Tuesday, February 9, 2016

Google Deprecated “Security Questions”

Google (in 2015):

As part of our constant efforts to improve account security, we analyzed hundreds of millions of secret questions and answers that had been used for millions of account recovery claims at Google. We then worked to measure the likelihood that hackers could guess the answers.

Our findings, summarized in a paper that we recently presented at WWW 2015, led us to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism. That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both.

[…]

For years, we’ve only used security questions for account recovery as a last resort when SMS text or back-up email addresses don’t work and we will never use these as stand-alone proof of account ownership.

In parallel, site owners should use other methods of authentication, such as backup codes sent via SMS text or secondary email addresses, to authenticate their users and help them regain access to their accounts. These are both safer, and offer a better user experience.

Via John Gordon:

FWIW my security question ‘Fake Answers’ are basically unique random passwords - secure but a royal pain to manage.
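Google's conclusion above rests on measuring how often an attacker who knows only which answers are popular would recover an account within a few guesses, and John Gordon's remark shows the other end of the trade-off: answers that are really random passwords. The following added example (not Google's code or data, and not from the paper) makes that measurement concrete: it computes the k-guess success rate over a constructed set of "favorite food" answers and contrasts it with randomly generated answers. The answer list, the `k_guess_success_rate` and `random_answer` functions, and the sample sizes are all assumptions made for illustration.

```python
"""Estimate how guessable a pool of security-question answers is.

Added example, not Google's code: given the answers a population of users
chose for one secret question, compute the share of accounts an attacker
would unlock by trying the k most popular answers.  This is the kind of
measurement behind the "neither secure nor reliable" finding quoted above.
"""
from collections import Counter
from secrets import token_urlsafe

# Constructed sample: "favorite food" answers from 20 imaginary users.
# The skew (a few answers dominate) is what makes human-chosen answers weak.
FAVORITE_FOOD_ANSWERS = [
    "pizza", "Pizza", "pizza", "pizza ", "pizza",
    "sushi", "sushi", "sushi", "tacos", "tacos",
    "pasta", "pasta", "curry", "burger", "burger",
    "ramen", "steak", "salad", "bbq", "noodles",
]


def normalize(answer: str) -> str:
    """Match answers the way a recovery form usually does: ignore case and
    surrounding whitespace, so "Pizza " and "pizza" count as the same answer."""
    return answer.strip().lower()


def k_guess_success_rate(answers, k: int) -> float:
    """Fraction of accounts recovered by an attacker who submits the k most
    common answers in the population (no per-user knowledge assumed).

    Returns 0.0 for an empty population or a non-positive guess budget."""
    if not answers or k <= 0:
        return 0.0
    counts = Counter(normalize(a) for a in answers)
    recovered = sum(count for _, count in counts.most_common(k))
    return recovered / len(answers)


def random_answer(nbytes: int = 16) -> str:
    """A 'fake answer' in the style John Gordon describes: a random string used
    in place of a memorable answer. Secure against popularity-based guessing,
    but it has to be stored somewhere (e.g. a password manager)."""
    return token_urlsafe(nbytes)


def compare_populations(human_answers, population_size: int, k: int):
    """Return (human_rate, random_rate): the k-guess success rate for the
    human-chosen answers versus a same-sized population of random answers."""
    random_answers = [random_answer() for _ in range(population_size)]
    return (
        k_guess_success_rate(human_answers, k),
        k_guess_success_rate(random_answers, k),
    )


if __name__ == "__main__":
    for k in (1, 3, 10):
        human, rnd = compare_populations(FAVORITE_FOOD_ANSWERS, 20, k)
        print(f"k={k:2d}  human-chosen: {human:.0%}  random: {rnd:.0%}")
```

With the constructed sample, a single guess ("pizza") already unlocks a quarter of the accounts and three guesses unlock half, while against random answers each guess can only ever recover one account. The normalization step matters in practice: a recovery form that compares answers case-insensitively is effectively evaluating the merged distribution, not the raw strings users typed.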
