Mixing in multiple mechanisms is a better approach

May 22, 2015 14:33 GMT  ·  By

Security questions on their own are not an effective way to recover access to accounts, researchers at Google found after studying how often users recall the right answer and how guessable the answers are.

The study relied on a dataset of hundreds of millions of secret answers and millions of account recovery requests.

Easy answers are not secure, difficult ones are not memorable

Striking a balance between secure secret questions and memorable answers is the main issue highlighted by the researchers. Answers to strong questions, those with a low chance of being known by an unauthorized third party, proved difficult to remember.

Given the amount of personal information available online, some users set fake answers in an attempt to increase security, but Google found that this sense of security is false: in many cases the fake answers follow a predictable pattern, which makes them easier to guess.

According to the statistics provided by the researchers, when an American user gave a truthful answer to the question “What is your favorite food?”, an attacker would guess it on the first try in 19.7% of the cases.

“With ten guesses, an attacker would have a 39% chance of guessing Korean-speaking users’ answers to the question ‘What is your city of birth?’ and a 43% chance of guessing their favorite food,” the researchers reveal in their report.
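The figures quoted above are the cumulative share of users covered by an attacker's most popular guesses. The following added example (not code from Google's study) reproduces that check for a site owner evaluating a candidate question: it takes a constructed sample of answers, normalizes them, and reports the probability that the k most common answers cover a user's answer.

```python
from collections import Counter
from typing import Dict, Iterable, List


def normalize(answer: str) -> str:
    """Canonicalise an answer the way a lenient verifier or a guessing
    attacker would: case-fold and collapse whitespace."""
    return " ".join(answer.casefold().split())


def guess_success_rate(answers: Iterable[str], guesses: int) -> float:
    """Fraction of users whose answer is among the `guesses` most common
    answers, i.e. an attacker's success rate when trying answers in
    descending order of popularity."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    covered = sum(n for _, n in counts.most_common(guesses))
    return covered / total


def risk_profile(answers: List[str], budgets=(1, 10, 100)) -> Dict[int, float]:
    """Success rate for each attacker guess budget, for a quick comparison
    of candidate questions."""
    return {k: guess_success_rate(answers, k) for k in budgets}


def question_is_weak(answers: List[str], limits=((1, 0.05), (10, 0.20))) -> bool:
    """Hypothetical acceptance policy (assumed thresholds, not from the
    study): reject a question if too many users share the top answers."""
    return any(guess_success_rate(answers, k) > limit for k, limit in limits)


def constructed_sample() -> List[str]:
    """Constructed answers to a favorite-food question; the skew toward a
    few dishes mirrors the pattern the study describes, not its data."""
    popular = {"pizza": 18, "Pizza ": 2, "sushi": 12, "pasta": 8, "tacos": 6,
               "steak": 5, "chicken": 4, "burger": 3, "ramen": 2}
    answers = [a for a, n in popular.items() for _ in range(n)]
    answers += [f"unique dish {i}" for i in range(40)]  # 100 answers in total
    return answers


if __name__ == "__main__":
    sample = constructed_sample()
    for k, rate in risk_profile(sample).items():
        print(f"{k:>3} guesses: {rate:.1%} of users compromised")
    print("weak question" if question_is_weak(sample) else "acceptable question")
```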

Security questions alone are not the answer

Solving the issue is not a tough nut to crack, and the Google researchers recommend that site owners implement alternatives that work better.

According to their findings, the recovery mechanism based on SMS reset codes recorded a success rate of 81%, while the method relying on backup emails succeeded in 75% of the cases.

The researchers acknowledge that no mechanism is perfect on its own. The SMS-based method fails if the user does not have access to the phone for legitimate reasons. However, combining them would lead to improved protection of the accounts against hijacking attempts.