
What is the name of your first pet?

What is your favorite food?

What is your mother's maiden name?


What do these seemingly random questions have in common? They are all common examples of "security questions." Chances are you've had to answer one of these before; many online services use them to help users regain access to their accounts when they forget their passwords, or as an additional layer of security to protect against suspicious access.

Despite the widespread use of security questions, their effectiveness and security have rarely been studied in depth. So, as part of our ongoing efforts to improve account security, we analyzed hundreds of millions of secret questions and answers that were used in millions of Google account recovery requests. We then measured the likelihood that hackers could guess the answers.

Our results, summarized in a research paper we recently presented at WWW 2015, led us to conclude that secret questions are neither secure nor reliable enough to use as a standalone account recovery mechanism. This is because they have a fundamental flaw: their answers are either secure or easy to remember, but rarely both.

Easy answers are not safe

As expected, easy-to-remember answers are less secure. Easy answers often contain common or publicly available information, or are in a small set of possible answers due to cultural reasons (e.g., a common surname in certain countries).

Here are some specific findings:

  • With a single guess, an attacker would have a 19.7% chance of guessing the answer - for English-speaking users - to the question "What is your favorite food?" (it was "pizza", by the way).

  • With ten guesses, an attacker would have a nearly 24% chance of guessing the answer - for Arabic-speaking users - to the question "What is the name of your first teacher?"

  • With ten guesses, an attacker would have a 21% chance of guessing the answer - for Spanish-speaking users - to the question "What is your father's middle name?"

  • With ten guess attempts, an attacker would have a 39% chance of guessing the answer - for Korean-speaking users - to the question, "What is your hometown?" and a 43% chance of guessing their favorite food.

Many different users also gave identical answers to secret questions that we would normally expect to be highly secure, such as "What is your phone number?" or "What is your frequent flyer number?". We probed this in depth and found that 37% of people intentionally provide false answers to security questions, thinking they are more difficult to guess. However, this backfires: people tend to choose the same (fake) answers, which increases the likelihood that an attacker can guess them.

Difficult answers are not practical

Surprise, surprise: it's not easy to remember where your mother went to elementary school or what her library card number is. As a result, tricky secret questions and answers like these are often difficult to use. Here are some specific findings:

  • Forty percent of our U.S. English-speaking users could not remember the answers to their secret questions when they needed to. However, these same users were able to recall the reset codes that were sent to them via SMS text message more than 80% of the time and via email almost 75% of the time.

  • Some of the potentially safest questions - "What is your library card number?" and "What is your frequent flyer number?" - users could remember only 22% and 9% of the time, respectively.

  • For U.S. English-speaking users, the simplest question, "What is your father's middle name?", had a 76% recall success rate, while the potentially more secure question, "What was your first phone number?", had only a 55% success rate.

Why not add more secret questions?

Of course, it is more difficult to guess the correct answers to two (or more) questions than to just one. However, adding questions also comes at a price: the chance that people get their accounts back is significantly reduced. We did some further analysis to illustrate this idea (Google never actually asks multiple security questions).

According to our data, the "easiest" question and answer is "What city were you born in?" - users remembered this answer more than 79% of the time. The second easiest example is "What is your father's middle name?", which was remembered by users 74% of the time. If an attacker had ten guessing opportunities, they would have a 6.9% and 14.6% chance of guessing the correct answers to these questions, respectively.

However, when users have to answer both together, the margin between security and usability of secret questions becomes increasingly slim. The probability that an attacker can guess both answers in ten attempts is 1%, but users will remember both answers only 59% of the time. Adding more secret questions makes it harder for users to recover their accounts, so it is not a good solution.
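The "chance of guessing the answer in k attempts" figures above are the share of users whose answer is among the k most popular answers in the population, and the two-question numbers follow from multiplying per-question rates. The Python below is an added example (not code from the study or from Google) that computes that metric over a constructed answer sample, shows how intentionally fake "secure" answers collide, and reproduces the 1% / 59% two-question figures from the per-question rates quoted above; it assumes the two questions are independent, which the post does not state explicitly.

```python
from collections import Counter
from math import prod
from typing import Iterable, Sequence


def normalize(answer: str) -> str:
    """Canonicalize an answer the way a recovery form would compare it
    (case-insensitive, surrounding and repeated whitespace ignored)."""
    return " ".join(answer.strip().lower().split())


def top_k_guess_rate(answers: Sequence[str], k: int) -> float:
    """Fraction of users compromised by an attacker who tries the k most
    common answers in the population (the post's 'k guesses' metric)."""
    counts = Counter(normalize(a) for a in answers)
    return sum(c for _, c in counts.most_common(k)) / len(answers)


def combined_rate(rates: Iterable[float]) -> float:
    """Probability that every event in `rates` succeeds, assuming the
    questions are independent (an assumption of this example)."""
    return prod(rates)


# Constructed sample of 100 "favorite food" answers (not real data):
# 20 are "pizza" in varying spellings, 36 are other popular foods,
# and 44 are unique answers an attacker could not guess from popularity.
FAVORITE_FOOD_SAMPLE = (
    ["pizza"] * 12 + ["Pizza"] * 5 + [" pizza "] * 3
    + ["pasta"] * 8 + ["sushi"] * 6 + ["tacos"] * 5 + ["steak"] * 4
    + ["curry"] * 3 + ["ramen"] * 3 + ["burger"] * 3
    + ["salad"] * 2 + ["chocolate"] * 2
    + [f"unique dish {i}" for i in range(44)]
)

# Constructed sample of 100 "phone number" answers (not real data): a question
# that should have near-unique answers, but 30 users typed a fake placeholder.
PHONE_NUMBER_SAMPLE = (
    ["1234567890"] * 15 + ["0000000000"] * 10 + ["1111111111"] * 5
    + [f"555{i:07d}" for i in range(70)]
)

# Per-question rates quoted in the post for the two "easiest" questions.
GUESS_10_BIRTH_CITY, GUESS_10_FATHER_MIDDLE = 0.069, 0.146
RECALL_BIRTH_CITY, RECALL_FATHER_MIDDLE = 0.79, 0.74


def two_question_tradeoff() -> tuple[float, float]:
    """(attacker success in 10 guesses per question, user recall) when both
    questions must be answered together."""
    guess = combined_rate([GUESS_10_BIRTH_CITY, GUESS_10_FATHER_MIDDLE])
    recall = combined_rate([RECALL_BIRTH_CITY, RECALL_FATHER_MIDDLE])
    return guess, recall


if __name__ == "__main__":
    print("favorite food, 1 guess :", top_k_guess_rate(FAVORITE_FOOD_SAMPLE, 1))
    print("favorite food, 10 guesses:", top_k_guess_rate(FAVORITE_FOOD_SAMPLE, 10))
    print("phone number, 3 guesses :", top_k_guess_rate(PHONE_NUMBER_SAMPLE, 3))
    g, r = two_question_tradeoff()
    print(f"two questions: attacker {g:.1%}, user recall {r:.1%}")
```

The constructed samples make the post's two points visible side by side: normalization folds the spelling variants of "pizza" into a single top guess, and the "secure" phone-number question leaks 30% of the sample in three guesses purely because of shared fake answers. The same `top_k_guess_rate` function can be run over any real answer population to evaluate a candidate question before deploying it.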

The next question is: What to do?

Secret questions have long been a staple of account recovery and online authentication. But, given these findings, users and website owners should think twice about relying on them.

We encourage Google users to make sure their account recovery information is current. They can do this quickly and easily with our security check. We now use account recovery security questions only as a last resort, when SMS or recovery email addresses do not work, and never as the sole proof of account ownership.

In parallel, website owners should use other authentication methods, such as SMS security codes or secondary email addresses, to authenticate their users and help them regain access to their accounts. These are more secure and offer a better user experience.
