Are Security Questions Secure Enough To Protect Your Account?
The answer, according to Google security blogger Elie Bursztein, is a straight “No.” Security questions, the blog argues, are either easy to remember or secure, but rarely both. More than 75% of people prefer the former, which leaves their accounts vulnerable to attackers. Popular websites such as Yahoo, Hotmail and even Facebook rely on security questions to recover lost passwords. Sometimes these questions are also used as an additional layer of security against suspicious login attempts, yet their effectiveness is seldom questioned.
Questions like “What is your favourite food?” are very easy to guess. In fact, “favourite food” is the question users choose most often, despite how easy it is to guess: according to the Google Security Blog, 19.7% of the answers to it were “Pizza.” The blog also found that 37% of people intentionally provide false answers, but those are still easy to guess, because the people trying to crack these questions reason the same way the users did when choosing a fake answer.
Though difficult questions are safer, they are also very difficult to remember. An average internet user answers 2 security questions a year, so if you’ve set a difficult question, you’ll almost certainly have forgotten it after 6 long months. The blog presented statistical data supporting this: 40% of American users had forgotten what their security questions were, let alone the answers.
The solution?
Thankfully, there are some solutions.
- The most secure option is 2-factor authentication. After you’ve answered your security question and set a new password, you have to log in again, and that is where 2-factor authentication comes into play. After clicking the “login” button, your device asks for a PIN, which automatically changes after every fixed interval. Hence, even if someone cracks your security question, they cannot log in without the PIN.
- Another option, according to the blog, is for site owners: they should send a one-time password (OTP) by SMS or e-mail along with the questions.
- A somewhat less safe option is having multiple security questions. Having two questions instead of one greatly reduces the risk. If two easy questions each have a 25% probability of being guessed within ten attempts, then the possibility of guessing both together drops to just 2%.
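The site-owner side of these recommendations, as an added Python example that is not from the article or from Google’s blog: reject the most common answers at enrollment, require a one-time code alongside the answer during recovery, and enforce a fixed guess budget. The common-answer list, the second guess rate and the OTP value are constructed sample data; the answer comparison treats answers as independent, as the two-question argument does.

```python
# Added example: defensive checks for a security-question recovery flow.
# COMMON_FOOD_ANSWERS, the 0.05 second-question rate and the OTP below are
# constructed sample values, not figures from Google's research.
import hmac
import unicodedata

# Constructed denylist for "What is your favourite food?"; the article reports
# that "Pizza" alone accounted for 19.7% of real answers.
COMMON_FOOD_ANSWERS = ["pizza", "pasta", "chicken", "sushi", "chocolate"]


def normalize_answer(answer: str) -> str:
    """Fold case, accents and spacing so trivial variants match the denylist."""
    folded = unicodedata.normalize("NFKD", answer)
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    return " ".join(folded.lower().split())


def is_weak_answer(answer: str, common_answers) -> bool:
    """True if the answer should be rejected at enrollment as too common."""
    return normalize_answer(answer) in {normalize_answer(a) for a in common_answers}


def guess_success_probability(per_question_rates) -> float:
    """Chance an attacker gets every question right within the same guess
    budget, treating the answers as independent (product of the rates)."""
    p = 1.0
    for rate in per_question_rates:
        p *= rate
    return p


class RecoveryAttempt:
    """Recovery needs the right answer AND the one-time code, and locks after
    max_guesses failed attempts (the article's 'ten attempts' budget)."""

    def __init__(self, secret_answer: str, otp: str, max_guesses: int = 10):
        self._answer = normalize_answer(secret_answer)
        self._otp = otp
        self.remaining = max_guesses
        self.locked = False

    def attempt(self, answer: str, otp: str) -> bool:
        if self.locked or self.remaining <= 0:
            self.locked = True
            return False
        self.remaining -= 1
        # Constant-time comparisons avoid leaking how close a guess was.
        answer_ok = hmac.compare_digest(normalize_answer(answer).encode(), self._answer.encode())
        otp_ok = hmac.compare_digest(otp.encode(), self._otp.encode())
        ok = answer_ok and otp_ok
        if not ok and self.remaining == 0:
            self.locked = True
        return ok
```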