Google says security questions on accounts are “neither secure nor reliable enough” to use in cases of forgotten passwords. It’s urging other firms to follow its lead by making such questions solely a last resort.
In a paper presented this week at a World Wide Web conference in Italy, five Google researchers detailed their study of Google users’ security questions over the past five years and their attempts to use them to recover login details. They also looked at the details of previous studies.
Their main conclusion was that there’s no sweet spot for a security question: either it’s too hard to remember or too easy to guess. For example, some questions, such as “Who is your favorite superhero?”, have only a limited number of common answers. Others have some very dominant answers: Google says that if you try to access an English speaker’s account and answer “What is your favorite food?” with “pizza”, there’s a 19.7 percent chance you’ll be correct.
The researchers also found that people who make up bogus answers may actually be less secure. While 37 percent of people do this, for some types of question such as frequent flyer number or first phone number the answers are much less evenly distributed than would be expected. That strongly suggests people who make up an answer are more likely to choose something predictable. (I’d guess there’s a lot of 555s and variations on 69 out there.)
On the flipside, some questions are simply too hard. Only 55 percent of people asked to do so could successfully recall their first phone number (or at least the number they had provided). Even the two easiest questions covered by the study, namely your city of birth and your father’s middle name, only got correct answers in 79 percent and 74 percent of cases respectively. Across all questions, people only averaged a correct answer 60 percent of the time.
(That may not be a case of such information being hard to remember, but rather a combination of people forgetting which bogus answer they provided and people struggling with phone keyboards and shaky autocorrect.)
The research also suggested that simply making people answer more questions to be “doubly safe” is a bad tradeoff of convenience and security. Even where the imaginary hacker was allowed 10 guesses, it would be possible to guess the birth city in only 6.9 percent of cases and the father’s middle name in 14.6 percent of cases. Asking both questions would reduce that rate to 1 percent: a big proportional drop, but not a major difference in practical terms, as it’s going from “highly unlikely” to “almost impossible.”
However, asking the average legitimate user to answer both questions — the two “easiest” to remember — would reduce their success rate to just 59 percent.
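As an added illustration (not code from the paper or the article), the following Python models the two measurements the article describes: how guessable a question is once an attacker knows the population’s answer distribution, and how attacker and legitimate-user rates combine when both questions are required. The sample answers are constructed, and treating the two questions as independent is an assumption made here, not a claim from the paper.

```python
from collections import Counter
from typing import Iterable, Sequence


def normalize(answer: str) -> str:
    """Compare answers the way a lenient recovery flow would: case- and
    whitespace-insensitive, so 'Pizza ' and 'pizza' count as one answer."""
    return " ".join(answer.strip().lower().split())


def guess_success_rate(answers: Iterable[str], guesses: int) -> float:
    """Chance that an attacker who knows the population's answer distribution
    hits a random user's answer within `guesses` attempts, i.e. the
    probability mass of the `guesses` most common answers."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return sum(c for _, c in counts.most_common(guesses)) / total


def too_common(answer: str, answers: Iterable[str], max_share: float) -> bool:
    """Defensive check at enrolment: reject an answer whose share of the
    population exceeds max_share (e.g. 'pizza' for favourite food)."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return counts[normalize(answer)] / total > max_share


def combined_rates(attack_rates: Sequence[float],
                   recall_rates: Sequence[float]) -> tuple[float, float]:
    """Require every question to be answered correctly. Assuming the
    questions are independent (an assumption made here), the attacker's
    guess rate and the legitimate user's recall rate both multiply."""
    attack = recall = 1.0
    for a in attack_rates:
        attack *= a
    for r in recall_rates:
        recall *= r
    return attack, recall


# Constructed sample of 20 "favourite food" answers, skewed so that one
# answer dominates (modelled on the article's pizza observation).
FOOD_ANSWERS = (
    ["pizza"] * 3 + ["Pizza "] + ["sushi"] * 3 + ["tacos"] * 2
    + ["steak", "pasta", "curry", "ramen", "pho", "bbq",
       "chili", "soup", "salad", "cake", "ribs"]
)

if __name__ == "__main__":
    print(f"1 guess:   {guess_success_rate(FOOD_ANSWERS, 1):.1%}")  # 20.0%
    print(f"3 guesses: {guess_success_rate(FOOD_ANSWERS, 3):.1%}")  # 45.0%
    # The article's 10-guess figures for birth city and father's middle name.
    attack, recall = combined_rates([0.069, 0.146], [0.79, 0.74])
    print(f"both questions: attacker {attack:.1%}, legitimate user {recall:.1%}")
```

Run against a real answer corpus, `guess_success_rate` with a small `guesses` budget is the number a defender should watch: anything far above a uniform distribution means the question is doing little work as a secret.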