Google: Why 'Security Questions' suck for security

James Delahunty
22 May 2015 0:36

After some really interesting research results, Google is raising awareness about how unreliable "Security Questions" are for legitimate login authentication, password recovery and more.
Providers of Internet services have long asked their users to provide answers to questions about themselves which may be used for identity verification later. Typically, these questions are asked if a login is suspicious (unfamiliar location etc.) or as a layer of a password recovery process.
It turns out that this is an extremely unreliable layer of security. Hundreds of millions of secret question and answer combinations were analysed by Google, with the goal of (among other things) determining how likely it would have been for an attacker to guess the answers correctly.

---

See Also: Android reset flaw affects 500 million+ devices
See Also: Adult Dating Site hacked, sensitive user information leaked

---

One thing Google noted in its research is that answers tend to either be fairly secure while difficult to remember, or easy to remember while being insecure. There isn't much middle ground.
Easy and Insecure vs. Difficult and Secure
Sometimes answers can be guessed very easily. For example, Google found that an attacker had a 19.7 percent chance of answering "What is your favorite food?" correctly if the account holder speaks English. The answer? Pizza!
It also found that in some regions, last names are common and so a "mother's maiden name" could be guessed correctly. Then of course, you have to remember that some information can be found rather easily if the target has a social media account, such as a Pet's name, a city of birth, and so on (assuming the attacker knows the victim's identity well enough).
When it comes to difficult questions, the success rate is simply abysmal. For example, only 22 percent could remember their library card number, and 9 percent could remember their frequent flyer number, when prompted to do so.
The highest success rate came for the questions, "What city were you born in?" and, "What is your father's middle name?", with 79 percent and 74 percent answering correctly, respectively.
What Google recommends to services and users
Firstly, can the "Security Questions" layer be made more secure by simply adding more questions? The answer is no, because the more questions you add, the less likely an account owner will be able to answer them all correctly. For this reason, Google only ever asks one question, and it's the last resort when it has exhausted other means of verification.
Even for questions with a high success rate, there is a significant drop when they are asked together. If users are asked both their city of birth and their father's middle name, only 59 percent will manage to recall both.
The answer instead is to use more reliable forms of identity verification. Google recommends SMS and/or a backup e-mail address to which a unique code can be delivered. Security Questions should never be considered standalone verification of identity.
As for users, Google recommends you make sure your Security Questions across your accounts contain correct information and that you don't make the mistake of giving false answers under the illusion of increased security, given the chance it could backfire later on.

Sources & Recommended Reading:
New Research: Some Tough Questions for 'Security Questions': googleonlinesecurity.blogspot.com (+infographic!)
Paper summarizing Google's findings, presented at WWW 2015: research.google.com