How the heck did I miss this? Why wasn’t it all over my feeds? It’s sad Google actually had to write a paper to prove the self-evident, but I guess even within Google there were executives who couldn’t get their head around this (emphases mine)…
Google Online Security Blog: New Research: Some Tough Questions for ‘Security Questions’
… we analyzed hundreds of millions of secret questions and answers that had been used for millions of account recovery claims at Google. We then worked to measure the likelihood that hackers could guess the answers.
Our findings, summarized in a paper that we recently presented at WWW 2015, led us to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism. That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both…
… 37% of people intentionally provide false answers to their questions thinking this will make them harder to guess. However, this ends up backfiring because people choose the same (false) answers, and actually increase the likelihood that an attacker can break in …
… the ‘easiest’ question and answer is “What city were you born in?”—users recall this answer more than 79% of the time. The second easiest example is “What is your father’s middle name?”, remembered by users 74% of the time …
… probability that an attacker could get both answers in ten guesses is 1%, but users will recall both answers only 59% of the time … Piling on more secret questions makes it more difficult for users to recover their accounts and is not a good solution …
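To make the trade-off in those quoted figures concrete, here is a small added illustration (my own example, not code from Google's paper or post). It treats each question's guess rate and recall rate as independent, so a set of questions succeeds for the attacker only if every answer is guessed and for the user only if every answer is remembered; the sample answer list and the per-question guess rates are constructed placeholders, while the 79% and 74% recall figures are the ones quoted above.

```python
from collections import Counter
from typing import Iterable

# Constructed sample answers for one question (hypothetical data, not
# Google's dataset): a few very common values dominate, which is exactly
# what the post says happens when people pick the same (false) answers.
SAMPLE_ANSWERS = (
    ["pizza"] * 40 + ["chicken"] * 25 + ["pasta"] * 10 + ["sushi"] * 5
    + ["tacos"] * 5 + [f"dish{i}" for i in range(15)]
)


def guess_success_rate(answers: Iterable[str], k: int = 10) -> float:
    """Fraction of users whose answer falls within the k most popular
    answers, i.e. the 'ten guesses' metric quoted in the post."""
    counts = Counter(a.strip().lower() for a in answers)
    total = sum(counts.values())
    top_k = sum(n for _, n in counts.most_common(k))
    return top_k / total


def combined(rates: Iterable[float]) -> float:
    """Probability that every question in the set succeeds, assuming the
    questions are independent (attacker must guess all; user must recall all)."""
    p = 1.0
    for r in rates:
        p *= r
    return p


def evaluate_policy(questions, max_guess=0.01, min_recall=0.70):
    """questions: list of (name, guess_rate, recall_rate).
    Returns the combined guess and recall rates for the whole set and whether
    it meets both thresholds (the thresholds here are arbitrary examples)."""
    guess = combined(g for _, g, _ in questions)
    recall = combined(r for _, _, r in questions)
    return {"guess": guess, "recall": recall,
            "acceptable": guess <= max_guess and recall >= min_recall}


if __name__ == "__main__":
    print(f"top-10 guess rate on sample: {guess_success_rate(SAMPLE_ANSWERS):.0%}")
    # Recall figures from the post; the guess rates are constructed placeholders.
    two = [("city of birth", 0.05, 0.79), ("father's middle name", 0.10, 0.74)]
    print(evaluate_policy(two))
```

Adding the second question drives combined recall down to about 58%, which is the "piling on more questions" problem the post describes: the attacker's odds fall, but so does the chance that the legitimate user can recover the account.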
We’ve only been saying this for 10 years. Yeah, Schneier of course, but really everyone else. Shame on Apple for persisting with this dumbass approach. (FWIW my security question ‘Fake Answers’ are basically unique random passwords - secure but a royal pain to manage.)
For all the flak I give Google, they’ve been doing better over the past 1-2 years. When it comes to security and usability of online resources they are without peer.