Can anyone just guess my security questions?

Add to my custom PDF

Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google

When a user forgets their login information, there must be some way to verify their identity and reset their account. For this verification, some platforms rely on a set of personal knowledge questions such as asking one’s father’s middle name, favourite food, place of birth etc. The questions and answers are defined by the user when they open the account. To regain access to the account, the user must provide answers that match the responses given initially. Although the questions are by nature personal, the answers selected by the user are neither unique to the individual nor immune to guessing. Some questions have common answers, which increases the likelihood of success of mass guessing attacks.

Bonneau et al. examined how security questions are used in Google accounts, to investigate the tradeoff between security and memorability. To study security, the distribution of `hundreds of millions` of actual user secret answers was used to compare the range of user responses to the real-life distribution of accurate answers. To study memorability, data on 11 million account recovery claims from 2013 was used to evaluate the success of personal questions in account recovery. An important aspect of this particular research is methodological; this study had the benefit of data from Google that shows the actual answers given by real-world users, from which the researchers could see which responses recurred. Further, by comparing their real-world data with crowd-sourced information this study has shown that crowdsourcing gives a reasonably accurate approximation of the distribution of actual answers. This means it is possible to crowd-source the most statistically likely answers to personal questions.

The security of personal knowledge questions concerns the frequency of the most commonly provided answers. Some responses are naturally common, especially among some linguistic groups or in a given country. For example, some names are highly popular among Spanish-speakers, perhaps even more so than the most popular names among Anglophones. Similarly, birth city may be heavily skewed in highly urbanized countries with a few large centres; 39% of Korean speakers claim the same city of birth. In other cases, answers are common because users have provided fake answers. Consider responses to the prompt “first phone number”. The real-life distribution of phone numbers dictates no two identical answers. However, almost 3% of the Arabic-speaking respondents provided the same phone number. As this example illustrates, providing false responses actually decreases the security of the personal question; with a single guess, an attacker could successfully hack that 3% of Arabic accounts.

Low memorability means low reliability for successful account recovery. The personal knowledge questions are not a useful tool if the user cannot remember the answers. At best, personal questions provide less than 80% successful recovery for all questions; the rate of successful recovery decreases over time, so the more time elapsed since the questions were set the less likely the user is to remember. Other ways show more promising results. SMS and email-based account recovery increase successful recovery over the personal question method by 20% and 14.5% respectively.

Balancing phrase memorability and security is an open question. Given the limited success with personal knowledge questions, other methods should be explored for more efficient account recovery.

Personal security questions for authentication have a large number of failings and other methods should be explored for more efficient account recovery.