“Secret Questions” pose security risk according to Google
New research conducted by Google suggests that the "security questions" utilised by web services are neither secure nor reliable enough to work as an account recovery mechanism.
"What was your first teacher's name?", "what street did you grow up on?" and "what is your favourite food?" are all examples of questions commonly asked by online services in an attempt to verify a user's identity when they have forgotten their password. Despite their prevalence, Google Anti-Abuse Research Lead Elie Bursztein says security questions suffer from a fundamental flaw.
"Their answers are either somewhat secure or easy to remember – but rarely both," wrote Bursztein on Google's Online Security blog.
Google's research showed that easy-to-remember questions could be guessed using common knowledge and publicly available information, or simply because the set of plausible answers is small. The research was conducted by analysing hundreds of millions of secret question and answer combinations used for account recovery claims on Google's services.
According to Google, an attacker would have a 19.7% chance of guessing an English-speaking user's answer to the question "what is your favourite food?" with a single guess. With ten guesses, the likelihood increases to 36.5%.
The research also showed that an attacker would have a 39% chance of correctly guessing a Korean-speaking user's place of birth with just ten attempts, and a 21.3% chance of working out a Spanish-speaker's father's middle name.
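The percentages above are the success rate of an attacker who knows how a population answers a question and tries the most common answers in order. The following added example (not Google's code or data) computes that top-k guess rate over a constructed, invented answer distribution for a hypothetical "favourite food" question, so a service could measure how weak its own question set is before an attacker does.

```python
from collections import Counter
from typing import Iterable, List

# Constructed sample of answers to a hypothetical "favourite food" question.
# The distribution is invented for illustration and is not Google's data.
SAMPLE_ANSWERS: List[str] = (
    ["pizza"] * 20 + ["Sushi"] * 10 + ["pasta"] * 8 + ["tacos"] * 6
    + ["curry"] * 4 + ["steak"] * 2
    + ["lasagne", "pho", "ramen", "paella", "gumbo",
       "biryani", "kimchi", "falafel", "goulash", "haggis"]
)


def normalise(answer: str) -> str:
    """Canonicalise an answer the way a recovery form typically would:
    trim, lower-case and collapse internal whitespace."""
    return " ".join(answer.strip().lower().split())


def top_k_guess_rate(answers: Iterable[str], k: int) -> float:
    """Fraction of accounts an attacker would unlock with at most k guesses
    per account, assuming they guess the k most common answers in order.
    k=1 corresponds to the single-guess figures quoted in the article,
    k=10 to the ten-guess figures."""
    counts = Counter(normalise(a) for a in answers)
    total = sum(counts.values())
    if total == 0 or k <= 0:
        return 0.0
    top = sorted(counts.values(), reverse=True)[:k]
    return sum(top) / total


def guesses_to_cover(answers: Iterable[str], fraction: float) -> int:
    """Smallest number of guesses per account needed to compromise at least
    the given fraction of accounts; a low number flags a question whose
    answer space is too small to be used for recovery."""
    counts = Counter(normalise(a) for a in answers)
    total = sum(counts.values())
    covered = 0
    for k, freq in enumerate(sorted(counts.values(), reverse=True), start=1):
        covered += freq
        if covered / total >= fraction:
            return k
    return len(counts)


if __name__ == "__main__":
    for k in (1, 3, 10):
        print(f"top-{k} guess rate: {top_k_guess_rate(SAMPLE_ANSWERS, k):.1%}")
    print("guesses to cover half the accounts:",
          guesses_to_cover(SAMPLE_ANSWERS, 0.5))
```

On the constructed sample the single most popular answer alone covers a third of accounts and ten guesses cover 90%, which is the "small set of possible answers" failure the article describes; a real deployment would run the same calculation over its own anonymised recovery data.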
A previous study from 2008 found that 16% of users had made the answers to their secret questions publicly available on social media. The same study also showed that 40% of secret questions had very few possible answers, "who is your favourite superhero?" being one example.
Google also found that the harder, more secure questions posed a usability problem.
"It’s not easy to remember where your mother went to elementary school, or what your library card number is," wrote Bursztein. "40% of our English-speaking U.S. users couldn’t recall their secret question answers when they needed to."
"Some of the potentially safest questions – 'what is your library card number?' and 'what is your frequent flyer number?' – have only 22% and 9% recall rates, respectively."
Bursztein dismissed the idea of using two security questions to verify ownership, saying that while it makes it harder for attackers, it also makes it harder for a user to recover their account.
As an alternative to secret questions, Bursztein recommends that online services let users authenticate themselves with a backup code sent by text message or to a secondary email address, saying both are much safer options.
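A backup code is only safer than a secret question if the service generates it unpredictably, stores it so that a database leak does not expose it, and enforces expiry, single use and an attempt limit so that it cannot be guessed the way a "favourite food" answer can. The following added example (not Google's implementation; the class, field names and limits are hypothetical choices) shows one way to issue and verify such a code, leaving the out-of-band delivery to the caller.

```python
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Hypothetical policy values chosen for the example: an 8-digit code is easy to
# type from an SMS, is valid for ten minutes and allows five verification tries.
CODE_ALPHABET = string.digits
CODE_LENGTH = 8
CODE_TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 5


@dataclass
class PendingRecovery:
    code_hash: bytes
    salt: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class RecoveryCodeService:
    """Issues one-time recovery codes and verifies them. The clock is injectable
    so expiry behaviour can be exercised deterministically."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._pending: Dict[str, PendingRecovery] = {}
        self._clock = clock

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        # Only a salted hash is stored, never the plaintext code. With a short
        # numeric code the hash mainly protects against casual exposure of the
        # store; the TTL and attempt limit are the controls that stop guessing.
        return hashlib.sha256(salt + code.encode("utf-8")).digest()

    def issue(self, account_id: str) -> str:
        """Generate a code from the OS CSPRNG and return it so the caller can
        deliver it over the user's verified channel (SMS or secondary email).
        Issuing again replaces any earlier unused code for the account."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self._pending[account_id] = PendingRecovery(
            code_hash=self._hash(code, salt),
            salt=salt,
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, account_id: str, submitted: str) -> bool:
        """Return True once for the correct, unexpired code. Every call counts
        as an attempt; the code is discarded on success, on expiry, or when
        the attempt budget is exhausted."""
        rec = self._pending.get(account_id)
        if rec is None:
            return False
        if self._clock() > rec.expires_at:
            del self._pending[account_id]
            return False
        rec.attempts_left -= 1
        ok = hmac.compare_digest(self._hash(submitted.strip(), rec.salt), rec.code_hash)
        if ok or rec.attempts_left <= 0:
            del self._pending[account_id]
        return ok


if __name__ == "__main__":
    svc = RecoveryCodeService()
    code = svc.issue("demo-user")
    print("deliver out of band:", code)
    print("wrong code accepted?", svc.verify("demo-user", "0" * CODE_LENGTH))
    print("right code accepted?", svc.verify("demo-user", code))
    print("replay accepted?", svc.verify("demo-user", code))
```

The constant-time comparison avoids leaking how many leading digits matched, and verification always consumes an attempt so that an attacker cannot probe indefinitely within the validity window; both properties are what make a random code behave differently from a guessable secret answer.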