Security questions are often used as a second layer of authentication, usually in the event that a user forgets his/her password and requests a reset. However, a Google study has discovered that this method has some serious drawbacks in that secure answers to questions are not easy to remember, and that answers that are easy to remember are not very secure.
Google researchers Joseph Bonneau, Elie Bursztein, Ilan Caron, Rob Jackson, and Mike Williamson examined millions of question and answer pairs used by Google accounts to recover their passwords over the years, and then proceeded to measure the likelihood of the answers being guessed by hackers.
Easy-to-answer questions proved, unsurprisingly, easy to guess. ‘What is your favourite food?’ could be guessed 19.7 percent of the time for English-speaking users (the answer is usually pizza), and there was a 24 percent chance of guessing Arabic-speaking users’ answer to “What’s your first teacher’s name?”. Korean users were at the greatest risk: their city of birth could be guessed 39 percent of the time, and their favourite food 43 percent of the time.
These figures assume only 10 attempts at guessing the answer, far fewer than a dedicated attacker would make, which only underlines how easy security questions are to guess.
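To make the 10-try figure concrete, here is an added Python example (not code from the Google study or from the article) that computes, for a constructed set of answers, what fraction of accounts an attacker who simply tries the most common answers first would succeed against within a fixed number of attempts, and flags a question whose answers exceed an assumed policy threshold. The answer lists and the 5 percent threshold are constructed sample values, not Google's data or policy; the same function works for any question's answer set, not just favourite food.

```python
"""Measure how guessable a security question's answers are under a bounded
number of attempts, so a site can decide which questions to retire.

Added example, not code from the Google study or the original article.
All answer lists below are constructed sample data."""
from collections import Counter


def normalize(answer: str) -> str:
    """Canonicalise an answer the way a lenient recovery flow compares it:
    case-insensitive, surrounding and repeated whitespace ignored."""
    return " ".join(answer.strip().lower().split())


def guess_success_rate(answers, attempts=10):
    """Fraction of accounts compromised by an attacker who gets `attempts`
    guesses and tries the most common (normalised) answers first.
    This is the statistic the article quotes, e.g. 19.7% within 10 tries."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    top = counts.most_common(attempts)
    return sum(c for _, c in top) / total


def top_answers(answers, attempts=10):
    """The guesses an attacker would try first: the most common answers."""
    counts = Counter(normalize(a) for a in answers)
    return [a for a, _ in counts.most_common(attempts)]


def too_guessable(answers, attempts=10, threshold=0.05):
    """Policy check: flag a question if `attempts` guesses succeed more often
    than `threshold`. Both defaults are assumed values, not from the study."""
    return guess_success_rate(answers, attempts) > threshold


# Constructed sample data: a low-entropy question (favourite food, with
# "Pizza" and "pizza " collapsing to one answer) versus a high-entropy one.
FAVOURITE_FOOD = (
    ["Pizza"] * 20 + ["pizza "] * 5 + ["sushi"] * 8 + ["tacos"] * 6
    + ["Pasta"] * 4 + ["curry"] * 3 + [f"dish{i}" for i in range(54)]
)
FIRST_CAR_PLATE = [f"plate-{i:04d}" for i in range(1000)]

if __name__ == "__main__":
    for name, data in (("favourite food", FAVOURITE_FOOD),
                       ("first car plate", FIRST_CAR_PLATE)):
        rate = guess_success_rate(data, 10)
        flag = "RETIRE" if too_guessable(data) else "ok"
        print(f"{name}: {rate:.1%} of accounts fall to 10 guesses [{flag}]")
```

The normalisation step matters: if the recovery flow compares answers case-insensitively, the guessability measurement must collapse variants the same way, otherwise it understates the risk. The check is meant to run over a site's own stored answers (hashed comparisons aside) to decide which questions to stop offering.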
On the other hand, difficult answers had the opposite effect. While these answers were hard to guess, few users could recall them. Some 40 percent of English-speaking US users couldn’t recall their secret-question answers when they needed to, which is a problem for accounts that require the answer before users can get things done (logging into Battle.net from a new computer, for instance).
Google recommends that users avoid security questions when possible and instead rely on other forms of two-step authentication. Google already provides backup codes sent via SMS for authentication, as does Facebook, both of which are far more secure than any security question.
[Source: Google Online Security Blog]