Are Security Questions Secure Enough To Protect Your Account?

Well, the answer according to Google Security blogger Elie Bursztein, is a straight “No.” Security questions, according to the blog, are either easy-to-remember or secure, but rarely both. More than 75% people prefer the former making them vulnerable to getting their account hacked. Popular websites, like Yahoo, Hotmail, and even Facebook rely on security questions to retrieve lost passwords. Sometimes these questions are used as an additional layer of security against suspicious login attempts, but the effectiveness of these questions are seldom questioned.
Easy questions, like “What is your favorite food?” are more likely to be guessed. In fact, “favorite food” is the most common question set by a user, and is the most easily guessed one too. According to Google Security Blog, 19.7% answers were “Pizza.” According to them, 37% people intentionally provide false answers, but are equally likely to be guessed as the people who try to crack down these questions too think in the way the users must have.
Though difficult questions are safer, they are very difficult to remember. An average internet user answers 2 security questions a year, so if you’ve set a difficult questions, you’ll certainly forget it in 6 long months. In fact, the blog too presented a statistical data supporting this argument, according to which 40% of the American citizens forgot what their security questions were, let alone the answers.
The solution?
Thankfully, there are some solutions to it.
- The most secure of it all is the 2-factor authentication. After you’ve answered your security question and set a new password, you’ve to login again. And when you do it, it is where the 2-factor authentication comes into play. After clicking the “login” button, you’ll be asked a pin, which automatically changes after every fixed intervals. So even if someone has cracked your security question, they can’t login unless they have the pin.
- Another option, according to what the blog said, is for the site owners. They must have some OTP sent over in the form of SMSs or e-mails along with the questions.
- A bit less safe option is having multiple security questions. Having two questions instead of one greatly reduces the risk. If two easy questions each having a probability of being guessed in ten attempts is 25% each, then the possibility that they’ll be guessed together reduces to a whopping 2%.