Future Tense

Your Online Security Questions Probably Aren’t Doing Enough

Security questions are just onerous.

Graphic from Google

Setting up a new online account often involves choosing and answering security questions. Where did your parents meet? What was the name of your first pet? And the classic: What is your mother’s maiden name? You’ve probably experienced how annoying these questions can be. Either your answers seem pretty easy to figure out or you choose questions whose answers are too tough for you to remember. A new study from Google shows that—surprise!—this tension is exactly what makes security questions problematic.

Researchers analyzed hundreds of millions of security questions and answers from millions of Google account recovery attempts. (Your personal data at work!) They found that answers are often pretty easily guessable but that when a service asks multiple questions to strengthen security, users are less likely to successfully recover their accounts.

For example, attackers could answer “What is your favorite food?” in one try 19.7 percent of the time. (Pizza, duh.) But with a stronger question like “What is your first phone number?”, users could only successfully recall their chosen answer 55 percent of the time.

With a number of questions, like “What is your father’s middle name?” for Spanish speakers, the researchers also calculated how likely an attacker would be to guess the answer after 10 tries (21 percent chance in that case). Many websites limit the number of tries to three or four to try to eliminate this extensive guessing from a bad actor. But that doesn’t mean the same attacker couldn’t continue guessing on a different account that asks the same security question.

“Secret questions have long been a staple of authentication and account recovery online. But, given these findings its important for users and site owners to think twice about these,” the researchers wrote. They suggest that site owners implement other recovery approaches, like authenticating through a secondary email address or texting codes to a cellphone.

Security questions aren’t useless, but you probably already knew intuitively that they had drawbacks. It’s nice to see some research back that up.