The security questions that many websites ask to help users gain or recover access to online accounts do little to improve security. In fact, they are neither reliable nor secure enough to be used as a standalone authentication mechanism for account recovery purposes, Google said in a new report.
Researchers at the company analyzed hundreds of millions of answers to secret questions that people have provided to Google over the years after forgetting their passwords or being asked to provide additional authentication to gain access to their accounts.
They then set out to see how easy or difficult it would be for malicious actors to guess those answers, and discovered that it is easier than many might assume.
With a single guess, an attacker would have a nearly 20 percent chance of correctly guessing that an average English-speaking user's answer to the security question "What is your favorite food?" is "pizza."
Within about 10 guesses, an attacker would also have a substantial chance of guessing an Arabic-speaking user's first teacher's name, a 21 percent chance of guessing a Spanish-speaking user's father's middle name, a nearly four in 10 chance of guessing a Korean user's city of birth and a 43 percent chance of correctly guessing that user's favorite food.
One problem, according to Google researchers Elie Bursztein and Ilan Caron, is that people often fib when choosing their responses to security questions. A survey of Internet users that Google conducted showed that about 37 percent admitted to providing fake answers to security questions, apparently in a bid to make them harder to guess, the two researchers wrote in the blog post announcing the results of their analysis.
Ironically, this behavior only makes such answers easier to guess, because people in aggregate tend to "harden" their answers in a predictable way, the researchers said. Many users, for instance, had identical answers even to questions that should have produced unique responses, such as "What's your frequent flier number?" That is because, when choosing a fake answer, people gravitate toward the same small set of made-up values, the Google researchers said.
“People intentionally provide false answers to their questions thinking this will make them harder to guess. However this ends up backfiring because people choose the same (false) answers, and actually increase the likelihood that an attacker can break in.”
At the same time, people who chose difficult secret questions had a hard time producing the correct response when they needed it. For example, secret questions like "What's your library card number?" or "What is your frequent flier number?" are generally very hard to guess but had recall rates of just 22 percent and 9 percent respectively, Google said. In contrast, easier questions, like those asking for a parent's middle name, had much higher recall rates.
What the research showed, according to Bursztein and Caron, is that answers to security questions are either somewhat secure or easy to remember, but seldom both.
Asking users to answer more than one question can make it much harder for attackers to break into an account through guesswork, they noted. But it makes things harder for users as well. Most users, for example, have little trouble remembering the city they were born in or their father's middle name. An attacker would have only a 6.9 percent chance of guessing the city of birth and a 14.6 percent chance of guessing the father's middle name within 10 tries, and an even slimmer 1 percent chance (roughly the product of the two) of guessing both when confronted with the two questions at the same time.
But users' ability to remember both answers correctly drops too, from an average of around 75 percent for a single question to about 59 percent for the pair. "Piling on more secret questions makes it more difficult for users to recover their accounts and is not a good solution, as a result," Bursztein and Caron said.
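The attacker model behind the figures quoted above (the single-guess and 10-guess success rates, and the roughly 1 percent chance against two questions combined) is simple to reproduce. The following Python is an added example, not code from Google's study or the researchers' blog post: the answer populations FAVORITE_FOOD, CITY_OF_BIRTH and FREQUENT_FLIER are constructed here to mimic the shapes the article describes (a few dominant real answers, and fake answers that cluster on the same made-up values), and the function names are this example's own. An attacker who knows how a population answers a question and is allowed k attempts simply tries the k most common answers; two independent questions asked together multiply the attacker's odds.

```python
from collections import Counter
from typing import Iterable, Sequence

# Constructed sample (100 users) for "What is your favorite food?".
# One answer dominates, as the article reports for English speakers.
FAVORITE_FOOD = (
    ["pizza"] * 20 + ["chocolate"] * 8 + ["Sushi"] * 6 + ["pasta"] * 5
    + ["tacos"] * 4 + ["steak"] * 3
    + [f"food-{i}" for i in range(54)]      # 54 unique, rarely chosen answers
)

# Constructed sample (100 users) for "What city were you born in?";
# a flatter distribution, so guessing is harder.
CITY_OF_BIRTH = ["seoul"] * 4 + ["busan"] * 3 + [f"city-{i}" for i in range(93)]

# Constructed sample (100 users) for "What is your frequent flier number?".
# The real numbers are unique, but 27 users gave a fake answer and the
# fakes collapse onto three values, which is the behaviour the article
# describes (hypothetical values, not from the survey).
FREQUENT_FLIER = (
    ["123456"] * 12 + ["000000"] * 8 + ["none"] * 7
    + [f"FF{10000 + i}" for i in range(73)]
)


def normalize(answer: str) -> str:
    """Compare answers the way a recovery form would: case- and
    whitespace-insensitively ("Sushi " matches "sushi")."""
    return " ".join(answer.lower().split())


def guess_success(answers: Sequence[str], k: int) -> float:
    """Probability that an attacker who knows the population's answer
    distribution and gets k attempts hits a random user's answer.

    The optimal strategy is to try the k most common answers, so the
    success rate is the combined frequency of the top-k answers."""
    counts = Counter(normalize(a) for a in answers)
    hits = sum(count for _, count in counts.most_common(k))
    return hits / len(answers)


def combined_success(per_question: Iterable[float]) -> float:
    """Success rate when several questions must all be answered, assuming
    the answers are independent: the attacker has to get every one right,
    so the per-question probabilities multiply."""
    p = 1.0
    for q in per_question:
        p *= q
    return p


def most_likely_guesses(answers: Sequence[str], k: int) -> list:
    """The guess list an attacker would actually submit (top-k answers)."""
    counts = Counter(normalize(a) for a in answers)
    return [answer for answer, _ in counts.most_common(k)]


if __name__ == "__main__":
    for name, sample in (("favorite food", FAVORITE_FOOD),
                         ("city of birth", CITY_OF_BIRTH),
                         ("frequent flier number", FREQUENT_FLIER)):
        for k in (1, 3, 10):
            print(f"{name:22s} k={k:2d}: {guess_success(sample, k):.1%}"
                  f"  guesses={most_likely_guesses(sample, k)[:3]}")
    # Two questions together: the article's 6.9% and 14.6% at 10 tries.
    print(f"both questions: {combined_success([0.069, 0.146]):.2%}")
```

The parameter k is exactly what a lockout or rate limit on the recovery form bounds, which is why the article quotes attacker odds at one and at ten guesses rather than for an unlimited attacker. Note also that the frequent-flier sample is "secure" only for the 73 users who answered truthfully: because the fakes cluster, three guesses already cover more than a quarter of the population.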
A more secure approach for website owners may be to use other authentication mechanisms, such as one-time codes sent via SMS or to a secondary email address, they said. "These are both safer, and offer a better user experience," the researchers said.