Do security questions make sense?
The inherent contradiction of security questions
For a security question to be good, it must:
- Have one definitive unambiguous answer that the user would never forget...
- ...but is secret and hard to guess for everybody else.
The problem is that the higher you score on #1, the lower you score on #2. So you have to walk a tight rope here. If you lean too far towards #1, users will forget the answer and brick their accounts. If you lean too far towards #2, anyone can guess the answer and the question becomes essentially useless.
There probably is no sweet spot here. So should we just ditch the whole concept?
Well, it depends.
When and how to use them
Security questions can be used in many ways.
Let's start with a very bad way to use them - as the only protection for account recovery and password reset. The answer to the question basically becomes a second password that is both easier to crack and guess than the first. That's just spectacularly bad. If you don't believe me, ask Sarah Palin.
That usage pattern is probably what has given security questions their bad name. But is there actually some other legitimate use case for them? Maybe. How about this:
- As a poor man's 2FA for login or sensitive actions.
- As a check before sending password reset emails.
In both cases, a determined attacker could find the right answers. But not all attackers are determined. A simple security question could make large scale automated attacks after big data breaches impractical. If I have a million passwords from site A, I can't just test them on site B if B also requires a security question. Or if I breach an email provider, I can't send a million password reset links from all sorts of sites, because I don't know the answer to the security questions.
The backside here is the contradiction discussed above - the less obvious the answer to the security question is, the more likely users are to brick their account by mistake. There are better solutions here, like real 2FA or account recovery codes. But implementing 2FA can be hard, and so is getting your users to actually print and store those pesky recovery codes. So sometimes, for pragmatic reasons, a security question might be a good compromise.
That is the best case I can make for them. I'm not sure if it's a good enough case to actually ever use them.
TL;DR
- It's hard to construct good security questions, because the harder the answer is to guess, the harder it is to remember.
- Still, security questions could be a useful complement to other efforts to protect against dumb automated attacks if you don't have the resources to implement better solutions, such as 2FA.
As you can see from other answers on the same topic (searching for "security question" here returns several related questions), traditional security questions like "What's your mother's maiden name?" are now considered very bad practice.
Some websites, instead of traditional security questions, will ask for your phone number or an alternate email address. They might also regularly remind you to check if your profile info is up-to-date, to make sure you still use the email associated with your account, etc. Another way to check your identity might be to ask you questions about how you have been using the service, what private data the service is storing about you, etc. I'm not sure of all the things Google can actually ask you, but I'm pretty sure they can ask you the approximate date when you created your account, or the name of the city where you usually log in.
I still think that security questions can sometimes be useful as additional info, as long as you let the users write their own questions, maybe along with a clear and huge warning saying that they must not choose questions that can be answered easily by anybody else. But those security questions should not be an easy way to bypass the password login anyway. They should only be used as an exceptional way to help prove the user's identity, and the process should not be automated (a non-automated process might involve a phone call, for example).
Security questions are a terrible idea.
- There are no "best practices" like there are for passwords: a password should be hard to guess, long enough, etc. Are security questions any of that? By design, they are the opposite of secure: easy to guess, guessable using a dictionary attack or a list of last names, etc.
- You may not want to let people access your account that know the answer to your security questions (my uncle knows my mother's maiden name, but I don't want them to access accounts of mine).
- Anyone who knows the answer can become a target. To learn your first pet's name or your mother's maiden name, an attacker doesn't need to trick you to figure it out, they can trick it out of your grandma (or a bunch of other people) instead.
- There are common answers. "Favorite food" was the question which I guessed for some people of whom I absolutely did not know their favorite food. Pet names and most other questions fit a nice probability curve.
- You know the data format you're looking for: a mother's maiden name won't have an exclamation mark in the middle or be written in l33tsp3ak to make it harder to guess.
- As a user, I needed my security question once and actually forgot my answer because it had been a few years. My favorite food had changed and I don't know what I put in there a decade ago. My password, on the other hand, I typically remember because I use it every time I log in. If I haven't logged in for a while, I don't know the password but definitely not the security question.
So not only are they insecure, they also don't reach their goal. Don't use secret questions, almost literally anything else is better.