It should come as no surprise that your mother's maiden name is no secret, nor is the name of your primary school, or the model of your first car. So why are we still using knowledge-based authentication (KBA) questions to protect our online accounts?
Knowledge-based authentication is something that the development community is slowly but surely killing off. I personally don't know any developers who have recently worked on a product where they implemented KBA questions. However, the actions of our past have left us with online services, typically legacy systems from larger organizations, that are still secured by questions which can be easily answered with a Google search or some form of social engineering.
Social engineering (noun): the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes
If you are interested enough to be reading this blog post you probably already have a hunch that KBA questions are a bad idea, and academic research agrees with you. One study found that 16% of security questions can be answered via publicly accessible information on social media. Some questions are more vulnerable than others, for example, "what is your mother's maiden name?" can often be answered by searching through the publicly available birth and marriage records.
When you add social engineering to the mix things are even more worrying. Using an email phishing campaign, researchers were able to demonstrate the ability to capture 92% of security question answers.
So you may be thinking to yourself: sure, they're not all that secure, but security questions are a good way to recover an account when all else is lost, right? In a 2015 paper, Google found that only 60.8% of attempts to recover a password using security questions were successful. That's bad news for everyone; not only does using KBA make your accounts significantly less secure, but there's also a 40% chance that it won't actually help you to recover your account when you have no options left. In that same paper, Google observed the significant improvements in account recovery rates that can be obtained from using email- and SMS-based recovery mechanisms.
The problems with KBA just keep going. For example, how many possible answers to the question "what is your favorite superhero?" do you think there are? Regardless of your superhero knowledge, we can agree that the answer space is trivially small, especially for the average user. How about the question "What is your favorite food?" Unsurprisingly, Google found that almost 20% of all English-speaking respondents to this question answered "pizza".
The key problem with knowledge-based authentication is that answers can either be secure or memorable; very rarely are they both. There is, however, a solution for those services that just refuse to do it any other way.
So how can we use security questions securely?
As we've seen, our answers to security questions can be either memorable or secure, but rarely both. In order to achieve both memorability and security, we will use a password manager.
If you are unsure of what a password manager is, this is where you should start. I won't go into the details but you really should be using a password manager. Assuming you have one, let's continue.
Essentially what we are going to do is treat answers to security questions like passwords. When we are asked "What is your mother's maiden name?" rather than answering with your mother's actual maiden name, you will answer with a randomly generated secure password. You'll then store this answer in your password manager. This way your answer is both hard to guess, and easy to remember (because if you use a password manager you won’t have to remember it at all).
Let's walk through this step by step. You are creating a new account with an online service and the following page shows up.
You know that if you answered these questions truthfully your account would be very insecure. You also know that if you don't answer truthfully it's going to be really difficult to recall the answers to these questions. So, the next step is to fire up your password manager of choice. I use 1Password, but any comparable manager should do the trick (LastPass has a free tier if you are just getting started).
1. Create a new section in your password manager's entry for the website you are currently creating an account with, and call this section "Security Questions"
2. For each of the security questions, record the question itself and then generate a unique random password to use as its answer
3. Now, copy the randomly generated passwords from your password manager into the text fields on the website you are signing up to
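The procedure above, as an added example that is not part of the original post: a small script that does what the password manager's generator does (random answers from the OS CSPRNG, one per question) and puts the difference in numbers, comparing the entropy of a generated answer with the single-guess cost of "pizza" from the Google figure above. The alphanumeric alphabet and the 20-character length are assumptions, chosen because some legacy forms reject punctuation in these fields.

```python
import math
import secrets
import string

# Letters and digits only (assumption): some legacy sign-up forms reject
# punctuation or whitespace in security-question fields.
ALPHABET = string.ascii_letters + string.digits


def generate_answer(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random answer drawn from the OS CSPRNG, like a password manager's generator."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def guess_bits(share_of_most_common_answer: float) -> float:
    """Work for an attacker's first guess when a fraction of users share one answer.

    With 20% of respondents answering "pizza", the first guess succeeds with
    probability 0.2, i.e. the answer is worth only -log2(0.2) ~ 2.3 bits.
    """
    return -math.log2(share_of_most_common_answer)


def build_security_section(site: str, questions: list[str]) -> dict[str, str]:
    """Stand-in for the "Security Questions" section of a manager entry for `site`.

    Each question maps to its own freshly generated answer; a retry loop keeps
    the answers distinct, as step 2 requires (collisions are astronomically rare).
    """
    section: dict[str, str] = {}
    for question in questions:
        answer = generate_answer()
        while answer in section.values():
            answer = generate_answer()
        section[question] = answer
    return section


if __name__ == "__main__":
    # Constructed sample: two questions from a hypothetical sign-up form.
    entry = build_security_section("example.com", ["What is your mother's maiden name?",
                                                   "What is your favorite food?"])
    for q, a in entry.items():
        print(f"{q} -> {a}")
    print(f"generated answer: {entropy_bits(20, len(ALPHABET)):.1f} bits; "
          f"'pizza' as a first guess: {guess_bits(0.2):.1f} bits")
```

Paste each generated value into the form and keep the dictionary in the manager entry, never in a plain file; the script only illustrates the generation step.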
And that's it. You are done. In an ideal world, we would no longer have knowledge-based authentication in the form of security questions. The reality is though, that there are plenty of services out there that will require you to answer security questions in order to sign up. The good news is you now have a method of securing your online accounts that still insist on using knowledge-based authentication.