If you think those identity-verification security questions actually keep your data secure, think again — a study by Google researchers shows most typical security questions fail on one of two levels: Hackers can easily guess the answers, while the actual account owners are likely to forget them.

Google anti-abuse researcher Elie Bursztein and software engineer Ilan Caron posted on Google's security blog last week a summary of a more detailed paper they'd presented at the WWW 2015 conference.

… secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism. That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember — but rarely both.

Downright useless

Turns out that certain easy-to-remember security questions are also downright useless, although which specific questions prove useless varies throughout the world:

With a single guess, an attacker would have a 19.7% chance of guessing English-speaking users’ answers to the question "What is your favorite food?" (it was ‘pizza’, by the way)

With ten guesses, an attacker would have a nearly 24% chance of guessing Arabic-speaking users’ answers to the question "What’s your first teacher’s name?"

With ten guesses, an attacker would have a 21% chance of guessing Spanish-speaking users’ answers to the question, "What is your father’s middle name?"

With ten guesses, an attacker would have a 39% chance of guessing Korean-speaking users’ answers to the question "What is your city of birth?" and a 43% chance of guessing their favorite food.
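The percentages above all measure the same thing: how much of the user population an attacker covers by submitting the most common answers to a question. The script below is an added example, not code from the Google study or from this article; it computes that coverage for one guess and for ten guesses from a constructed answer sample (the counts are made up, not the study's data), and then shows, under a labelled independence assumption, what happens to both attacker success and legitimate-user recall when a site stacks several questions together.

```python
"""Estimate how guessable a secret question is from the distribution of
answers users actually give, and how stacking questions trades attacker
success against legitimate-user recall.

Added example; not code from the Google study or the article. The sample
answers below are constructed, and the independence assumption in
recovery_tradeoff() is a simplification.
"""
from __future__ import annotations

from collections import Counter
from math import prod
from typing import Iterable, Sequence


# Constructed population of answers to "What is your favorite food?".
# Chosen so one answer dominates, as the study reports for 'pizza'; the
# counts themselves are made up.
SAMPLE_ANSWERS: list[str] = (
    ["Pizza"] * 20 + ["pasta"] * 8 + ["sushi"] * 6 + ["tacos"] * 5
    + ["chocolate"] * 4 + ["curry"] * 3 + ["steak"] * 2
    + ["borscht", "pho", "jollof rice", "kimchi", "grits", "poutine"]
)  # 54 answers in total; 'pizza' is 20/54


def normalize(answer: str) -> str:
    """Canonicalize an answer the way a lenient recovery form would compare it:
    case-insensitive, with surrounding and repeated whitespace collapsed."""
    return " ".join(answer.lower().split())


def answer_distribution(answers: Iterable[str]) -> list[tuple[str, float]]:
    """Return (answer, probability) pairs, most common first."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return [(a, c / total) for a, c in counts.most_common()]


def guess_success_rate(answers: Iterable[str], k: int) -> float:
    """Probability that an attacker who knows the population's answer
    distribution and submits its k most common answers hits a randomly
    chosen user's answer. The article's 'single guess' and 'ten guesses'
    percentages are this quantity for the study's real data."""
    dist = answer_distribution(answers)
    return sum(p for _, p in dist[:k])


def top_guesses(answers: Iterable[str], k: int) -> list[str]:
    """The k answers an optimal guesser would try first."""
    return [a for a, _ in answer_distribution(answers)[:k]]


def recovery_tradeoff(guess_rates: Sequence[float],
                      recall_rates: Sequence[float]) -> tuple[float, float]:
    """For a recovery flow that requires ALL listed questions to be answered,
    return (attacker success, legitimate-user success).

    Assumes the questions are independent for both the attacker and the
    user (a simplification: answers and memories are often correlated)."""
    if len(guess_rates) != len(recall_rates):
        raise ValueError("one recall rate per question required")
    return prod(guess_rates), prod(recall_rates)


if __name__ == "__main__":
    for k in (1, 3, 10):
        print(f"top-{k} guess success: {guess_success_rate(SAMPLE_ANSWERS, k):.1%}"
              f"  guesses={top_guesses(SAMPLE_ANSWERS, k)}")
    # Constructed illustration of the 'more questions' trade-off: three
    # questions each guessable 20% of the time with ten guesses and each
    # recalled by 60% of users.
    attacker, user = recovery_tradeoff([0.2, 0.2, 0.2], [0.6, 0.6, 0.6])
    print(f"three questions: attacker {attacker:.1%}, legitimate user {user:.1%}")
```

The point the numbers make is the one the article makes: on the constructed sample a single guess already covers 37% of users, and requiring three moderately weak questions drops the attacker to under 1% but also locks out roughly four in five legitimate users. A site evaluating its own recovery questions can run `guess_success_rate` over its real (anonymized) answer data to see which questions a top-ten guess list covers.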

Of course, companies could offset such problems by adding more, and harder, security questions, but that would lead to the exact opposite problem: Too many legitimate account holders would forget the answers, and be unable to recover their accounts.

Surprise, surprise: it’s not easy to remember where your mother went to elementary school, or what your library card number is! Difficult secret questions and answers are often hard to use. … 40% of our English-speaking US users couldn’t recall their secret question answers when they needed to.

So what can tech companies do to protect their customers from this question conundrum? Probably nothing, as Bursztein and Caron said in the abstract of their research paper: “We conclude that it appears next to impossible to find secret questions that are both secure and memorable.”
