Though we mainly see them online these days, security questions predate the Internet by quite a bit. Banks, for example, have commonly used questions like “what is your mother’s maiden name?” since the beginning of the 20th century. There’s a problem though: Google says that despite their widespread use, security questions aren’t actually all that secure.
The main problem with security questions is that they’re either easy to remember or hard to guess, but very rarely both, according to a research paper Google recently presented at WWW 2015.
Google has a unique advantage when it comes to studying this subject, as it has access to a huge amount of data. A team of researchers analyzed “hundreds of millions” of questions and answers that had been used for Google account recovery claims, according to a post on the Google Online Security Blog.
The researchers found that many of the most common questions could be answered correctly within ten guesses simply by trying the most popular answers, with a success rate between 21 and 39 percent depending on the question. With a single guess, an attacker had a nearly 20 percent chance of getting the answer to “what is your favorite food?” right. The usual answer? Pizza.
You may have seen advice that answering security questions with deliberately “wrong” answers is a better tactic, but Google’s researchers found that this often backfired, making the answers easier rather than harder to guess, because many users pick the same fake answers.
The problem is compounded by the fact that answers that are more difficult to guess are also more difficult to remember. The data showed that requiring two different security questions reduced an attacker’s chance of correctly guessing both answers within ten attempts to less than one percent, but users remembered the answers to both questions only 59 percent of the time.
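The guessing metric behind the numbers above, for a single question and for a pair of questions, worked through on constructed data. This is an added example, not code from the paper or from Google; the answer counts are invented for illustration, and the model assumes answers to the two questions are independent and that the attacker knows the population’s answer frequencies.

```python
from collections import Counter
from fractions import Fraction
from heapq import nlargest
from itertools import product

# Constructed toy answer sets (counts invented; not the paper's data).
# Each question gets 100 answers: a few popular ones and a long tail of
# answers that appear only once, the shape the paper describes.
FOOD_COUNTS = {"pizza": 20, "sushi": 5, "pasta": 4, "tacos": 3, "curry": 3,
               "steak": 2, "ramen": 2, "burger": 2, "pho": 1, "chili": 1}
CITY_COUNTS = {"seoul": 15, "busan": 6, "incheon": 4, "daegu": 3, "daejeon": 2}


def expand(counts, tail_size, tail_prefix):
    """Expand {answer: count} into a flat answer list plus `tail_size` unique answers."""
    answers = [a for a, n in counts.items() for _ in range(n)]
    answers += [f"{tail_prefix}-{i}" for i in range(tail_size)]
    return answers


FAVORITE_FOOD = expand(FOOD_COUNTS, 57, "food")  # 43 + 57 = 100 answers
BIRTH_CITY = expand(CITY_COUNTS, 70, "city")     # 30 + 70 = 100 answers


def distribution(answers):
    """Empirical answer distribution {answer: probability}, kept as exact fractions."""
    total = len(answers)
    return {a: Fraction(n, total) for a, n in Counter(answers).items()}


def top_guesses(answers, k):
    """The k answers an attacker should try first: most popular first."""
    dist = distribution(answers)
    return sorted(dist, key=lambda a: dist[a], reverse=True)[:k]


def guess_success(answers, k):
    """Probability that the k most popular answers cover a victim drawn from
    the same population (the k-guess success rate reported in the paper)."""
    probs = sorted(distribution(answers).values(), reverse=True)
    return sum(probs[:k], Fraction(0))


def joint_guess_success(answers_a, answers_b, k):
    """Best k-guess success when both questions must be answered at once,
    assuming independent answers: the attacker submits the k most probable
    (answer_a, answer_b) pairs rather than guessing each question separately."""
    da, db = distribution(answers_a), distribution(answers_b)
    pair_probs = (pa * pb for pa, pb in product(da.values(), db.values()))
    return sum(nlargest(k, pair_probs), Fraction(0))


if __name__ == "__main__":
    for k in (1, 10):
        food = guess_success(FAVORITE_FOOD, k)
        city = guess_success(BIRTH_CITY, k)
        both = joint_guess_success(FAVORITE_FOOD, BIRTH_CITY, k)
        print(f"{k:2d} guesses: food {float(food):.3f}  city {float(city):.3f}  "
              f"both {float(both):.4f}  (product bound {float(food * city):.4f})")
    print("first guesses for food:", top_guesses(FAVORITE_FOOD, 3))
```

Requiring both answers does better than simply multiplying the two single-question rates: the attacker’s ten best pairs are a subset of the hundred pairs formed from each question’s top ten, so the joint success rate is bounded above by that product and is usually well below it. The model ignores the other half of the trade-off the text describes, namely that legitimate users must also recall both answers.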
So what are we supposed to do? Google proposes avoiding security questions entirely, relying instead on one-time codes sent by text message or other second-factor mechanisms for account recovery. It isn’t as convenient, but it is more secure.
For more information, see the full paper, enticingly entitled Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google, which is available for free on Google Research.