A study recently published by Google suggests that security questions are actually not much good at protecting user accounts, quite the contrary: the easier answers can be guessed with little effort even by an amateur hacker, while the complicated ones are very difficult to remember.
Google conducted an extensive study during which hundreds of millions of questions and answers were analyzed. The conclusion was that “secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.”
Apparently, people who use security questions to help them recover their accounts are faced with one of two undesired outcomes. Either the private information can be easily exposed – when the question is too easy to answer – or users are unable to regain access to their own accounts – when the answer is so complicated that not even they can remember it.
Google offered plenty of statistics to support their findings. For instance, pizza is one of the likely answers to the facile “What is your favorite food?” question, as it was chosen by about 20 percent of the subjects in the study. Results don’t show much promise when it comes to other similar questions.
For instance, if an attacker is persistent enough to try at least ten times, there is a very high chance of guessing the correct answer in most situations: your first teacher’s name will be guessed 24 percent of the time, while your father’s middle name can be exposed in 21 percent of the cases. The matter gets even more complicated when the answer is public knowledge, such as your city of birth.
Google then tried to solve the dilemma by determining if security questions are more effective when coupled together. If two easy questions were to be used instead of a single one, the exposure risk would decrease dramatically, and attackers would be able to breach the accounts in only 1 percent of the cases. However, the procedure would get so complicated that not even the users themselves would be able to successfully recover their accounts.
The study showed that the recall rate of a single simple answer is relatively high, as almost 80 percent of Google users remember their answers without much trouble. The same thing does not apply when they are asked to answer two different questions. Google suggests that the user recall rate for multiple questions is just over 50 percent, which pretty much renders security questions useless.
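To make the ten-guess metric and the two-question trade-off concrete, here is a small model written for this article (it is not Google's code, and the answer populations are constructed for illustration, not taken from the study): an attacker's success rate with k guesses is simply the share of users whose answer falls among the k most common answers, and combining questions multiplies both exposure and recall, assuming the answers are independent.

```python
from collections import Counter
from typing import Dict, Iterable, List


def population(common: Dict[str, int], size: int, filler: str) -> List[str]:
    """Build a constructed answer population: the given common answers plus
    enough unique filler answers to reach `size` users."""
    answers = [a for a, n in common.items() for _ in range(n)]
    answers += [f"{filler}{i}" for i in range(size - len(answers))]
    return answers


def top_k_exposure(answers: Iterable[str], k: int = 10) -> float:
    """Fraction of accounts opened by an attacker who tries the k most
    common answers in the population (the article's 'ten guesses' figure).
    Answers are normalised so 'Pizza' and 'pizza ' count as the same guess."""
    counts = Counter(a.strip().lower() for a in answers)
    total = sum(counts.values())
    return sum(n for _, n in counts.most_common(k)) / total


def combined(rates: Iterable[float]) -> float:
    """Probability that every question succeeds at once. Used both for
    exposure (attacker must guess all answers) and recall (user must
    remember all answers). Assumes independence, which is an assumption of
    this model, not a finding of the study."""
    p = 1.0
    for r in rates:
        p *= r
    return p


# Constructed populations of 1000 users each, labelled as such.
FOOD = population({"pizza": 200, "pasta": 40, "sushi": 30, "tacos": 25,
                   "burger": 20, "steak": 15, "chicken": 12, "salad": 10,
                   "curry": 8, "ramen": 6}, 1000, "dish")
NAME = population({"james": 60, "lee": 40, "michael": 30, "john": 25,
                   "robert": 20, "william": 15, "joseph": 10, "thomas": 8,
                   "david": 6, "charles": 4}, 1000, "name")

if __name__ == "__main__":
    food, name = top_k_exposure(FOOD), top_k_exposure(NAME)
    print(f"favourite food, 10 guesses: {food:.1%}")   # 36.6%
    print(f"middle name, 10 guesses:    {name:.1%}")   # 21.8%
    print(f"both questions, exposure:   {combined([food, name]):.1%}")
    print(f"both questions, recall:     {combined([0.8, 0.8]):.1%}")
```

The independent-recall figure of 64 percent is higher than the roughly 50 percent Google measured for two questions, so the model is optimistic on the recall side; it is only meant to show why the two curves move in the same direction.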
So, if it’s easy, then it’s easy for everyone. If things get complicated, then you might find yourself locked out of your own account. Security questions will probably become a thing of the past soon, as there are more effective ways of protecting data currently available. Take, for instance, a fingerprint scanner. Or simply add a PIN. It may not be much, but it’s way easier to remember.
Image Source: Perimeter USA