Google recently studied the security of security questions and found that they are a pretty poor approach.
According to their findings, if a question is easy to remember, it’s also fairly easy to guess. If a question is hard to guess (like a library card number), it’s also hard to remember, which leads to frustration.
This makes complete sense to me. I’ve had a number of instances where I had to call customer service to help me log in to a site because, not only could I not remember the answer to the question, I couldn’t remember ever answering the question, so I couldn’t even make my own reasonable guess.
They didn’t cover another problem with security questions: they are easy to social engineer. Test this yourself. Assuming you can remember any, think of a couple of your own security questions and answers and then look at your Facebook page. If you are like a lot of people, you use “place of birth,” “favorite movie,” “mother’s maiden name” or the like. It’s pretty easy to use social engineering to friend someone on Facebook and then, voilà! You have access to a supply of answers to security questions. (Hint: even friending me will not get you my favorite movie or book. I’ve deliberately avoided mentioning either on Facebook. Nor is pizza my favorite food.)
Two-step verification, where you have to enter a verification code sent via text message, is much more secure and doesn’t require you to remember anything.
Google has summarized much of their findings in this handy infographic.
So what about you? What kinds of security questions do you use, and how do you keep your answers safe?