What Makes Security Questions Horrible At Security

On May 21, 2015, Google published research on the security-question scheme as a whole. It turns out that “what was your first pet’s name?” can be the single weakest link in your account security, handing the account to an attacker on a silver platter. You can choose a password that is practically impossible to guess, but recovery questions are designed so that you can answer them easily, and that cuts the other way: they work tolerably when your answer is obscure enough that nobody else would guess it, and horribly when your pet has a very common name like “Max” or “Spot,” because an attacker only has to try a short list of popular answers. If you named your dog “Ulysses” or “Peruggia,” you stand a chance, though not a great one. Option B is to lie about the answer (replying “Offram Klingmanstein III” when asked for your mother’s maiden name), which turns the answer into what is effectively a second password. The problem is that you now have yet another secret to remember, and recalling an answer you made up is every bit as hard as recalling the password you forgot in the first place. That is not a solution but an added burden.

What Should Replace These Questions?

Beyond the security problems the questions introduce, they also confuse people who genuinely cannot recall the city they were born in or the name of their first pet (it does happen). And the people who know you well, the ones most likely to know your pet’s name or your mother’s maiden name, can walk straight into your account with this method. Hopefully we’ve reached the conclusion by now that something needs to replace the “secret answer.” Fortunately there are good contenders, one of the best being a second factor: something you have rather than something you know. The “secret answer” method was invented before people commonly carried cell phones that could receive SMS messages; today virtually everyone with Internet access has one (roughly 6.8 billion mobile subscriptions for 7 billion people). Google has adopted a recovery method along these lines: a one-time code sent by SMS to the phone number on file. Those without a phone can register a backup email address, either their own or a trusted person’s, and receive the code there instead. This makes it very difficult to “guess” one’s way into an account without the user’s phone, because a random code with a short lifetime and only a handful of permitted attempts has no popular answer to try. Using a possession factor for recovery solves two things at once:

1. You minimize the risk of a person not remembering their “answer,” since the unique SMS code is handed to the user on request.
2. You make recovery far harder to break, since the attacker needs a physical object the user owns rather than a fact about them. It is not unbreakable: an attacker who takes over the phone number itself, through SIM-swap fraud, receives the code too, so the number on file deserves the same protection as the account.
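Here is what the server side of such a recovery code looks like, as an added example that is not part of the original post and not Google’s implementation. The class and function names, the six-digit format, the ten-minute lifetime and the five-attempt limit are assumptions chosen for illustration. The point it demonstrates is why the code is hard to “guess”: it is random, stored only as a keyed hash, valid once, and burned after a few wrong attempts, so there is no “Max” or “Spot” to try.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed policy values for this example (not from the original post).
CODE_DIGITS = 6              # 10**6 possible codes
CODE_TTL_SECONDS = 10 * 60   # a code is good for ten minutes
MAX_ATTEMPTS = 5             # wrong guesses allowed before the code is burned


@dataclass
class PendingCode:
    code_hash: bytes       # HMAC of the code; the clear code is never stored
    expires_at: float      # absolute time (seconds) after which it is dead
    attempts_left: int = MAX_ATTEMPTS


class RecoveryCodes:
    """Server side of SMS/email one-time recovery codes (illustrative)."""

    def __init__(self, server_key: bytes):
        self._key = server_key   # server-held secret, e.g. pulled from a KMS
        self._pending = {}       # user id -> PendingCode (one live code per user)

    def _digest(self, user: str, code: str) -> bytes:
        # Keyed hash bound to the user: a leaked table can neither be
        # brute-forced offline nor replayed against another account.
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str, now: float) -> str:
        """Create a fresh code for `user`. The return value goes to the SMS
        gateway (or backup email) and is kept nowhere in the clear."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Issuing a new code replaces any older one, so at most one is live.
        self._pending[user] = PendingCode(self._digest(user, code),
                                          now + CODE_TTL_SECONDS)
        return code

    def verify(self, user: str, code: str, now: float) -> bool:
        """True exactly once for the right code, within its lifetime and its
        attempt budget; anything else is False and may burn the code."""
        pending = self._pending.get(user)
        if pending is None:
            return False
        if now > pending.expires_at:
            del self._pending[user]          # expired: gone for good
            return False
        pending.attempts_left -= 1
        ok = hmac.compare_digest(pending.code_hash, self._digest(user, code))
        if ok or pending.attempts_left == 0:
            # Single use on success; on the last failed attempt the code is
            # burned, so an attacker gets at most MAX_ATTEMPTS guesses out of 10**6.
            del self._pending[user]
        return ok


def online_guess_odds(attempts: int = MAX_ATTEMPTS, digits: int = CODE_DIGITS) -> float:
    """Probability that an attacker without the phone wins within the attempt
    budget, given uniformly random codes. Contrast this with a pet-name question,
    where a few popular names cover a large share of real answers."""
    return attempts / (10 ** digits)


if __name__ == "__main__":
    rc = RecoveryCodes(b"example-server-key")
    code = rc.issue("alice", now=0.0)
    print("sent to alice's phone:", code)
    print("wrong guess accepted?", rc.verify("alice", "000000", now=5.0))
    print("right code accepted?", rc.verify("alice", code, now=10.0))
    print("replay accepted?", rc.verify("alice", code, now=11.0))
    print("attacker odds within budget:", online_guess_odds())
```

In production you would also rate-limit how often a code can be issued per account and per phone number (to stop SMS bombing and to keep the attempt budget from being reset by re-requesting), and log every burned code as a signal that someone is guessing.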

Can you think of something else to replace the secret answer method? Leave your thoughts in a comment below!