Stop using security questions, please

February 17, 2018

This opinion is neither new nor unpopular, but I think it's worth repeating.

Security questions suck.

The origin of security questions

Before we start bashing security questions and every service that uses them, let's talk about where they came from.

I had to dig pretty deep, but unearthing the purported origin of security questions shed some light on how they became popular. They started in the early 20th century as an extra step for banks to verify customers. Back then, "What is your Mother's maiden name?" was a unique and challenging question, even for the customers themselves!

In a world before Facebook, to find out personal details about someone's life, you would have to either be that person or be a close friend or family member. It makes sense then, that these questions could be used as an authentication step.

How are they used today?

In the 90s and early 00s security questions became popular on websites as an alternative authentication to passwords. They were not advertised as "alternative authentication" but they were, in many cases, the only barrier to resetting a password - making the answers effectively equivalent to the password itself. This practice has continued up through the present despite the explosion of social networks and widespread availability of personal information online. As recently as this week I have seen a website (that holds sensitive information!) only require three security question answers to get into an account. That's bad.

While the services they "secure" have evolved and the availability of information about individuals has increased dramatically, security questions themselves haven't changed much. It is not uncommon to see options like "What is your oldest siblings middle name?" or "Where was your first job?" - both of which can be answered in 1 minute for many people by visiting Facebook and LinkedIn. Other sites have kept the questions and offered the copout option of "write your own!", as if they expect a user to have time to come up with a good question.

This is such an epidemic that it is not uncommon to hear advice recommending to answer security questions untruthfully. That way the correct answer an impostor finds in a quick google search won't work. The criticism to that method is that untruthful answers are no longer memorable and are basically just more passwords.

To their credit, most sites nowadays only use security questions as an extra layer of security, not the only thing between a user (or attacker!) and resetting a password. Security questions are mostly used as an extra step for logging in, or an extra barrier before sending an email with a link to reset a password. So they may not be super secure, but they're harmless when they aren't the only security layer, right?

No. Security questions cause a painful user experience and the mere fact that we maintain them in our repertoire is a threat to users' security.

Seriously, security questions are bad

First of all, the extra security layer these questions provide is so thin it could be pierced with a sideways glance, but we make users answer them anyway. It's almost the equivalent of asking "What's 132 divided by 12?" as an extra step to log in - anyone can answer it, and it's annoying as hell. Nobody in their right mind would give a math problem as an extra step to log in, so why do we use security questions like this?

Beyond the annoyance, by maintaining security questions as a "security practice" we implicitly give them credit for adding a significant layer of security (even though they don't). This leads to people who don't know better trusting security questions too much.

I'm specifically worried about help desk operators using security questions as a means of identity verification for over the phone account/information access. Social engineering is an extremely common (the most common?) way for hackers to get access to an account. Calling a help desk line, answering a few questions and gaining the operator's trust is a typical example of such social engineering. Hackers do it because it works, and it works (in part) because our processes rely on security questions. See one of Brian Krebs' recent post for a timely and relevant example.

Okay, maybe we should stop using security questions. What do we do instead?

Multi factor authentication!

Despite the fact that the public isn't convinced of the need for MFA, it is a much stronger and reliable extra layer of security than security questions (if done correctly, of course). Not only that, but, in my opinion, typing in a code that pops up on my phone is much less annoying than answering "Who was my least favorite elementary school teacher?" (Mrs. Warner...).

Like I said at the top of this post, I'm not presenting any radical ideas here, but I believe that if we rid ourselves of security questions and make MFA the default, users will get used to it and their accounts will be more secure.

Extra thought

Passwords suck too don't they?

People reuse them or use "123456" despite repeated warnings and major hacks. We need a way to replace them. I wouldn't mind a service that uses Google Authenticator or a U2F device as its primary form of authentication. That way I wouldn't have to remember any passwords or use a password manager at all...