CBC News reports how Google researchers, led by Joseph Bonneau, examined public usage of “secret” security questions. These are used by nearly all websites online as a safeguard for the “reset my password” option. You cannot reset your password until you’ve supplied some information that, supposedly, only you would know.
Unfortunately, the security questions offered normally have answers which anybody close to you would already know. “Pet’s name” and “favourite movie” are probably common knowledge, while better ones like “mother’s maiden name” can still be obtained online. Many people seem to have realised this, which has led to a new issue: people faking answers.
The Google study was created with the aim of showing “in black and white exactly how insecure and unreliable” security questions are. The team hoped to identify the best possible security questions as well as the worst by analysing their usage on Google’s own platform.
They found that many people supply fake answers where they can, but that these are actually easier to exploit than real ones. The researchers found that many accounts were protected by answers such as “Don’t have one” and “I don’t know”, which gives an attacker a short list of guesses that work against a large share of accounts.
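The clustering effect described above is easy to measure, and it also suggests a registration-time mitigation. The following Python is an added example and is not code from the study or from Google; the denylist of placeholder answers and the sample answer set are both constructed for illustration. It shows how a service could reject obvious non-answers when a user sets up a question, and how many accounts an attacker would recover by trying only the most common answers.

```python
import re
from collections import Counter

# Constructed denylist of placeholder "non-answers" of the kind the study found
# protecting many accounts. Illustrative only; not the study's list.
PLACEHOLDER_ANSWERS = {
    "i dont know", "dont know", "dont have one", "i dont have one",
    "none", "na", "no", "nothing", "unknown", "no idea",
    "password", "123456", "asdf", "abc",
}


def normalise(answer: str) -> str:
    """Case-fold, drop punctuation and collapse whitespace so that
    'I Don't Know!!' and 'i dont know' compare equal."""
    a = answer.strip().lower()
    a = re.sub(r"[^\w\s]", "", a)   # remove apostrophes and other punctuation
    a = re.sub(r"\s+", " ", a)      # collapse runs of whitespace
    return a


def is_acceptable_answer(answer: str, min_len: int = 3) -> bool:
    """Registration-time check: reject empty, very short or placeholder answers."""
    a = normalise(answer)
    if len(a) < min_len:
        return False
    return a not in PLACEHOLDER_ANSWERS


def count_rejected(answers) -> int:
    """How many of the supplied answers the check above would refuse."""
    return sum(1 for a in answers if not is_acceptable_answer(a))


def guess_success_rate(answers, guesses: int) -> float:
    """Fraction of accounts recovered by trying the `guesses` most common
    answers against every account (the clustering the study describes)."""
    counts = Counter(normalise(a) for a in answers)
    covered = sum(c for _, c in counts.most_common(guesses))
    return covered / len(answers)


# Constructed sample of "pet's name" answers for a hypothetical user population.
SAMPLE_ANSWERS = (
    ["I don't know"] * 5
    + ["Don't have one"] * 4
    + ["none"] * 3
    + ["Rex", "Whiskers", "Bella", "Max", "Luna", "Charlie", "Tigger", "Shadow"]
)

if __name__ == "__main__":
    print("rejected at registration:", count_rejected(SAMPLE_ANSWERS))
    for k in (1, 3):
        print(f"top-{k} guesses recover {guess_success_rate(SAMPLE_ANSWERS, k):.0%}")
```

On the constructed sample, a single guess recovers a quarter of the accounts and three guesses recover 60%, which is why a registration-time denylist matters more than any online rate limit: the attacker needs very few attempts per account.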
Worryingly, Bonneau concludes “If there is some question out there that will manage to do both things at once [be secure and memorable], Google wasn’t able to find it.” It does appear as though security questions aren’t suitable for use in the modern Internet and that alternatives must be found.
Bonneau advises that users should avoid obviously fake answers such as “I don’t know”. Where a service supports it, two-factor authentication should be enabled instead of security questions. This uses your phone to generate a unique security code for you and is available on a growing roster of platforms, including Google.