Right, I’m talking about the ‘secret questions’ that have long been used as a backup mechanism to reclaim accounts (for example if you have lost your password). It’s a pretty common method used by a lot of services, since they are an easy way to provide an extra layer of security. But now a new study by Google actually questions that. The researchers conducting the study claim that their “analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords.”
For the study they analyzed hundreds of millions of secret answers and millions of account recovery claims from Google users and concluded “that in practice secret questions have poor security and memorability […] From millions of account recovery attempts we observed a significant fraction of users (e.g 40% of our English-speaking US users) were unable to recall their answers when needed. This is lower than the success rate of alternative recovery mechanisms such as SMS reset codes (over 80%).”
The security side does not fare much better. If you had to guess what an English-speaking user chose as the answer to the question “What’s your favorite food”, pizza would be the way to go: 19.7% apparently have the same taste. In a Spanish-speaking country you’d have a 3.8% success rate at answering the “Father’s middle name” one correctly, and with only 10 guesses you would be able to guess the answer to “City of birth” for 39% of the Korean-speaking users. The fact that some 37% provide fake answers in order to make them harder to guess is of no help either. Apparently their little trick has the opposite effect, since they now answer the questions in a predictable way.
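The percentages above are all the same measurement: the share of accounts an attacker would cover by trying the k most common answers to a question. The following Python snippet is an added example (not code from the post or from the Google study) showing how a service could compute that guessability figure, and the related min-entropy, from its own answer data. The answer list is constructed sample data chosen to resemble the skew the post describes (one answer held by roughly a fifth of users); it is not data from the study.

```python
from collections import Counter
from math import log2

# Constructed sample of answers to a "favorite food" style question.
# Not data from the study: proportions are chosen so that one answer
# covers about 19.7% of accounts, with a long tail of unique answers.
SAMPLE_ANSWERS = (
    ["pizza"] * 197 + ["pasta"] * 60 + ["sushi"] * 45 + ["tacos"] * 40
    + ["steak"] * 30 + ["burger"] * 28 + ["curry"] * 25 + ["ramen"] * 20
    + ["salad"] * 15 + ["chocolate"] * 12
    + [f"rare-food-{i}" for i in range(528)]   # 528 answers seen only once
)


def answer_distribution(answers):
    """Normalized frequency of each distinct answer, most common first.

    Answers are trimmed and lower-cased because recovery flows usually
    compare case-insensitively, so 'Pizza' and 'pizza' are one answer.
    """
    counts = Counter(a.strip().lower() for a in answers)
    total = sum(counts.values())
    return [(ans, n / total) for ans, n in counts.most_common()]


def success_within_guesses(answers, k):
    """Fraction of accounts whose answer is among the k most common ones.

    This is the figure quoted in the post ('with 10 guesses, 39% of
    Korean-speaking users'): an attacker who tries the top-k answers
    succeeds against exactly this share of accounts.
    """
    dist = answer_distribution(answers)
    return sum(p for _, p in dist[:k])


def min_entropy_bits(answers):
    """Min-entropy of the answer distribution in bits.

    -log2 of the single most likely answer; this is the security the
    question offers against one guess, which is what matters when a
    recovery flow gives the attacker only a handful of attempts.
    """
    dist = answer_distribution(answers)
    return -log2(dist[0][1])


def guessability_report(answers, ks=(1, 3, 10)):
    """Map of k -> fraction of accounts covered by the top-k answers."""
    return {k: round(success_within_guesses(answers, k), 3) for k in ks}


if __name__ == "__main__":
    print("coverage by top-k guesses:", guessability_report(SAMPLE_ANSWERS))
    print(f"min-entropy: {min_entropy_bits(SAMPLE_ANSWERS):.2f} bits")
```

A question whose top answer alone yields a min-entropy of a little over two bits is far weaker than even a weak user-chosen password, which is the comparison the study draws; running this over real (hashed or aggregated) answer data is how a service can decide whether a question should be retired or how tightly recovery attempts must be rate-limited.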
The Google researchers conclude that it is almost impossible to find the perfect secret question: One that is both memorable and secure. Google itself prefers SMS and secondary email addresses to confirm a user’s identity but admits that those are not perfect either.