Despite the widespread popularity of security questions as an added layer of password-based security, a study by Google suggests secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.
The findings suggest users' answers are either somewhat secure or easy to remember, but rarely both.
With a single guess, an attacker would have a nearly 20% chance of guessing English-speaking users' answers to the question, "What is your favorite food?" That turns out to be pizza, naturally.
"Secret questions have long been a staple of authentication and account recovery online," Elie Bursztein, Google's anti-abuse research lead, and Ilan Caron, a Google software engineer, wrote on the company's Online Security blog. "But, given these findings it's important for users and site owners to think twice about these."
In addition, 40% of Google's English-speaking US users couldn't recall their secret-question answers when they needed to.
These same users, meanwhile, could recall reset codes sent to them through SMS text messages more than 80% of the time and through email nearly 75% of the time.
A user's father's middle name and the city where the user were born are among the most popular security questions on offer, which would give hackers a 6.9% and 14.6% chance to correctly guess the answers within 10 tries.
The problem is a worldwide issue: The study found, for instance, an attacker would have a 39% chance of guessing Korean-speaking users' answers to the question, "What is your city of birth?" and a 43% chance of guessing their favorite food.
Hackers would also have a pretty good chance at figuring out answers in Arabic- and Spanish-speaking countries.
The convenience of an easy-to-remember answer dilutes the effectiveness of the concept and has found little traction among users.
The report noted that some of the potentially safest questions, such as inputting a library card number or a frequent flyer number, have only 22% and 9% recall rates.
Bursztein and Caron strongly encourage Google users to make sure their Google account recovery information is current, which can be done using the company's Security Checkup feature.
"For years, we've only used security questions for account recovery as a last resort when SMS text or back-up email addresses don't work and we will never use these as stand-alone proof of account ownership," the post noted.
[Read about bots taking over the world.]
Google suggests that site owners should use other methods of authentication, such as backup codes sent through SMS text or secondary email addresses to authenticate their users and help them regain access to their accounts. These methods, it says, are safer and offer a better user experience.
Roughly a year after the discovery of the Heartbleed security bug, which affected more than 500,000 websites and dominated national news for weeks, a survey of 2,000 American adults indicated public awareness and knowledge about online privacy, security, and protection was still below the level at which it should be.
[Did you miss any of the InformationWeek Conference in Las Vegas last month? Don't worry: We have you covered. Check out what our speakers had to say and see tweets from the show. Let's keep the conversation going.]Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin. View Full Bio