these questions is relatively easy to find, through social media profiles and other places. And some of it is fairly easy to guess.

Google researchers put together a new paper that illustrates just how easy this process is for attackers, and by extension, the limited value of security questions. For example, Google found that with just one attempt an attacker could guess an English-speaking user’s favorite food 19.7 percent of the time. Within 10 attempts an attacker would have a 43 percent chance of guessing a Korean-speaking user’s favorite food.

Google’s research is based on hundreds of millions of security questions answered by users during the course of millions of account-recovery attempts, and what the researchers found is that questions with easy-to-remember answers aren’t secure and questions with difficult-to-remember answers aren’t useful. The company also discovered that some tactics users employ to make their answers more difficult for attackers to guess aren’t effective.

“Many different users also had identical answers to secret questions that we’d normally expect to be highly secure, such as ‘What’s your phone number?’ or ‘What’s your frequent flyer number?’. We dug into this further and found that 37% of people intentionally provide false answers to their questions thinking this will make them harder to guess. However, this ends up backfiring because people choose the same (false) answers, and actually increase the likelihood that an attacker can break in,” Elie Bursztein, Google’s Anti-Abuse Research Lead, and Ilan Caron, software engineer, wrote in an analysis of the data the research produced.

The company’s research also revealed that 40 percent of English-speaking users couldn’t remember their secret question’s answer when they needed to. People aren’t great at this kind of thing, and adding more complexity to the process only makes things worse.

“According to our data, the ‘easiest’ question and answer is ‘What city were you born in?’—users recall this answer more than 79% of the time. The second easiest example is ‘What is your father’s middle name?’, remembered by users 74% of the time. If an attacker had ten guesses, they’d have a 6.9% and 14.6% chance of guessing correct answers for these questions, respectively,” the Google analysis says.

“But, when users had to answer both together, the spread between the security and usability of secret questions becomes increasingly stark. The probability that an attacker could get both answers in ten guesses is 1%, but users will recall both answers only 59% of the time. Piling on more secret questions makes it more difficult for users to recover their accounts and is not a good solution, as a result.”

Some Web services are moving to the use of one-time codes sent via text as a part of the account-recovery process, which is a smoother and easier method.

Suggested articles