Account recovery via secret questions is a bad idea
Secret questions offer far lower security than user-chosen passwords, and should never be used as the only way to reclaim access to a lost account, Google researchers have confirmed.
After examining a large, real-world data set of personal knowledge questions, they found that users have trouble remembering the correct answers.
One reason for this is that the answers to some of these questions change as time goes by. For example, the success rate for the question “Favorite Food?” is 74% after a month, 53% after 3 months and 47% after a year.
Another reason is that users often provide untruthful answers to secret questions in an attempt to make them either harder to guess or easier to remember. “Ironically of course, this behavior achieves exactly the opposite effect,” they noted.
They also discovered that answers to safer questions are more difficult for users to recall – safer questions being those that need an answer that is unlikely to be guessed or found online by attackers (for example, the user’s first phone number instead of his or her father’s middle name).
There are other problems with security questions: a lot of them have common answers, only a few plausible answers (e.g. “Who is your favorite superhero?”), or publicly available answers (e.g. the information can be found in public records or is provided by the users themselves on their social media accounts). This makes them easy for attackers to guess or look up.
Attackers also often obtain the answers by social engineering the users themselves or their family and friends.
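The “few plausible answers” problem above can be measured before a question is ever deployed: if an attacker simply tries the most common answers in order, the share of accounts opened after k guesses is the combined frequency of the top k answers. The following script is an added illustration of that measurement, not code from the article or from the Google study; the two questions and every answer count in it are constructed sample data, and the phone numbers are fictitious 555 values.

```python
"""Estimate how guessable a secret question is from its answer distribution.

Added illustration, not code from the article or from the Google study.
The answer lists below are constructed sample data: a question with a
handful of popular answers versus one whose answers are all distinct.
"""
from collections import Counter

# Constructed sample data: 100 answers collected for each hypothetical question.
SAMPLE_ANSWERS = {
    "Who is your favorite superhero?": (
        ["Batman"] * 30 + ["Superman"] * 25 + ["Spider-Man"] * 20
        + ["Iron Man"] * 10 + ["Wonder Woman"] * 8 + ["Hulk"] * 4
        + ["Thor", "Flash", "Deadpool"]
    ),
    "What was your first phone number?": (
        [f"555-01{n:02d}" for n in range(100)]  # fictitious, all distinct
    ),
}


def normalize(answer: str) -> str:
    """Canonicalize an answer the way a recovery form would before comparing."""
    return " ".join(answer.lower().split())


def answer_counts(answers):
    """Return (answer, count) pairs, most common answer first."""
    return Counter(normalize(a) for a in answers).most_common()


def success_after_guesses(answers, k: int) -> float:
    """Fraction of accounts opened by trying the k most common answers."""
    counts = answer_counts(answers)
    total = sum(c for _, c in counts)
    return sum(c for _, c in counts[:k]) / total


def guesses_to_reach(answers, target: float) -> int:
    """Smallest k such that the k most common answers cover `target` of accounts."""
    counts = answer_counts(answers)
    total = sum(c for _, c in counts)
    covered = 0
    for k, (_, c) in enumerate(counts, start=1):
        covered += c
        if covered >= target * total:
            return k
    return len(counts)


if __name__ == "__main__":
    for question, answers in SAMPLE_ANSWERS.items():
        print(question)
        for k in (1, 3, 10):
            share = success_after_guesses(answers, k)
            print(f"  top-{k} guesses open {share:.0%} of accounts")
        print(f"  guesses needed to cover half the accounts: {guesses_to_reach(answers, 0.5)}")
```

Run against real answer data, this gives a single number a reviewer can compare across candidate questions; on the constructed data, three guesses open three quarters of the superhero accounts while fifty are needed to reach half of the phone-number accounts. The catch the article describes is that the question that scores well here is also the one users forget, so the score has to be read next to the recall rate rather than on its own.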
“It appears next to impossible to find secret questions that are both secure and memorable,” the researchers concluded. “Secret questions continue to have some use when combined with other signals, but they should not be used alone.”
SMS or email reset codes are far better recovery mechanisms, they pointed out.