Security questions are widely used as a form of authentication, especially as a backup if you forget your password. However, the way you authenticate a password reset should be as good as, if not better than, the password itself. We think that security questions just don't fit that brief, and the research agrees.
Whatever you are using them for, we think that you should carefully consider whether security questions offer enough protection for your service. Look at the alternatives that are available, and if security questions really are the best option for you, then take care setting them up. Making them difficult for attackers - and as painless as possible for your users - is not as easy as it sounds. Try applying the criteria for a strong password: hard to guess, easy to remember, not used anywhere else and much longer than a single word. Any good security solution should also minimise the effort and stress required to use it correctly.
Can an attacker guess the answer?
If your security question asks for a fixed piece of information, you should assume the attacker can guess the answer. Questions like 'What is your mother's maiden name?' or 'What is your postcode?' are all easy to research, especially considering the widespread use of social media. We can encourage users to lock down their own social media accounts to restrict the number of people and apps that can view their data, but even a silly little quiz could be used to engineer access to information such as their date of birth. Users can't lock down the accounts of their friends and family, and in any case the information may be widely available in open source databases that the user has no control over.
It can also be very easy to guess 'What is your favourite?' questions if the pool of possible answers is small. An attacker could just try the most obvious answers and see how many hits they get. Research has shown that questions used by major web services can be easily guessed, with acquaintances getting the correct answer 17% of the time. Just by using popular answers, researchers guessed 13% of the answers within 5 attempts. These might seem like quite small percentages, but if you have a large number of users then even 1% could be enough to make it worthwhile for the attacker.
As well as the traditional static questions, some sites use dynamic security questions. These are automatically generated from data the service already holds and should change over time. Dynamic questions raise the bar a bit, but they still aren't foolproof. For example, consider if your bank asked you for the value of your most recent gas bill to within £10. Your bill is likely to fall within an easily definable range, and with a large margin of error the number of possible answers could be very low. It could be even easier to predict if the attacker has information about where you live. Other information (such as the city where you last used a particular card) might be guessable from your social media.
Can your user remember the answer?
I don't know about you, but I don't have a particular film, food or actor that is my favourite above all others. If I'm asked to name one I just give the answer that pops into my head at that moment and next time you ask me it will probably change. So how am I supposed to remember what I've said 6 months or a year from now? One study showed that 20% of answers were forgotten over a 6 month period.
Even if a user remembers the answer, they can forget how it was entered. Was their first school called Town, town, Town School, Founder's School, Church of England School in Town, Town Primary School or even Ysgol (the town's name in Welsh)? They might all be the same place in your user's head, but to an authentication tool without an intelligent way of processing answers they are very different, and only one of them is right.
With dynamic questions the user doesn't need to memorise a particular answer, but they do need to be able to remember the event that the question asks about. Questions can't be too obscure and there needs to be a margin of error given for genuine mistakes.
Is the answer used elsewhere?
Most people only have one mother. If a user wants to give different answers to the mother's maiden name question on different websites, or is required to change answers after a breach, they will have to make up a fake mother. Who can keep track of all of their fake mothers? It's hard enough remembering all of my real family.
The serious point is that if you are using the same security questions as another service, the answers given by the user may well be the same, and a breach at the other service could put you at risk. It has also been shown that making up answers may actually make the answer easier to guess, because we make up new answers in really predictable ways.
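The three points above (answers that differ only in how they were typed, answers that are popular enough to guess in a few attempts, and answers that may be reused at a breached service) can all be addressed at the point where the answer is stored and checked. The following is an added example, not code from the original post: the filler-word list and the popular-answer list are constructed for illustration, and a real service would tune both.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Generic words that users add or drop inconsistently, so "Town School",
# "Town Primary School" and "town" all compare equal. Constructed list.
FILLER = {"school", "primary", "secondary", "church", "of", "england",
          "the", "in", "st", "saint"}

# Constructed list of answers an attacker would try first (see the 13%
# within 5 attempts figure above); a real list would be far longer.
POPULAR_ANSWERS = {"smith", "jones", "red", "blue", "pizza"}

PBKDF2_ROUNDS = 200_000


def normalise(answer: str) -> str:
    """Fold case, strip accents, apostrophes and punctuation, drop filler."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    text = re.sub(r"['\u2019]", "", text)          # Founder's -> founders
    words = re.findall(r"[a-z0-9]+", text)
    core = [w for w in words if w not in FILLER]
    # An answer made only of filler words keeps its words rather than becoming "".
    return " ".join(core or words)


def is_weak(answer: str, min_len: int = 4) -> bool:
    """True if the normalised answer is short or on the popular-answer list."""
    norm = normalise(answer)
    return len(norm) < min_len or norm in POPULAR_ANSWERS


def enrol(answer: str) -> tuple[bytes, bytes]:
    """Store the answer like a password: salted and slow-hashed, never in clear."""
    if is_weak(answer):
        raise ValueError("answer is too short or too common")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(answer: str, salt: bytes, digest: bytes) -> bool:
    """Normalise the attempt the same way and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(),
                                    salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)
```

Hashing the stored answer means a breach of your service does not hand the attacker an answer the user has probably reused elsewhere, and the normalisation step is where the "intelligent processing" of spelling variants lives.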
Will the answer be long?
Putting a minimum length on the answers seems like a sensible idea. After all, making a password longer is the best way of increasing its strength. However, if you've asked for a specific piece of information then the correct answer might be short. What if my favourite colour is red or blue, my mother's maiden name is Smith or Jones and my best friend's middle name is Jo or Sam? Would you approve of any of these as passwords?
Does this method require effort or cause stress?
There's an assumption that all security questions are simple to answer. However even the most innocent question may not have an easy answer for some people. A user may not know their mother's maiden name or may not have a spouse (which may be delicate subjects). Some services let a user choose their own question, increasing the effort required to set it up. Don't assume that a user will go out of their way to choose the best, most secure answer. They probably want to get on with using your service and setting up security questions just gets in the way. If you don't make your authentication easy, users will make it easier for themselves by defaulting to the simplest (and likely weakest) question and answer.
The lack of effort required from the user is where dynamic questions really come into their own. Since you are asking a user about information the service already has, your users don't need to spend time setting anything else up. However, as the service designer you do have to spend a lot of effort setting up dynamic questions:
- You need to have a way to auto-generate questions using information that you already hold, and which changes frequently.
- All your users need to have provided suitable information, although some may use your service very differently to others.
- The questions need to be easy to answer by the genuine user, which requires an intelligent way of handling different correct answers.
- You also need to think about what the attacker will see: could an auto-generated question give away information that the user may not want you to share?
Answering the questions can also require a lot of effort from the users. When multiple questions are asked at the same time, with no indication of which question has been answered incorrectly, every combination of possible answers needs to be tried. Obviously this is done to make it harder for the attacker, but how many combinations of possible favourite films and teachers will a user try before they give up and find a plan B?
So should I use them?
Security questions offer a small speed bump of security: probably enough to deter a casual opportunist, but no real barrier to someone more determined. There may be scenarios where you only need that speed bump, because the thing you are protecting isn't particularly critical*. They could be combined with other authentication methods to provide an effective barrier to most attackers. There are some advantages to security questions. They allow a user to change their password without having to leave the website, and they work even if a user has lost access to the email address they used to set up the account.
If you are looking for a way to automatically reset passwords because the number of manual resets is too high, consider making it easier for people to remember their passwords in the first place. Removing obstacles such as password expiry dates can reduce the number of forgotten passwords in your organisation. You can also create official password storage policies, such as an approved password manager or a recommended method of storing handwritten passwords. This may reduce the number of password resets required to the point where you don't really need an automated system.
If you do decide to use security questions, consider all the security and usability points we've made above. There's no easy recipe to make a perfect security question, but some are better than others. Taking steps such as giving a choice of questions to the user or processing the answers in an intelligent way can make them more usable. Avoiding questions with answers that are easy to research or guess will improve security. If you find you are having to choose between security and usability then consider what is appropriate for your service; how secure does it need to be and how much effort are your users really willing to spend?
With all the data collected by online services, we have the ability to move beyond the old static security questions and instead create dynamic and intelligent authentication methods. This doesn't always have to be text or numerical data: services may hold other information, such as photos or locations, that can be used to make the questions much more intuitive and accessible (taking privacy into consideration, of course). We need to be aware of the flaws of security questions, and they should never be used as the default solution just because they are common and apparently easy to implement. But used well and appropriately, there may still be a role for security questions in the world of online authentication.
Sociotechnical Security Researcher
*Although, if this is the case, you might want to reconsider the usability of your security. Do you actually need a password for this service? Is the effort of setting up and remembering the answer actually worth it for the level of security you need?