Google finds security questions are crap because your answers are fake
Apple and other handset manufacturers might be trying to push users to securing their data with biometrics, but the vast majority of services still rely on the good old password. Lots of sites use the idea of memorable data either as a means of locking down accounts, or as a way to gain access to a forgotten password -- the likes of your mother's maiden name, town of birth, favorite color of underwear, and so on.
Research by Google shows that the security question system is failing, and it should come as no surprise that the blame is laid firmly at the door of the likes of you and me. We already know that people are rubbish at picking passwords, but there is also a problem with the answers they provide to security questions. Answers are either too easy for others to guess, or they are made up -- and people are forgetful buggers prone to failing to remember the answers they dreamt up.
As with passwords, the problem with security questions is that a balance needs to be struck between memorability and security. To overcome the problem of being easy to guess or determine (it is, after all, very simple to find out where someone was born, or what their mother's maiden name is), a lot of people simply make up answers to these common questions. Mother's maiden name? Miami Dolphins. Town of birth? Miami Dolphins. Favorite food? Miami Dolphins. Oh yeah... that's the other problem. Just as people have a tendency to use the same passwords again and again, they also tend to use the same made up answers to questions.
Google researchers analysed the password recovery attempts of millions of users and found that a staggering 40 percent of people were unable to provide the correct answers. This ties in with the idea that people are not giving honest answers, as the entire point of a security question is that the answer is supposed to be something unchangeable and unforgettable.
In a paper entitled Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google, researchers found that questions such as "what is your favorite food?" or "what is your father's middle name?" were surprisingly simple to guess. Attackers trying to compromise an account, for example, had a 19.7 percent success rate at guessing a favorite food on the first attempt. The difficulty of recalling data such as one's frequent flyer number or library card number is cited as a reason for people simply making up answers. It appears that those lying with their security answers do so not only to make things easier for themselves, but in the mistaken belief that false information will protect their account more.
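To show why a popular, reused answer like "Miami Dolphins" sinks a question, here is an added example (not from the article or the Google paper) that estimates how many accounts an attacker who simply tries the most common answers would unlock within a given number of guesses. The answer sample and the acceptance threshold are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample of "favorite food" answers (not real data). A handful of
# popular or reused answers dominate, as the research describes, while half
# the users gave something unique.
SAMPLE_ANSWERS = (
    ["Pizza"] * 20
    + ["Miami Dolphins"] * 12
    + ["chocolate"] * 8
    + ["sushi"] * 5
    + ["tacos "] * 5
    + [f"unique-answer-{i}" for i in range(50)]
)


def normalise(answer):
    """Services compare answers loosely, so fold case and trim whitespace."""
    return answer.strip().lower()


def guess_success_rate(answers, attempts):
    """Fraction of accounts opened by an attacker who knows the answer
    distribution and tries the most common answers first, stopping after
    `attempts` guesses (the lockout limit the service enforces)."""
    counts = Counter(normalise(a) for a in answers)
    top = counts.most_common(attempts)
    return sum(n for _, n in top) / len(answers)


def min_entropy_bits(answers):
    """Min-entropy of the answers: the bits of security against the single
    best guess. A first-guess rate of 19.7% is only about 2.3 bits."""
    counts = Counter(normalise(a) for a in answers)
    p_max = max(counts.values()) / len(answers)
    return -math.log2(p_max)


def question_is_acceptable(answers, attempts=3, max_rate=0.05):
    """Defender's check: reject a question if the lockout budget alone lets an
    attacker into more than `max_rate` of accounts. Threshold is illustrative."""
    return guess_success_rate(answers, attempts) <= max_rate


if __name__ == "__main__":
    for k in (1, 3, 5):
        print(f"{k} guess(es): {guess_success_rate(SAMPLE_ANSWERS, k):.0%} of accounts")
    print(f"min-entropy: {min_entropy_bits(SAMPLE_ANSWERS):.2f} bits")
    print("acceptable on its own:", question_is_acceptable(SAMPLE_ANSWERS))
```

On this sample one guess opens 20 percent of accounts and three guesses 40 percent, which is why the paper says such questions should only be combined with other signals.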
The conclusion of the paper is that security questions are, to put it bluntly, crap:
We conclude that it appears next to impossible to find secret questions that are both secure and memorable. Secret questions continue to have some use when combined with other signals, but they should not be used alone and best practice should favor more reliable alternatives.
This is the reason given for Google only using security questions as a last resort, relying instead on SMS recovery codes in the case of forgotten passwords.