It's funny how, as soon as you are preparing to start marketing a new solution, you find so many faults in old ones. On this note, Google security researchers have recently posted a blog entry in which they showed how ineffective security questions actually are. The company's officials presented their findings at the World Wide Web conference, which took place in Florence, Italy. But as far as I know, they neglected to mention how this little detail managed to escape them during all the years they've been using this method.
According to the study, most of the answers we give to security questions are pretty easy for hackers to guess, and if you choose a smarter answer, it's very likely that you will have completely forgotten it by the time you have to use it. The research has shown that questions like "What's your favorite food?", "What's your mother's maiden name?" or "What's the name of your pet?" either have common answers or are easy to solve by checking your previous social media posts. For example, somewhere around 20% of users wrote that pizza is their favorite dish.
What's actually interesting (and also a bit annoying) is that even our clever answers aren't as great as we think them to be. The research has proven that so many people choose the same false answers that they're easier to guess for hackers than the true answer. Moreover, Google researchers studied what would happen if websites opted to use two security questions instead of one. While it would make it a lot harder for hackers to quickly bypass this security measure, actual users would also have a major problem as only 59% would be able to repeat their original answers. Writing the answers down seems like a possible security breach waiting to happen, so it's not really a viable solution.
In conclusion, Google's security researchers recommend that both websites and users adopt backup SMS codes (2-factor authentication) to increase the security of their data.