Google: Security Questions Aren’t Quite Secure

Security questions are predominantly used and found on the internet but predate the internet to begin with. Questions such as “What is your mother’s maiden name?” is a common security question used during phone verification, bank verification in person etc. Google notes that these security questions aren’t secure and all too vulnerable for hackers, which is cause for concern with their widespread, mainstream usage.

The main problem with these questions, Google say, is that they’re either very easy to remember or hard to guess, but rarely both. These were the findings in a research paper presented recently in Italy, by Google.

Easy fillings

In doing research into how hard it was to guess answers to questions used as security checkpoints set up to grant access to online accounts, here was a considerable amount of insecurity found, Google researchers said.

“Our analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords,” said a peer-reviewed paper presented last week at the International Conference on the World Wide Web in Florence.

“Surprisingly, we found that a significant cause of this insecurity is that users often don’t answer truthfully.”

In the paper, it was determined that the most common fake answers are far too easy and predictable compared to the most common real answers for fundamental facts such as surnames. Moreover, answers written as “I don’t know” or “Don’t have one” were strikingly ineffective.

Flawed, ineffective questions

The lead author of the paper, Joseph Bonneau, now a post-doctoral researcher at Stanford University after leaving Google stated that researchers never had much faith in security questions being very secure but the motivations of the paper was to asses and “pout out in black and white exactly how insecure and unreliable” the questions were.

In order to achieve this, the team looked at just how simple and easy it was to guess the answers to security questions in Google accounts in the past five years. Another task they set out upon was to identify the best security questions possible – those that got users to come up with answers both secure and memorable. The result wasn’t all too reassuring.

“Nothing we looked at was good on both counts,” he said. “If there is some question out there that will manage to do both things at once, Google wasn’t able to find it.”

Quick tips to circumvent ineffective security

With the published paper, Bonneau makes a few fundamental recommendations.

  • Steer clear and avoid fake, generic, and easy to remember answers like “Don’t have one or I don’t know.”
  • Use alternative security features, such as registering your phone number to your Google account and getting Google to send an account recovery code to the phone.