So the big question is: is it actually safe for your employees to use security questions to authenticate or recover account access? The short answer is no; it is bad for business. Below we examine why, and what you can do about it if their use is already prevalent in your business.
“What city were you born in?” and “What is your father’s middle name?” when asked together block 99% of attackers with 10 attempts from gaining access to secure online accounts, but can employees in your company remember what they put as the answer? Apparently, 41% cannot.
Using security questions for authentication is common practice for many applications, but their effectiveness has been called into question by a report published by Google’s research team. The report states that 19.7% of English-speaking users will answer the common security question "What is your favourite food?" with “pizza”, and that harder-to-guess questions like "What is your frequent flyer number?" have a recall rate of only 9%.
Do Your Employees Use Security Questions?
With the widespread adoption of cloud-based applications over installed software for everyday business practices, employees of businesses of all sizes will be using security questions for authentication, presenting a significant threat to data security. Often there is no central management for authentication within an organisation, and while passwords are changed to prevent ex-employees gaining access to company systems, verification for password recovery is often overlooked.
If the applications and systems within your organisation have an account recovery feature, there’s a reasonable chance your employees would use security questions if they forget their log-in information.
It can be difficult to know the extent to which security questions are used for authentication in your business: native mobile apps, VPNs, 2FA tokens and browser-based apps all have login interfaces designed and controlled by a third party, and many of them could use security questions for account recovery.
The Business Risk
The risk of security questions goes deeper than common answers to certain questions. The poor recall rates of this information mean that, according to the aforementioned study by Google, 37% of people intentionally provide false answers to these questions, and many of the false answers end up being the same, leaving those accounts vulnerable to savvy attackers.
Security questions also make your systems especially vulnerable to insider threats, as employees are likely to know personal details about colleagues, or could ask in friendly conversation without raising suspicion.
The Palin Hack
In 2008, American vice-presidential candidate Sarah Palin’s email account was accessed by a hacker. The password reset feature required her birthday, ZIP code, and where she met her spouse for authentication. All of this information is easily found online, and the attacker reportedly bragged about how easy it was on 4chan. This is a real-world example of security questions failing as an authentication method. While not everyone’s personal details are as widely known as a prominent politician’s, key information can be easily obtained by anyone who associates with your employees, both within and outside of the work environment, and is sometimes available on public-facing social media profiles.
What's the Alternative?
Wherever possible, whether it’s improving log-in systems for your own technology or managing the use of third-party services and internal systems, account recovery using security questions should be avoided in favour of an SMS text or a secondary email account for verification. Reset codes show a 75%-80% recall rate, against an average of 40% recall for security questions.
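To make the recommended alternative concrete, here is an added example (not code from the original article) of a minimal server-side reset-code flow of the kind used behind SMS or secondary-email recovery. The code length, ten-minute lifetime, five-attempt limit and the in-memory store are all assumptions chosen for illustration; a production system would persist the records in a database and deliver the code through a messaging provider.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

CODE_LENGTH = 8            # assumed: 8 decimal digits, easy to type from a text message
CODE_TTL_SECONDS = 600     # assumed: code is valid for ten minutes
MAX_ATTEMPTS = 5           # assumed: lock the code after five wrong guesses

# In-memory store keyed by account id (constructed for the example; use a database in practice).
_pending: Dict[str, dict] = {}


def _hash_code(account_id: str, code: str) -> str:
    # Store only a digest, bound to the account, so a leaked store cannot be replayed as-is.
    return hashlib.sha256(f"{account_id}:{code}".encode("utf-8")).hexdigest()


def issue_reset_code(account_id: str, now: Optional[float] = None) -> str:
    """Create a one-time reset code to send via SMS or to the user's secondary email."""
    now = time.time() if now is None else now
    # secrets.choice draws from the OS CSPRNG; random.choice would be predictable.
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
    _pending[account_id] = {
        "digest": _hash_code(account_id, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code  # handed to the delivery channel only; the server keeps just the digest


def verify_reset_code(account_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Return True once for the correct, unexpired code; enforce the attempt limit."""
    now = time.time() if now is None else now
    entry = _pending.get(account_id)
    if entry is None:
        return False
    if now > entry["expires"]:
        _pending.pop(account_id, None)          # expired codes are discarded
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        _pending.pop(account_id, None)          # too many guesses: invalidate the code
        return False
    ok = hmac.compare_digest(entry["digest"], _hash_code(account_id, submitted))
    if ok:
        _pending.pop(account_id, None)          # single use: a code never verifies twice
    return ok


if __name__ == "__main__":
    code = issue_reset_code("alice@example.test")
    print("deliver this code out of band:", code)
    print("verify:", verify_reset_code("alice@example.test", code))
```

Three properties do the work here: the code is drawn from a cryptographic random source, the server stores only a digest and compares it in constant time, and each code is single-use with an expiry and an attempt cap, so an attacker cannot grind through the 10^8 possibilities the way they could grind through "pizza" and a handful of other common answers.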
Where security questions are unavoidable, treat them as backup passwords and use a string of randomized characters as the answer, no matter what the question is. This “backup password” can be securely stored in your company’s Single Sign-On or secure password vault system.
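As an added illustration of the "backup password" approach (example code, not from the original article), the following generates an independent random answer for each security question a service asks, estimates how much entropy that answer carries compared with a real-world fact, and shapes the result as records ready to be pasted into a password vault. The service name, the question list and the small list of common answers are constructed for the example; the 24-character length is an assumption.

```python
import math
import secrets
import string
from typing import Iterable, List

ALPHABET = string.ascii_letters + string.digits   # 62 symbols
DEFAULT_LENGTH = 24                                # assumed length for a backup answer

# Constructed sample of answers that real users give far too often (the article cites "pizza").
COMMON_ANSWERS = {"pizza", "london", "smith", "john", "new york", "fluffy"}


def random_backup_answer(length: int = DEFAULT_LENGTH) -> str:
    """An answer that encodes no personal fact, so neither a colleague nor a social-media
    profile can supply it. Uses the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def is_weak_answer(answer: str, common: Iterable[str] = COMMON_ANSWERS, min_len: int = 12) -> bool:
    """Flag answers that are short or that match a known common/guessable answer."""
    normalised = " ".join(answer.strip().lower().split())
    return len(normalised) < min_len or normalised in set(common)


def vault_entries(service: str, questions: Iterable[str]) -> List[dict]:
    """One independent random answer per question, as records for a password vault.
    Independence matters: reusing one answer across questions or services lets a single
    leak unlock every account that asked for it."""
    return [
        {"service": service, "question": q, "answer": random_backup_answer()}
        for q in questions
    ]


if __name__ == "__main__":
    for entry in vault_entries("hr-portal", ["What city were you born in?",
                                             "What is your father's middle name?"]):
        print(entry)
    print(f"{DEFAULT_LENGTH} random characters carry about {entropy_bits(DEFAULT_LENGTH):.0f} bits")
    print("is 'pizza' weak?", is_weak_answer("pizza"))
```

Run it once per service and store the printed records in the vault; the employee never needs to remember the answer, which sidesteps the poor recall rates as well as the guessability problem.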
Audit Your Systems
If you suspect that prevalent use of security questions for authentication poses a serious risk to your security, you should consider a full audit of your systems to determine the breadth of exposure across internal and external applications. The audit should emphasise logical access controls and exposure to attacks that exploit security-question authentication.