Why Security Questions Are Useless And Unsafe

This post is more than a year old. The contents and recommendations in this blog could be outdated.

“In what city were you born? What was your first job? Where did you meet your spouse?” Every person who has an online account to use services or apps has inevitably had to come up with answers to security questions.

In theory, they seem to be a great invention: Before you request a new password for your account, the platform must confirm your identity by asking you to recall the answer to a confidential question you have configured upon registration. There is, however, a significant hole in the logic of this security measure: Generally, the questions are ridiculously shallow.

Obviously, you know your mother’s maiden name - but so do your family members, friends, old teachers, ex-partners, and even the staff at your birth hospital. This ironic genericness of these supposedly confidential security questions prompts a reasonable thought: If a random word or name used as a password already takes hackers less than a minute to guess, what does that tell us about the safety of a keyword that is not even random, but a direct answer to a simply searchable question?

This article discusses the shortcomings of security questions as a protection measure and what you can do to make them stronger.  

The risks of security questions

If you have ever heard of the dangers of simple and reused passwords, you might find that common security questions pose a threat for eerily similar reasons: Sometimes, one lucky guess is all it takes for your data to fall into the wrong hands. Upon gaining access to your account, the criminal is free to exploit your sensitive information in any way they see fit: Whether the attacker intends to commit identity theft, obtain your payment information, or hijack your account, any attack on your account could lead to devastating consequences.

In the following few paragraphs, we elaborate on the most important reasons why these questions are deemed unfit for protecting your data.

Easy to guess

One of the most common criticisms security questions face is the false promise that they inquire about confidential information. In reality, they are nothing short of vague and generic facts that are even likely to be identical amongst multiple users.

According to research by Google, just a single estimate could accurately predict an English-speaking user’s favorite food with 20% accuracy. Similarly easy to deduce are the parents' middle names of Spanish-speaking users and the cities of birth of Korean users. Furthermore, the rates of accurate guesses increase significantly for questions with only a few plausible answers, such as “who is your favorite superhero” or “what is your favorite color?”.

At first glance, these probability rates might not seem too alarming, but remember that the previously mentioned statistics only apply to the success rate of a single guess. Accordingly, these numbers exponentially increase with each additional guess the platform allows. Ultimately, most questions can be cracked in 10 attempts or less.

Easy to look up

It might surprise you how much information you can discover about someone by simply scrolling through their social media profile; their hometown, old elementary school, pet’s name – all of which are coincidentally the subjects of the most common security questions. While a seemingly obvious solution to this problem would be to keep our data private on social networks, unfortunately, inference attacks allow approximating sensitive information from a user’s friends.

Moreover, social media is not the only platform where your information may be accessible: As an example, at least 30% of Texas citizens' mothers' maiden names may be inferred from public birth and marriage records.

Social Engineering

Another common method attackers may use to get a hold of the answers to your security questions is to simply ask you. Of course, this manipulative exploitation technique, also known as social engineering, does not involve the criminal literally asking you to give them access to your sacred information: In reality, this process is often so subtle, that you might not even notice the malicious intent behind the conversation.

But how is this possible? Simply put, humans are naturally inclined to trust people they deem harmless, which is unfortunately a trait ill-wishers can easily use to their advantage. Accordingly, when engaging in casual banter with a nice person you matched with on a dating app, it might not seem out of the ordinary if they ask you where you are from. However, what you do not know is that this small piece of information might have just been the key the hacker needed to gain access to your networks and accounts.

Additionally, it is worth mentioning that the malicious method of social engineering is not limited to the cyber-world either; evidently, people might be even less vary of a seemingly harmless converation, when the second party is standing right in front of them. 

Whether the attack is carried out within the framework of a face-to-face interaction or online, the conclusion always remains the same: The victim shares the needed information or exposes themselves to malware. 

Obtainable via a data breach

Sometimes, accessing the answer to your security question does not require a tactical guess or lengthy research; akin to passwords, phone numbers, and other personal information, security questions can get stolen within the framework of a data breach.

An attacker obtaining your security answers is especially a risky, since thousands of platforms are known to recycle the same couple questions with little to no variety. Thus, answering the same questions across multiple social identities may allow attackers to seamlessly access every account with an identical pre-configured query. 

Making security questions safer

Fake Answer

A seemingly obvious solution to the searchability issue is simply using a made-up answer to your selected security question, which other people cannot verify. Whether you want to type out the alphabet as your phone number or give your mother a fake name, the level of obscurity is yours to pick.

However, it is worth noting that this method only works if you can actually remember the fake answer you came up with. Given that 40% of English-speaking U.S. users could not even recall their truthful question answers on demand, it is safe to assume that remembering a made-up one would be even less convenient.

Furthermore, made-up answers sometimes ironically end up being equally easy to guess since many individuals attempt "harden" their responses in a predictable manner. This phenomenon is primarily a result of individuals being forced to think of a random word on the fly, which usually ends up being a common term they have frequently heard. Thus, merely switching from "red" to "blue" as your favorite color will not be worthwhile.

Honest Answer - With a twist

To reduce the probability of you forgetting a fake answer, you could instead just add some little tweaks to a genuine one – similar to what you would do with a weak password. For example, instead of your favorite food simply being “pizza,” it could be “Pizza123!”. While this answer is undoubtedly harder to crack, you must still make an effort to remember the extra characters you added to make this protection measure effective.

Custom question

If the platform allows you to do so, writing your own security question can be a viable way to make your account more secure. Provided that the self-written query is less generic than the selectable ones, of course.

To make sure your custom security question fulfills its duty, it is recommended for them to meet the following five criteria:  

  • Safe: cannot be guessed or researched
  • Stable: does not change over time (f.e. your favorite song)
  • Memorable: something you can easily recall
  • Simple: is precise, easy, consistent
  • Many: has many possible answers

Ditching security questions completely

Whether you get your account hacked because your question was too simple or you cannot access your own account anymore because you forgot the made-up answer, using security questions is not exactly the pinnacle of user experience. Fortunately, more and more platforms are starting to realize the flaws of this outdated protection mechanism.  

While security questions are slowly becoming obsolete, the concept of secure account recovery is still as crucial as ever. Hence, more and more superior alternatives are emerging that can replace not only security questions but also knowledge factor-reliant authentication systems (f.e. passwords) altogether. To ensure more robust protection of your account, you might want to consider using one of the following passwordless options for authentication or account recovery whenever they are available:

  • Possession factors: An object, such as USB Devices (FIDO2-compliant keys), physical tokens, or your smartphone
  • Biometrics: Physical traits (f.e. Fingerprint scanning or Face-ID) or other characteristics, such as voice recognition
  • One-Time-Passwords: A code sent via text message or an authentication app

Liked it? Share it!