We’ve got an entire series of blogs about the importance of empowering and educating your end users about security, and today I’m going to open up a dialogue with a message that is becoming increasingly popular: security questions are not secure. At least, that is the trending belief right now. Honestly, it isn’t that hard to see why. Think about it like this: when it comes right down to it, having the strongest armor in history won’t do much good if the knight in question doesn’t know how to put it on properly. One slip-up can mean the difference between deflecting an attack and a blade that slips right between the ribs. If security questions are the added layer of armor, and you aren’t using them correctly, then security questions are not secure.
We’re not the only ones who see this as an issue, either. Google, the ever-present search engine giant, has released a report on their online security blog about the vulnerabilities inherent in today’s security question market. More specifically, Google determined that security questions are “…neither secure nor reliable enough to be used as a standalone account recovery mechanism.” With digital security evolving the way it has been in recent years, the push for additional factors and more ‘hack-free’ security is now more forceful than ever. That brings me to my major point of issue with security questions, and what Google seems to point out as their fundamental flaw: the paradox of security and usability. We choose simple answers to avoid the frustration, while still hoping to maintain that extra level of security.
The Problem with Insecure Security Questions
So, let’s break this down, shall we – why do Google and everyone else seem to think that security questions are not secure? It’s really not too difficult to see. Go ahead and try to reset one of your e-mail passwords. It doesn’t really matter which one.
Go ahead, I’ll wait.
Chances are, you are going to be asked to take various actions to verify your identity, such as using a previously set up secondary verification mode (SMS or e-mail verification) or by answering some preconfigured questions about your personal life. If you get the option for the latter, the screen you see will undoubtedly look something like this:
Picture Courtesy of Apple.com
Immediately upon seeing the security questions, you think: Great, now which answers did I choose four years ago when I set this up?
That’s the beginning of the problem: the relationship between memory and recall. What ends up kicking us when we are down is the way we pull this information to the surface when we need it. Carolyn Jewel has a nice little Rant about Security Questions that illustrates the frustration pretty neatly. In particular, Carolyn makes a fine point about halfway through her article: “…now the right answer is a LIE.”
That is sort of chilling; thinking that what is true can be false by virtue of time. Unfortunately, that’s the case with security questions. They focus primarily on what is true during the creation of the security question answers, without any regard for how those answers may change in the future. Of course, you almost always have an opportunity to change your answers, but you rarely think of it until you actually need to.
So what do we do to combat this issue, as end users who value convenience and simplicity on our end? We choose simple answers that we will remember no matter what, even if they don’t really make the most sense with the question being asked.
Case in Point – Sure, it might not be our favorite food per se, but we all love pizza. When asked the question ‘What is your favorite food?’, a vast majority of people choose pizza as their answer. The logic is quite simple to follow: hey, I’ll remember pizza, no matter what. If you follow this solution, however, you run into a slightly big problem: you are not the only one who thinks that way. That’s part of the reason that security questions are not secure – human nature has broken them down. Well, human nature and ruthless attackers.
But, why do we even need a solution in the first place? What makes remembering something like the accurate answer to a security question such a big deal?
Despite everything else, the brain is part of the issue when it comes to remembering information specific to ourselves over large spans of time. It is important to understand how the brain works throughout all of this. Even if you have absolutely perfect memory, just short of photographic, can you truly be expected to recall the answers to the questions you submitted years ago? In all honesty, the answer is quite simple:
Ashish Ranpura over at Brain Connection equates the way we remember information to a more easily accessible image, geography: “…the physical stuff we’re made of reflects our history like mountains reflect geologic eras.” What we’ve got inside of us, inside of our brains, changes over time. How we live directly affects how we remember all of the events that have transpired in our own personal history.
Just as one near-fatal battle can forge a stronger warrior, the events of your existence transform how your brain draws upon those experiences for use in the future. Each security question comes preconfigured to ask you something personal about yourself to verify who you are at one moment in time. We are each of us the sum of our parts, and modern security has yet to take that into account for a more secure login.
What’s more, security questions are almost invariably vague. I mean, seriously, just look at some of these:
Picture Courtesy of blogs.gartner.com
The answer to any given security question can almost always be one of two or more different choices. Even such questions as ‘What was the name of your high school?’ or ‘What was the name of your first pet?’ can have various answers for one person.
If I moved around a lot and attended three different high schools, how do I know which one I put for my answer on site A? Sure, I had 3 cats and a dog growing up, and my mom brought them home around the same time – so which was my first pet? Or maybe I put the first pet I owned after getting my own place?
There are so many choices because the questions are so vague to begin with. It’s no real surprise that Google and others equate security questions to the same weakness that they give passwords in our current digital age. If we admit that weakness, it’s terribly simple – security questions are not secure. It’s an unfortunate truth, it seems.
Of course, some of these annoyances are there specifically to deter attackers, and make it harder for hackers to break through your secure front door. That’s perfectly fine in theory.
Yeah, I said it. In theory.
In practice, the reality is anything but perfect, or even ‘fine’ by normal security standards. Google’s report, Secrets, Lies, and Account Recovery, found that, depending on the user’s language and the number of guesses allowed (typically between one and ten), attackers often had around a 20% success rate at simply guessing the correct answers to standard security questions. Now sure, 20% seems rather low, but that’s really one in every five.
One in every five.
That is how likely an attacker is to break through your front lines if there is nothing but a standard security question between them and their end goal. It’s like bolstering the front line with a horde of untrained swordsmen when you’re battling an army of trolls and orcs. Sure, they might stop a large handful of them, but the ones who get through are going to destroy your city before your army even knows what happened.
It brings us back to the paradox again, as is the nature of the issue. Security questions are not secure because we all crave simplicity and ease of use over frustration.
Convenience is just something that we all desire throughout the layers of our protection. We want things to be easy, but we fail to realize that what makes it easier for us, makes it easier for those who want to break in.
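To make the “pizza” problem and the one-in-five figure concrete, here is an added Python example (mine, not code from the post or from Google’s study) that measures how much of an enrolled population a fixed number of blind guesses would cover, and refuses overly common answers at enrollment. The sample answer population, the 2% denylist threshold and the minimum length are assumptions.

```python
from collections import Counter

# Constructed sample of "favorite food" answers standing in for a real
# population of 100 enrolled users (not data from the post or Google's study).
SAMPLE_ANSWERS = (
    ["Pizza"] * 35 + ["chicken"] * 12 + ["pasta"] * 8 + ["sushi"] * 6
    + ["tacos"] * 5 + ["steak"] * 4 + ["curry"] * 3 + ["ramen"] * 2
    + ["pho", "haggis", "injera", "borscht", "gumbo",
       "kimchi", "paella", "tamales", "dosa", "pierogi",
       "fondue", "moussaka", "bibimbap", "couscous", "laksa",
       "goulash", "ceviche", "cassoulet", "jambalaya", "shakshuka",
       "falafel", "rendang", "feijoada", "poutine", "arepas"]
)


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Pizza ' and 'pizza' count as the same guess."""
    return " ".join(answer.strip().lower().split())


def top_k_coverage(answers, k: int) -> float:
    """Fraction of users whose answer is among the k most common answers,
    i.e. the share an attacker would hit with k blind guesses per account."""
    counts = Counter(normalize(a) for a in answers)
    covered = sum(n for _, n in counts.most_common(k))
    return covered / len(answers)


def build_denylist(answers, threshold: float = 0.02) -> set:
    """Answers chosen by at least `threshold` of users are refused at enrollment
    (threshold is an assumed policy value)."""
    counts = Counter(normalize(a) for a in answers)
    return {a for a, n in counts.items() if n / len(answers) >= threshold}


def check_answer(answer: str, denylist: set, min_len: int = 4) -> list:
    """Return the policy violations for a proposed answer; an empty list means accepted."""
    a = normalize(answer)
    problems = []
    if len(a) < min_len:
        problems.append("too short")
    if a in denylist:
        problems.append("too common")
    if not any(c.isalpha() for c in a):
        problems.append("no letters")
    return problems


if __name__ == "__main__":
    deny = build_denylist(SAMPLE_ANSWERS)
    print(f"1 guess covers {top_k_coverage(SAMPLE_ANSWERS, 1):.0%} of users")
    print(f"10 guesses cover {top_k_coverage(SAMPLE_ANSWERS, 10):.0%} of users")
    print("pizza ->", check_answer("Pizza", deny), "| haggis ->", check_answer("haggis", deny))
```

With the constructed population, a single guess of “pizza” already covers 35% of accounts and ten guesses cover 77%, which is why the denylist rejects the answers that more than a sliver of users share.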
The Weakest Link – Security Questions Are Not Secure
So aside from the complexity of answering the questions correctly in a timely manner, what is the real issue here? You’re probably thinking: If I don’t choose simple answers and I actually make an effort to pick answers specifically to me and nobody else, won’t that keep me with a strong, secure login?
I hate to play devil’s advocate here, but the issue with weak security questions is the same as the issue with weak passwords. Take a look at what Symantec has to say about strengthening your security: “…it is alarmingly easy for hackers to obtain personal information about prospective targets. As such, it is strongly recommended that users not include such information in their passwords.” The same can be said about security questions. They rely heavily on personal information, which hackers are already trained and comfortable with obtaining. There isn’t much point putting a padlock on the front door if the same pick opens both locks. All it takes is access to one, and the other is nothing more than a slight nuisance.
But don’t fret. Sure, you can say that security questions are not secure, but that’s only when they are used alone. Pairing security questions with a flexible security solution that draws on several forms of authentication, including SMS and e-mail verification, puts you in a far stronger position.
Come on, you wouldn’t rush into battle with just a shield; you run in wearing full plate armor, brandishing a notched, well-worn sword and a dinged up shield. You race to the front lines with a defense that has proven itself time and time again, and security questions just don’t cut it.
So I guess what I’m saying here is this: take a hint from the big guys, and don’t rely on security questions alone to protect your information online. It can be your personal information, like credit cards or communication, or it can be business e-mail protected behind a login window – either way, make sure your security is stronger than a set of locks that can be opened with the same key. Do not give your enemies any leverage. If security questions are not secure, install a new series of defenses to push the horde back even farther. Remember, your foe will not shy away, and neither will you. Stand your ground, and let the enemies fall, useless against the strength of your shields.
Picture courtesy of wallpaperswide.com; credit to Warner Bros, and Legendary Pictures