Security questions are terrible.
I mean, we can start with the obvious–you’re in the middle of signing up for some service that you were probably hoping to use now, when suddenly you’re prompted to fill out a pop quiz about yourself, and the “right” answer isn’t necessarily the one that’s accurate–it’s the one that you’ll remember three years from now when you’ve locked yourself out of your account.
I mean, being accurate is one way to do that–but what if you’re not quite sure who your favorite high school teacher was? What if you choose someone different next time? Or what if it’s obvious…but it’s obvious to everyone else, too?
My favorite security question of all time has to be, “What is your favorite security question?” But, of course, that would be clear to anyone, since if it popped up, it was because I chose it.
Setting aside that fun meta-question, though, if you ask the more common question, “What is your favorite food?” to an English speaker, there’s a 19.7% chance that the answer is “pizza.” 
But guessing isn’t the only vulnerability present. People can also know the answers because you disclosed them.
It’s not like you’re intentionally broadcasting your credentials or anything. But saying stuff about yourself is kind of part of being a person. That may come in the form of some stupid “Which Ninja Turtle are you?” quiz, or in the form of just talking about stuff sometimes. Or…you know…having a blog.
Having contemplated this before, upon filling out a new security question, I now feel like I’m giving something up–a small piece of myself that can never be disclosed lest I create a vulnerability that wasn’t there before. Even thinking about it now, I suddenly feel the need to tell everyone my first pet’s name–to run through the streets shouting his name at the top of my lungs–rather than consign him to anonymity forever.
What’s worse, I don’t even remember if I’ve ever used this one. It could be perfectly fine to share. Except that I can’t recall which services I use that still utilize security questions, either. And I’m not sure I’ve ever seen a service that gave me a form to change security questions after the fact, or even look up what they are.
How can you ever truly connect with another human being if you’re not free to share vital personal information, such as the mascot of your high school? How can we live with these artificial walls we build around ourselves?
Well, okay, some people just cope with it by lying. In the security questions, I mean, not just to everyone, all the time, about everything. Apparently 37% of people do this. But if I could remember random shit that I made up, I wouldn’t need a security question. Sure, I could store the answer in my password manager. But I store my passwords in my password manager, too. If I need my security question, something has obviously gone wrong with this workflow.
And then there’s the additional problem that your fake answers are even worse than the truth, from a security standpoint. That is to say, when people make up answers, they tend to make up the same answers.
Yeah, how many people do you suppose said that their first phone number was 867-5309?
The Root Problem
The source of the difficulty is this: security questions are an attempt to authenticate you with things that just weren’t meant to be a secret.
This would be why security questions are…well, already recognized as a crappy authentication mechanism.
Nevertheless, if you’re going to suck at authentication, OWASP made a neat little table with some useful criteria:
|The user must be able to recall the answer to the question, potentially years after creating their account.
|The answer to the question must not change over time.
|The user must be able to answer the question.
|The answer to the question must be hard for an attacker to obtain.
|The answer should be clear to the user.
That “memorable” thing can be tricky since, as humans, we can’t be trusted to remember anything, and the “consistent” can kind of suck since you’re out of luck if one of the forty other sites that ask the same question has a data breach after they stored your answer in plaintext (best practices are for chumps), but it’s the “confidential” one that’s the real dealbreaker.
All these little facts about yourself? Your friends and family probably all know this stuff, and, let’s be honest–these people all hate you.
And after the “incident” with your last ex, did you remember to change the name of the city your were born in?
Oh, right, you probably can’t do that. Well, hopefully there’s no digital trail connecting you to, say, your mother, or her dreaded Maiden Name.
So should we just throw away the whole idea of security questions?
Yes. Yes, we should. But that does still leave us to contend with the problem that security questions themselves are meant to resolve.
Why They’re Here
There are a couple scenarios where security questions pop up.
As A Secondary Authentication Factor
One situation where services use security question is when they want to be extra sure you’re you. This comes up, for example, when you’re logging in from a new device.
People who protect their services this way are monsters.
If you need extra security like this, multi-factor authentication is the way to do it. Not asking dumb questions.
Let’s not assign blame, because it was always a matter of time.
Roughly a thousand websites a day are giving you a new password, and your workplace has twelve different internal services that make you pick a new twelve character password every other week.
And at that kind of pace, no matter how careful you are…well, shit happens. Passwords get forgotten. People forget they had caps lock on when they typed them in. Sometimes keys stick, and they never got typed in correctly, even if everyone makes you type it in twice these days.
And now you somehow need to prove you’re you.
So you click “Forgot Password?” and an email shows up with a reset link.
But sometimes, before you get your temporary password, you need to prove your identify with something more than just having access to your email address (or perhaps because you forgot the password to the damn hotmail address you signed up with twenty years ago).
Some sites pull out the big guns for this situation: the aforementioned dumb questions.
If they shouldn’t use that, what should they use?
SMS is terrible for security. It shouldn’t be used for password recovery, and it shouldn’t be used for MFA. They’re fundamentally not a good way to prove who you are, since they can easily wind up in other people’s possession, either through divorce, a failure to pay your phone bill, or through sim swapping attacks.
And let’s not forget the fact that it may be possible to get into your account with your carrier using…pause for effect…the answers to your damn security questions.
And then there’s the fact that tech companies can’t be trusted. For instance, when Twitter (accidentally?) let marketers access MFA phone numbers, or when Facebook used MFA phone numbers to target ads.
Because of course they did.
Many websites require security questions, meaning that even if they insist you have a password composed of an awkard combination of symbols, numbers, and uppercase letters (“Pa$$word1”)…and even if you take extra care to make your password super secure (“Pa$$word2”), there’s a mandatory method of bypassing the normal authentication flow using information you post on Facebook.
And SMS as an alternative is almost as bad.
And having a strong password with a vulnerable recovery system is like having a massive lock on your door and then taping the key to the peephole.
So in an ideal world, what would you do instead if you’ve lost your password?
Various forms of divination are sufficiently secure, I suppose. The low success rate is a minor concern, but the fact the other people can’t get into your account either is nice.
Apart from that, it’s hard to come up with a scalable means of bypassing the normal authentication flow that’s designed to protect your account without…well, allowing people to bypass the normal authentication flow that’s designed to protect your account.