Google Study Shows Security Questions Aren’t All That Secure

What is your favorite food? What was your first teacher’s name? What’s the name of your first pet? Do those questions sound familiar to you? If they do, it’s probably because you either have really boring and repetitive conversations or you’ve answered them as security questions when you signed up for a new account somewhere. They’re meant to provide an extra layer of security, but according to a new study by Google’s security team, they aren’t all that secure.

Looking at ‘hundreds of millions’ of these questions and their answers from Google users who tried to recover their accounts, the team concluded that “secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.” That’s because they are either too easy to remember (and hence to guess) or too hard to remember (and hence easy to forget). There doesn’t seem to be much of a middle ground.

Chances are, for example, that when you try to guess what an English-speaking user said was his or her favorite food, guessing pizza would get you a long way (almost 20 percent of Google users apparently used this as their answer). Using 10 guesses, there’s also a 21 percent chance of guessing a Spanish speaker’s father’s middle name. In a country where most of the population lives in a few very large cities, chances are you can also quickly guess where they were born (think South Korea, for example).

Screenshot 2015-05-20 at 19.17.13

It also turns out that 37 percent of users simply fake it to make their live easier. Google found, for example, that many users would provide the same answer for questions like ‘What’s your phone number?’ and ‘What’s your frequent flyer number?’ even though those are most likely completely different.

In total, 40 percent of English-speaking users in the U.S. couldn’t recall their questions at all. People who actually used the frequent flier question, for example, only remembered the right answer in 9 percent of cases.

So if one question is easy to guess, the logical next step would be to add more questions, which some systems do. That makes it harder for attackers to guess them correctly, but then the chances of the user also recalling both correctly drops, too.

Google’s researchers argue that site owners should use SMS backup codes, secondary email addresses and other means to securely authenticate users and only use these questions as a method when everything else has failed.