Secret Question Mechanism For Password Recovery Is Weak & Very Risky: Google
Google has conducted one of the most in-depth investigations into the ‘security question’ mechanism that websites use to protect user accounts, and the results are pretty interesting and scary. As per their findings, security questions, whether used as an added layer of security or as a way to recover forgotten passwords, are less secure and more prone to hacking.
In fact, they have concluded that “secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.”
A team from Stanford University and Google collaborated to analyze data from hundreds of millions of security questions and millions of password-recovery attempts, and found that the whole method is riddled with flaws and vulnerabilities. In fact, if you are from the USA and you have set the security question as “What is your favorite food?”, then an attacker has a 19.1% chance of guessing your answer on the first attempt. (It’s pizza, by the way.)
Google introduced the security question as an added layer of security for all Google users in 2013. Along with phone number verification, answering the security question was mandatory to recover the account password or after a suspicious login from a different IP address.
The Paradox of Security Questions
Researchers found that there are mainly two reasons this security-question protocol doesn’t work as effectively as they wished it would:
- The answers are too easy to remember; hence attackers can guess them easily
- The answers are too difficult to remember; hence the genuine user fails to recall them
It seems there is no middle ground to this problem!
Another set of users (37%) deliberately enter false answers to their own security questions, which makes recovery even more difficult because the user usually forgets that fake answer.
And even when the answers are genuine, 40% of Americans fail to recall them during a recovery session.
Easy Questions: Hacker’s Delight
The report lists some common questions chosen by its users and shows how vulnerable they are. For example:
- “What is your first teacher’s name?” If the user is from an Arabic-speaking country, then the attacker has a 24% chance of guessing the correct answer within the first 10 guesses
- “What is your father’s middle name?” If the user is from a Spanish-speaking country, then the attacker has a 21% chance of guessing the correct answer
- “What is your city of birth?” If the user is from a smaller country such as South Korea, then the attacker can guess the right answer 39% of the time within the first 10 guesses
Most Effective & Least Effective Questions
The study also looked at the extremes, and found that:
- “What is your frequent flier number?” has a recall rate of just 9% among English-speaking users
- “What is your father’s middle name?” has a recall rate of 76%, by far the highest.
But again, as per the paradox, very few people will be able to recall the answer to the first question, and almost everyone (including the attacker) will be able to crack the answer to the second.
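To make the “within the first 10 guesses” figures above concrete, here is an added example (not code from the study or from Google) that computes, for a constructed answer distribution, the share of accounts an attacker who simply tries the population’s most popular answers would get within k guesses, and the guess limit a site could allow before exceeding a chosen compromise budget. The sample answers are invented; the function names are this example’s own.

```python
from collections import Counter
import math

# Constructed answers to "What is your favorite food?" for a hypothetical
# user base of 100 accounts (not data from the Google/Stanford study).
SAMPLE_ANSWERS = (
    ["pizza"] * 19 + ["pasta"] * 7 + ["sushi"] * 6 + ["tacos"] * 5
    + ["steak"] * 4 + ["burger"] * 4 + ["curry"] * 3 + ["ramen"] * 2
    + [f"dish{i}" for i in range(50)]  # 50 answers each given by one user
)


def guess_success_rate(answers, k):
    """Fraction of accounts that fall to k online guesses.

    The attacker knows nothing about the individual user and tries the k
    most popular answers across the population; the study's "within the
    first 10 guesses" figures are this quantity with k=10.
    """
    counts = Counter(answers)
    top_k = sum(count for _, count in counts.most_common(k))
    return top_k / len(answers)


def shannon_entropy_bits(answers):
    """Shannon entropy of the answer distribution, in bits.

    Entropy is a poor guide to guessability: a heavy-headed distribution
    scores several bits yet falls to one or two popular guesses.
    """
    total = len(answers)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(answers).values())


def max_guesses_for_budget(answers, max_compromise):
    """Largest guess limit k such that at most max_compromise of accounts
    fall to population-wide guessing. Returns 0 when even the single most
    popular answer exceeds the budget, i.e. no lockout policy makes the
    question acceptable as a standalone recovery factor."""
    total = len(answers)
    cumulative, k = 0, 0
    for _, count in Counter(answers).most_common():
        cumulative += count
        if cumulative / total > max_compromise:
            break
        k += 1
    return k


if __name__ == "__main__":
    print(f"first guess: {guess_success_rate(SAMPLE_ANSWERS, 1):.0%}")
    print(f"10 guesses:  {guess_success_rate(SAMPLE_ANSWERS, 10):.0%}")
    print(f"entropy:     {shannon_entropy_bits(SAMPLE_ANSWERS):.2f} bits")
    print(f"guess limit at 25% budget: {max_guesses_for_budget(SAMPLE_ANSWERS, 0.25)}")
```

On this sample the distribution has about 5 bits of entropy, which would suggest a 1-in-32 first-guess chance, yet the most popular answer alone yields 19% of accounts, so a 25% compromise budget allows only a single guess.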
The Way Forward
One suggested approach is to increase the number of security questions, which drastically reduces the chances of being hacked. But Google said that it deliberately added only one question to its process, because over-burdening users with more answers led to failed password recoveries, and those accounts then stay locked forever.
The most practical and feasible solution the research paper concludes with is that the mechanism should combine SMS, an alternate email address and the security question protocol to safeguard the account.
As per the study, SMS-based password recovery has a success rate of 80%, by far the highest, and alternate email 75%, again far better than the security question protocol. Yes, there are a few cases when the user’s mobile phone is not working (they may be in a foreign location or out of coverage) or, in rare cases, when they have forgotten the password of the alternate email as well.
But leaving aside these minority cases, SMS- and email-based recovery are the best-performing protocols right now. We may see the usage of security questions decline in the coming days.
You can access the Google report titled “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google” here.
What is your favorite method of securing your account? Security question, password, SMS or alternate email?