What is your mother's name? And your favorite color? We don't want to interrogate you; these are the security questions we have to answer in order to recover a password, or as an extra step during the identification process.
If we have forgotten our password, after failing all attempts to enter it correctly, the platform asks us one of the questions we chose during registration. We know how difficult it is to choose a secure password, different from the last one, change it from time to time and actually remember it. So how can such a simple question protect our account?
A team of researchers from Google set out to determine whether this security strategy really fulfills its mission. To do so, they analyzed hundreds of millions of secret questions and answers. They summarized their findings in an article in the proceedings of the twenty-second International World Wide Web Conference.
In short, the authors found that secret questions are not reliable enough, so they should not serve as the only mechanism for recovering an account's password. Although some answers are secure and others are easy to remember, the two properties rarely coincide: when the answer is complex enough to offer real protection, memory fails.
On the other hand, the easiest options are usually related to some aspect of our daily life, or are even a matter of public record. This is the main weakness: they can be deduced with the appropriate analysis tools and a little patience.
An attacker could thus figure them out by working through a limited set of possibilities: say, the most common surnames in a country, the most popular dishes, or simply the most common colors (to determine your favorite).
Google's research provides some significant figures on this point. A cyberattacker would have a 19.7% chance of guessing an English-speaking user's answer to the question "What is your favorite food?", since the most common answer is "pizza". In the case of Spaniards, with 10 attempts there is a 21% chance of guessing their father's second name correctly.
We also have news for those who give fake answers to prevent anyone from guessing them. In the study, 37% of people intentionally gave false answers to questions like "What is your phone number?" Nevertheless, this strategy can backfire, because most people end up choosing the same false answers, making it easier for the criminals.
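The figures above come from a skewed distribution of answers: the more users converge on the same value, the more an attacker gains from a handful of ordered guesses. The following added example (not code from the paper) estimates that success rate from a constructed, invented sample of "favorite food" answers and shows the registration-time check a defender can apply, rejecting answers whose population share is too high, much like a common-password blocklist; the sample strings, counts and the 5% threshold are assumptions.

```python
from collections import Counter

# Constructed sample of registered answers to "What is your favorite food?".
# The skew (one answer dominating) mirrors the page's point; the strings and
# counts are invented for this example and are not Google's data.
SAMPLE_ANSWERS = (
    ["pizza"] * 20 + ["pasta"] * 8 + ["sushi"] * 6 + ["tacos"] * 5
    + ["steak"] * 4 + ["salad"] * 3 + ["curry"] * 2
    + ["grandmas lentil stew", "cold pierogi at 3am"]
)


def normalize(answer: str) -> str:
    """Fold case and whitespace the way a recovery form compares answers."""
    return " ".join(answer.lower().split())


def answer_frequencies(answers):
    """Relative frequency of each normalized answer, most common first."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return [(ans, n / total) for ans, n in counts.most_common()]


def guess_success_rate(answers, attempts: int) -> float:
    """Probability that an attacker who submits the `attempts` most common
    answers, in order, matches a randomly chosen user's answer."""
    freqs = answer_frequencies(answers)
    return round(sum(p for _, p in freqs[:attempts]), 4)


def too_common(answer: str, answers, threshold: float = 0.05) -> bool:
    """Registration-time check: reject an answer whose share of the registered
    population exceeds `threshold` (assumed 5% here), so that the most
    guessable answers never become the sole recovery factor."""
    share = dict(answer_frequencies(answers)).get(normalize(answer), 0.0)
    return share > threshold


if __name__ == "__main__":
    for k in (1, 3, 10):
        print(f"{k} guess(es): {guess_success_rate(SAMPLE_ANSWERS, k):.0%} success")
    for candidate in ("Pizza", "curry", "borscht"):
        verdict = "rejected" if too_common(candidate, SAMPLE_ANSWERS) else "accepted"
        print(f"{candidate!r}: {verdict}")
```

The same check applies to the fake-answer problem described above: a made-up answer that many users independently pick (a fixed phone number, for instance) shows up in the frequency table just like "pizza" and is rejected for the same reason.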
So what is the solution? Choosing a more complicated question? The authors of this study don't advise it, because the numbers show that we forget the answers quite easily. Most of those who chose one of the theoretically safer questions did not remember their answer.
In particular, only 55% recalled their first phone number, 22% remembered their library card number, and even fewer (9%) their frequent flyer number.
Incorporating two or more questions is not a good idea either, because, according to the experts at Google, it would complicate account recovery: if users cannot remember one answer, they are even less likely to remember several.
The only solution is to use other authentication methods, such as access codes sent by text message to your cell phone (two-step verification) or an alternative email address. The authors of this research describe these two methods as "safer" and state that they also offer a better user experience.