Security Questions Are a Terrible, Horrible, Bad Idea
Stop asking me for my mother’s maiden name
As I was setting up my account at Deutsche Bahn, I was surprised to see the following UI:
After the 2013 Yahoo security breach that compromised 3 billion user accounts, it should be common knowledge by now that security questions are a terrible idea. Why are they still a thing?
They Can Be Very Easily Guessed
The main idea behind security questions is they’re safe and memorable. But with today’s social media, anyone can scroll over my posts and figure out the name of my high school mascot, and if I can remember it, then probably a lot of people can too.
This 2015 Google study has confirmed that with only a single guess, an attacker would have a 19.7% chance of guessing an English-speaking user’s answer to the question “What is your favorite food?”.
With 10 guesses, an attacker would have a 24% chance of figuring out Arabic-speaking user’s answer to the question: “What was your first teacher’s name?” and a 39% chance of guessing a Korean-speaking user’s city of birth (and a 43% chance of guessing their favorite food).
Many different users also had identical answers to secret questions you’d typically expect to be unique, such as “What’s your phone number?” or “What’s your frequent flyer number?”.
Then, 37% of people deliberately provide false answers to their questions, thinking this would make them harder to guess, when, in fact, it made it even easier to figure out.
They Can Be Brute-Forced
We demand a user enters a password that contains lowercase and uppercase letters, numbers, and special characters.
But we hide the account recovery mechanism behind a silly question that can be brute-forced? This doesn’t make any sense to me!
They Make Wrong Assumptions About Your Users
Maybe in the Western world, people can find security questions relatable. But I didn’t have a pet, I’m not good at remembering people’s names, and I was never married, so I never went on honeymoon.
Growing up in North Africa, I didn’t even know what a maiden name meant because where I come from, women don't take their husband's names.
So that left me with what’s your favorite dish, and anyone who knows me can guess what that is.
That’s a terrible user experience that excludes anyone who isn't from the same cultural background as the person who developed the application. By doing so, we compromise their privacy because we narrow the questions that they might find relatable.
Today, many available services make authentication integration seamless.
Please implement a proper two-factor authentication flow instead of compromising your users’ privacy.
And next time someone asks me what my favorite dish is, it’ll be something like