Security questions are not as safe as we expect, which makes me even more scared about “bank-level security” since banks use them all the time. If you’re innovating in cyber security, check out this new study from Google regarding the security of personal knowledge verification.
Security, or secret, questions are worse than passwords even for low levels of security. It turns out that users (37% of them) provide fake answers to their security questions. This attempt to make the answers “harder to guess” actually makes them easier to guess, because people make up answers in a predictable way.
We seem to be that predictable. In theory, questions should be secure because each user has a different answer (e.g. a phone number). In reality the distribution isn’t flat: people provide untruthful answers, and those tend to be the same guesses other people make. We’ve seen this trend before.
And even when we aren’t making up answers, a lot of common answers are shared among many users. A hacker has a 19.7% success rate at guessing the answer to the question “What’s your favorite food?” With a single guess, the hacker would have a 3.8% success rate at guessing a Spanish-speaking user’s answer to “Father’s middle name?” or a Korean-speaking user’s answer to “City of birth?” And the percentages are similar whether we’re talking about frequent flyer numbers or Russian phone numbers.
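As an added illustration (not code from this post or from the Google study) of why a skewed answer distribution matters: given the answers a site already holds for one question, this computes the share of accounts an attacker trying only the most common answers would open, and flags the question for retirement above an assumed threshold. The sample answers and the 5%/20% limits are constructed for the example.

```python
from collections import Counter

# Constructed sample: 20 stored answers to one secret question
# ("What's your favorite food?"). Not data from the Google study.
SAMPLE_ANSWERS = [
    "Pizza", "pizza ", "PIZZA", " pizza", "pizza",        # 5 accounts share one answer
    "Sushi", "sushi", "SUSHI",                            # 3 more share another
    "tacos", "Tacos",                                     # 2 more
    "ramen", "pho", "curry", "paella", "bibimbap",
    "jollof", "poutine", "ceviche", "pierogi", "injera",  # 10 unique answers
]

def normalize(answer: str) -> str:
    """Canonicalise an answer the way a recovery check would before comparing."""
    return " ".join(answer.strip().lower().split())

def answer_distribution(answers):
    """Return [(answer, share_of_accounts), ...], most common first."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return [(ans, n / total) for ans, n in counts.most_common()]

def guess_success_rate(answers, guesses: int) -> float:
    """Share of accounts opened by trying the `guesses` most common answers.

    The flatter the distribution, the closer this stays to
    guesses / number_of_distinct_answers; skew pushes it toward 1.
    """
    return sum(share for _, share in answer_distribution(answers)[:guesses])

def assess_question(answers, single_guess_limit=0.05, ten_guess_limit=0.20):
    """Defender-side check: should this question stay in the recovery flow?

    The limits are assumed policy values, not figures from the study.
    """
    one = guess_success_rate(answers, 1)
    ten = guess_success_rate(answers, 10)
    return {
        "single_guess": one,
        "ten_guesses": ten,
        "retire": one > single_guess_limit or ten > ten_guess_limit,
    }

if __name__ == "__main__":
    print(assess_question(SAMPLE_ANSWERS))
```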
What’s Your Favorite Restaurant?
When we do tell the truth, we won’t remember anyway. Users don’t seem to remember their response after the first 72 hours. I went through this recently with AT&T. It was 10 years (or more) since I created my account, and my favorite restaurant then was long gone from my current day preferences. The success rate for the question “Favorite Food?” is 74% after a month, 53% after 3 months, and falls under 50% before a year has passed.
Forty (40) percent of the study’s English-speaking US users were unable to recall their answers when needed. This is significantly lower than the success rate of alternative recovery mechanisms such as SMS reset codes (over 80%).
The data shows it’s next to impossible to find security questions that are both secure and memorable.
SMS and email recovery are currently deployed and continue to perform well, though my experience suggests SMS carries its own obstacles in the form of consumer adoption.
Other alternatives include “preference-based authentication,” where users choose a number of items (16 is recommended) which they strongly like or dislike from a large set of items ranging from “rap music” to “vegetarian food.” These preferences are claimed not to exist in online databases or public records. The downside is that it requires considerably more time to enroll users and authenticate them than individual questions do, which limits its use.
Graphical passwords are another option, such as recognition-based schemes in which a user identifies previously seen images from a set of candidates. Such schemes can be designed with firm security guarantees because the user’s set of images is randomly chosen. However, while there is evidence that such schemes are more memorable than text passwords, they still require additional user training compared to personal knowledge questions and have not seen significant deployment.
The rest of the options are not practical from an implementation or long-term value standpoint. Social media methods are at risk from the public nature of the data and from technologies like face recognition software. Attempts at selecting a set of trusted friends to act as delegates who vouch for a user are just too complex and intrusive.
The authentication system is clearly broken. Innovative solutions are slowly emerging that offer a consumer-friendly approach while adding additional layers of security. It will be interesting to see what the real breakthrough is.