A security question is a form of shared secret. It is frequently used as an additional layer of identity authentication to enhance account security. During account creation, users are prompted to set up security questions; the answers are then used to verify their identity when they sign in, change passwords, or unlock accounts.
How Vulnerable Are Security Questions?
Security questions have increasingly been recognized as an insecure authentication method because of their inherent vulnerabilities. High-profile data breaches at companies like Yahoo and Equifax are notable examples of the risk of relying solely on security questions: these breaches compromised the personal information of billions of users, including their security questions and answers. They underline why security questions should be disabled in favour of stronger authentication methods, which improves account security and removes the risks that security questions carry.
How Are Security Questions Breached?
Security questions can be even more vulnerable to attack than passwords, through guessing, online research, and social engineering.
Security questions often rely on personal information that can be easily guessed. According to Google’s research, an attacker has a 19.7% chance of guessing correctly that an English-speaking user's answer to the question "What is your favorite food?" is “Pizza”.
Attackers can scour the internet and social media platforms such as Facebook and LinkedIn to collect personal information such as date of birth, career, interests, and academic background. This information frequently matches the answers to security questions, especially when the user has shared it publicly.
Social engineering involves manipulating individuals psychologically to obtain confidential information or carry out certain actions without proper authorization. Instead of searching for software vulnerabilities, a social engineer can obtain answers to security questions (e.g., date of birth, city of work) simply by asking you. Here are some typical methods:
Social engineers impersonate authoritative figures, such as customer service representatives, and deceive individuals by requesting verification or assistance. They trick individuals into revealing personal information, including security question answers.
Social engineers use phishing techniques to trick users into disclosing sensitive information. They send fraudulent emails or create fake websites that mimic legitimate ones, tricking users into entering their security question answers or resetting their passwords.
In some cases, social engineers exploit their connections or relationships to gain insider knowledge. They may target employees, taking advantage of their familiarity with internal procedures or systems, to acquire the answers to security questions.
Choose a Possession or Inherence-Based Factor as an Alternative
Multi-factor authentication (MFA) factors are typically divided into three categories:
- Knowledge: Requires users to prove they know something (e.g., passwords or security question answers).
- Possession: Requires users to prove they own something (e.g., a security key or a device that generates one-time passwords (OTPs)).
- Inherence: Requires users to be authenticated through biometrics (e.g., fingerprint scan or facial recognition).
The main reason passwords and security questions are less secure than other MFA methods is that they rely on users’ knowledge, which can be guessed, researched, or talked out of them. To secure your accounts, it is highly recommended to prioritize possession- or inherence-based factors, such as token-based authentication and OTPs.
In short, security questions are not a reliable way to secure your account. Disable them, use strong and unique passwords, and implement stronger multi-factor authentication methods to improve protection against data breaches.
If you choose to keep security questions enabled, you can also follow the steps below to mitigate their vulnerabilities:
- Use case-sensitive answers, so that an attacker who guesses the right word still has to match its exact capitalization.
- Remind your employees to update their security questions regularly, ensuring they can recall the answers while making it harder for hackers to track them.
- Train employees on creating memorable, consistent, unique, and private questions and emphasize the importance of not recording the answers for added protection.
- Train employees to avoid reusing the same security questions and answers across multiple applications or platforms.
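The two points above that a service operator can actually enforce in code are the guessing risk described under "How Are Security Questions Breached?" (the 19.7% "Pizza" figure) and the case-sensitive-answer mitigation in this list. The following is an added example, not code from the original article: it models how an attacker's success probability grows with the number of guesses allowed, and it shows a verifier that compares answers case-sensitively against a salted hash and locks the question after a fixed number of failures, which caps the attacker at the top few guesses. The answer-frequency table (apart from the 19.7% quoted in the article), the `SecurityAnswerStore` class, the `MAX_ATTEMPTS` threshold and the sample user are all assumptions constructed for this example.

```python
"""Added example (not part of the original article): why security-question
answers are guessable, and a verifier applying the article's mitigations
(case-sensitive answers, limited attempts).

All names, the lockout threshold and the frequency table are constructed
assumptions; only the 19.7% figure for "Pizza" comes from the article.
"""
import hashlib
import hmac
import os

# Constructed answer distribution for "What is your favorite food?".
# Only the first value is from the article; the rest are illustrative.
FAVORITE_FOOD_FREQ = {
    "Pizza": 0.197,
    "Sushi": 0.06,
    "Pasta": 0.05,
    "Tacos": 0.03,
    "Steak": 0.02,
}


def guess_success_probability(freq, max_guesses):
    """P(attacker hits the answer within max_guesses tries) when the most
    common answers are tried first: the sum of the top-k frequencies."""
    top = sorted(freq.values(), reverse=True)[:max_guesses]
    return sum(top)


MAX_ATTEMPTS = 3  # assumed lockout threshold per (user, question)


class SecurityAnswerStore:
    """Stores one answer per (user, question) as a salted PBKDF2 hash and
    counts failed attempts so that guessing stops after MAX_ATTEMPTS."""

    def __init__(self):
        self._records = {}   # (user, question) -> (salt, derived key)
        self._failures = {}  # (user, question) -> consecutive failures

    @staticmethod
    def _digest(answer, salt):
        # Case-sensitive on purpose (no .lower()/.casefold()), as the article
        # recommends; only surrounding whitespace is stripped so that a stray
        # trailing space does not lock a legitimate user out.
        return hashlib.pbkdf2_hmac("sha256", answer.strip().encode("utf-8"),
                                   salt, 100_000)

    def enroll(self, user, question, answer):
        salt = os.urandom(16)
        self._records[(user, question)] = (salt, self._digest(answer, salt))
        self._failures[(user, question)] = 0

    def is_locked(self, user, question):
        return self._failures.get((user, question), 0) >= MAX_ATTEMPTS

    def verify(self, user, question, answer):
        """Return True only for the exact enrolled answer while not locked."""
        key = (user, question)
        if key not in self._records or self.is_locked(user, question):
            return False
        salt, expected = self._records[key]
        # Constant-time comparison so timing does not leak partial matches.
        ok = hmac.compare_digest(self._digest(answer, salt), expected)
        if ok:
            self._failures[key] = 0
        else:
            self._failures[key] += 1
        return ok


if __name__ == "__main__":
    for k in (1, 3, 5):
        print(f"{k} guesses -> {guess_success_probability(FAVORITE_FOOD_FREQ, k):.1%}")
    store = SecurityAnswerStore()
    store.enroll("alice", "favorite_food", "Pizza")  # constructed sample user
    print(store.verify("alice", "favorite_food", "pizza"))  # False: case differs
    print(store.verify("alice", "favorite_food", "Pizza"))  # True
```

With the constructed table, a single guess already succeeds 19.7% of the time and three guesses about 30%; the lockout is what keeps an attacker from walking further down the list, which is why attempt limiting matters more than case sensitivity alone. Answers are hashed like passwords because a breach of the answer store is exactly the scenario the article describes for Yahoo and Equifax.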