Google Research Reveals Security Questions's Vulnerability To Attack
Google has just published research which puts the nail in the coffin of security question-based password protection. We like to think that security questions are reliable because the answers are easy to remember, but research shows this isn't the case. Not only are the answers to security questions often forgotten, but they are susceptible to attacks by simply guessing answers. These reasons contribute to the evolution of two-step authentication and SMS-based verification codes for quicker, more reliable password retrieval and authentication.
Although Google's research makes it official, this isn't a newly discovered idea. 40% of English-speaking users simply forget their security answers; whereas, SMS-based retrieval has an 80% success rate. In contrast, the old school security questions with answers that are the easiest to remember are actually the least secure questions. The answer to strengthening security is not in the question "what is the name of your elementary school mascot?" but in alternative recovery methods like phone calls and texts.
According to Google's research, an attacker has an almost 20% chance of guessing an English speaker's answer to "What is your favorite food?" in a single try. The problem extends beyond English as well. An attacker has an almost 40% chance of guessing a Korean speaker's answer to "What is your city of birth?" or their favorite food, within ten tries. Yet, overall, only 6.9% of attackers can guess a birthplace within ten attempts.
When it comes to security questions, Google's advice is not to try to fake an answer. Providing false answers actually makes it easier for an attacker to break through. When websites add multiple security questions, it makes it more difficult for hackers to gain entry, but it also raises the difficulty for users as well, making it a less than ideal security solution.
I remember, even before I had my own email address, I was cautioned to never accidentally reveal my mother's maiden name–which seems as ridiculous now as it did then. Perhaps someone could have used it to access bank records by phone or bypass some analog security method. Now, security has become more complicated–yet more user-friendly, at the same time. It's much easier glance at my phone for a texted verification number than to remember the make and model of my first car.
Source: Google