A Closer Look: How Secure Are Account Recovery Security Questions?

by Brad Garland

While businesses attempt to protect private and sensitive information from cyber attack in many ways, one of the most common methods is passwords. Passwords are considered a good strategy for protecting information on devices and Internet-based accounts because they require specific knowledge to gain access. 

The drawback to using passwords for identity access management, however, is that they are often forgotten. Companies commonly deal with password recovery by using recovery questions that, when answered correctly, allow a user to obtain or change a forgotten password. But are account recovery questions secure?

While it might appear that security questions are a smart way to keep information safe, a recent Google report shows that most answers to access questions are very easy to guess, making them a vulnerability when protecting identity and information. Not only are they ineffective in adding a second layer of protection, they are not even an effective recovery strategy for people who forget their passwords.


What Makes Security Questions Unsafe?

One of the main reasons security questions are not particularly safe is that the answers are remarkably easy to guess. According to Google's report, someone attempting to break into a password-protected account would have a 20 percent chance of correctly guessing that the average English-speaking user's favorite food is pizza and a 40 percent chance of guessing the birth city of a Korean user.


What If Users Choose Trickier Answers?

Many users believe that if they lie about their recovery answers — and about 37 percent of people admitted lying — the answers will be harder to guess. Unfortunately, just the opposite happens. When people lie to make answers harder, they do so in a very predictable way. Research shows that account recovery answers tend to either be very secure or very easy to remember — and rarely both — making them an inconvenient and clunky authentication method.


Does Adding Multiple Questions Help?

Some companies use a multi-question recovery process to further protect identity access. In reality, this strategy is quite helpful when it comes to protecting accounts. Again according to Google, while an attacker's chance of correctly guessing an answer to one question is 14.6 percent, the rate drops to about 1 percent when a second question must be answered. One drawback is that when there are two account recovery questions, users also have a harder time remembering both of their answers; the likelihood that they remember drops from 75 percent to 59 percent.

Passwords, if used thoughtfully, can be safe, but the smartest and most secure approach is using one-time codes to protect information and identity access from any of the growing number of cybersecurity risks. By sending codes via text message or email that can only be used once for a login, companies can ensure only legitimate users are logging into accounts and systems, and that no information ends up in the wrong hands.
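To make the single-use code flow concrete, here is an added example (not code from the article or from Vala Secure) of how a server might issue and redeem such a code: generated from a CSPRNG, stored only as an HMAC, expiring after a short window, limited in guess attempts, and invalidated on first use. The ten-minute lifetime, five-attempt limit and eight-digit length are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60            # assumption: a code is valid for ten minutes
MAX_ATTEMPTS = 5                      # assumption: lock the code after five wrong tries
SERVER_KEY = secrets.token_bytes(32)  # constructed per-process key; a real service would persist one

_pending = {}  # user -> {"tag", "expires", "attempts", "used"}; in-memory store for the example


def _tag(code: str) -> bytes:
    # Store an HMAC of the code rather than the code itself, so a leaked store
    # does not hand out usable codes.
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).digest()


def issue_code(user: str, now=None) -> str:
    """Create a fresh 8-digit code for `user`; the caller delivers it by SMS or email."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**8):08d}"          # unbiased, CSPRNG-backed digits
    _pending[user] = {"tag": _tag(code), "expires": now + CODE_TTL_SECONDS,
                      "attempts": 0, "used": False}
    return code


def redeem_code(user: str, submitted: str, now=None) -> bool:
    """Return True exactly once, for the correct code within its lifetime."""
    now = time.time() if now is None else now
    entry = _pending.get(user)
    if entry is None or entry["used"] or now > entry["expires"]:
        return False                                  # unknown, replayed or expired
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        return False                                  # too many guesses: code is dead
    # compare_digest keeps the comparison constant-time so the match position
    # is not observable through response latency.
    if not hmac.compare_digest(entry["tag"], _tag(submitted)):
        return False
    entry["used"] = True                              # single use: a second redemption fails
    return True
```

The example keeps state in a process-local dictionary; a deployment would back it with a shared store and record issue and redemption events for monitoring.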

Do you want more information about how to keep your company's information safe? Get in touch with us at Vala Secure, where we offer IT security solutions to a wide range of clients and organizations to ensure their information remains confidential and protected.



Image courtesy of Google.