6

Is it a good practice, or is it obsolete? I'm asking because I've never managed to remember a single security question, thus I always write down the answers. I think they are useless; long passwords or 2FA are a much better practice.

Anders
AteszDude
    Honestly, I think it depends with each user. On websites which require me to answer a security question I select the most obscure question I can and I just set the answer to some random characters (like another password) that way it's not something that could be SE'd (in theory). I am not convinced they help especially if you use the same password everywhere. (I don't and I don't really use social media so) –  May 22 '18 at 21:15
  • Security questions for what? As a second factor during authentication? Or for account recovery? Or something else? – Anders May 22 '18 at 21:53

5 Answers

8

The inherent contradiction of security questions

For a security question to be good, it must:

  1. Have one definitive unambiguous answer that the user would never forget...
  2. ...but is secret and hard to guess for everybody else.

The problem is that the higher you score on #1, the lower you score on #2. So you have to walk a tight rope here. If you lean too far towards #1, users will forget the answer and brick their accounts. If you lean too far towards #2, anyone can guess the answer and the question becomes essentially useless.

There probably is no sweet spot here. So should we just ditch the whole concept?

Well, it depends.

When and how to use them

Security questions can be used in many ways.

Let's start with a very bad way to use them - as the only protection for account recovery and password reset. The answer to the question basically becomes a second password that is both easier to crack and guess than the first. That's just spectacularly bad. If you don't believe me, ask Sarah Palin.

That usage pattern is probably what has given security questions their bad name. But is there actually some other legitimate use case for them? Maybe. How about this:

  1. As a poor man's 2FA for login or sensitive actions.
  2. As a check before sending password reset emails.

In both cases, a determined attacker could find the right answers. But not all attackers are determined. A simple security question could make large scale automated attacks after big data breaches impractical. If I have a million passwords from site A, I can't just test them on site B if B also requires a security question. Or if I breach an email provider, I can't send a million password reset links from all sorts of sites, because I don't know the answer to the security questions.

The backside here is the contradiction discussed above - the less obvious the answer to the security question is, the more likely users are to brick their account by mistake. There are better solutions here, like real 2FA or account recovery codes. But implementing 2FA can be hard, and so is getting your users to actually print and store those pesky recovery codes. So sometimes, for pragmatic reasons, a security question might be a good compromise.

That is the best case I can make for them. I'm not sure if it's a good enough case to actually ever use them.

TL;DR

  • It's hard to construct good security questions, because the harder the answer is to guess, the harder it is to remember.
  • Still, security questions could be a useful complement to other efforts to protect against dumb automated attacks if you don't have the resources to implement better solutions, such as 2FA.
Anders
4

Security questions are a terrible idea.

  • There are no "best practices" like there are for passwords: a password should be hard to guess, long enough, etc. Are security questions any of that? By design, they are the opposite of secure: easy to guess, guessable using a dictionary attack or a list of last names, etc.
  • You may not want to let people access your account that know the answer to your security questions (my uncle knows my mother's maiden name, but I don't want them to access accounts of mine).
  • Anyone who knows the answer can become a target. To learn your first pet's name or your mother's maiden name, an attacker doesn't need to trick you to figure it out, they can trick it out of your grandma (or a bunch of other people) instead.
  • There are common answers. "Favorite food" was the question which I guessed for some people of whom I absolutely did not know their favorite food. Pet names and most other questions fit a nice probability curve.
  • You know the data format you're looking for: a mother's maiden name won't have an exclamation mark in the middle or be written in l33tsp3ak to make it harder to guess.
  • As a user, I needed my security question once and actually forgot my answer because it had been a few years. My favorite food had changed and I don't know what I put in there a decade ago. My password, on the other hand, I typically remember because I use it every time I log in. If I haven't logged in for a while, I don't know the password but definitely not the security question.

So not only are they insecure, they also don't reach their goal. Don't use secret questions, almost literally anything else is better.

Luc
3

As you can see from other answers on the same topic (searching for "security question" here returns several related questions), traditional security questions like "What's your mother's maiden name?" are now considered very bad practice.

Some websites, instead of traditional security questions, will ask for your phone number or an alternate email address. They might also regularly remind you to check if your profile info is up-to-date, to make sure you still use the email associated with your account, etc. Another way to check your identity might be to ask you questions about how you have been using the service, what private data the service is storing about you, etc. I'm not sure of all the things Google can actually ask you, but I'm pretty sure they can ask you the approximate date when you created your account, or the name of the city where you usually log in.

I still think that security questions can sometimes be useful as additional info, as long as you let the users write their own questions, maybe along with a clear and huge warning saying that they must not choose questions that can be answered easily by anybody else. But those security questions should not be an easy way to bypass the password login anyway. They should only be used as an exceptional way to help prove the user's identity, and the process should not be automated (a non-automated process might involve a phone call, for example).

reed
    +1 The important part here is that security questions can be used to assist non-automatic manual account recovery. And never ever automate account recovery solely by security questions. – Mikko Rantalainen Feb 25 '21 at 14:10
2

It's better than no second-factor, but current 2FA standards recommend

  1. something you know
  2. something you have

A lot of banks use security questions or image-recognition because it's thought to provide an anti-phish protection, where once you are accustomed to seeing your image/ answering your security question, you will notice its absence.

This can of course be defeated by having the phishing site forward the username you enter, retrieve the question/image, and display it to you, but that's beyond what most phishing campaigns will do.

tl;dr Security questions are not good if used as client-verification, but they can be useful as server-verification, so that you can be reasonably sure the site you are logging into is the actual site.

This doesn't apply if the site makes you select the security question each time, but that's not what any banks I've seen using SQs do.

Angelo Schilling
1

In a surprising number of applications a password + security question is considered 2 factor authentication. The idea is that it's something you know whereas a password is expected to be something you will remember (I write passwords down too - but in an appropriately encrypted database!).

Yes, there are much better solutions - but the web developers of the world are not standing by waiting to write the perfect authentication mechanism to be used by readers of this website. There are lots of ways to complement (or improve on) password authentication, but they need something which does not inconvenience their users, is available to all their users, which doesn't cost too much, which doesn't span jurisdictional boundaries, which they can understand, which they feel they have some control over...

symcbean
  • Password + security question is 1FA because both are something you know/remember. That would be the same as splitting the password in two parts and pretending you have 2FA, except that splitting the password in two parts would usually be safer because most people actually understand something about passwords. Second factor is biometric id, having specific encryption key or some specific device (e.g. TOTP). – Mikko Rantalainen Feb 25 '21 at 14:13