Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google

We examine the first large real-world data set on personal knowledge question's security and memorability from their deployment at Google. Our analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords. It turns out to be even lower than proxies such as the real distribution of surnames in the population would indicate. Surprisingly, we found that a significant cause of this insecurity is that users often don't answer truthfully. A user survey we conducted revealed that a significant fraction of users (37%) who admitted to providing fake answers did so in an attempt to make them "harder to guess" although on aggregate this behavior had the opposite effect as people "harden" their answers in the same and predictable way. On the usability side, we show that secret answers have surprisingly poor memorability despite the assumption that their reliability motivates their continued deployment. From millions of account recovery attempts we observed a significant fraction of users (e.g 40% of our English-speaking US users) were unable to recall their answers when needed. This is lower than the success rate of alternative recovery mechanisms such as SMS reset codes (over 80%). Comparing question strength and memorability reveals that the questions that are potentially the most secure (e.g what is your first phone number) are also the ones with the worst memorability. We conclude that it appears next to impossible to find secret questions that are both secure and memorable. Secret questions continue have some use when combined with other signals, but they should not be used alone and best practice should favor more reliable alternatives.

[1]  Muthucumaru Maheswaran,et al.  Feasibility of a Socially Aware Authentication Scheme , 2009, 2009 6th IEEE Consumer Communications and Networking Conference.

[2]  Ross J. Anderson,et al.  Social Authentication: Harder Than It Looks , 2012, Financial Cryptography.

[3]  Robert Biddle,et al.  Graphical passwords: Learning from the first twelve years , 2012, CSUR.

[4]  David A. Wagner,et al.  Conditioned-safe ceremonies and a user study of an application to web authentication , 2009, NDSS.

[5]  Moti Yung,et al.  Fourth-factor authentication: somebody you know , 2006, CCS '06.

[6]  Bhavani M. Thuraisingham,et al.  Inferring private information using social network data , 2009, WWW '09.

[7]  Serge Egelman,et al.  It's not what you know, but who you know: a social approach to last-resort authentication , 2009, SOUPS.

[8]  Adrian Perrig,et al.  This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. Déjà Vu: A User Study Using Images for Authentication , 2000 .

[9]  Julie Bunnell,et al.  Cognitive, associative and conventional passwords: Recall and guessing rates , 1997, Comput. Secur..

[10]  Sacha Brostoff,et al.  “Ten strikes and you're out”: Increasing the number of login attempts can improve password usability , 2003 .

[11]  Takahiro Tanaka,et al.  CHI '14 Extended Abstracts on Human Factors in Computing Systems , 2014 .

[12]  Serge Egelman,et al.  It's No Secret. Measuring the Security and Reliability of Authentication via "Secret" Questions , 2009, IEEE Symposium on Security and Privacy.

[13]  William J. Haga,et al.  Question-and-answer passwords: an empirical evaluation , 1991, Information Systems.

[14]  Joseph Bonneau,et al.  The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords , 2012, 2012 IEEE Symposium on Security and Privacy.

[15]  Joseph Bonneau,et al.  What ’ s in a Name ? Evaluating Statistical Attacks on Personal Knowledge Questions , 2010 .

[16]  Joseph Bonneau,et al.  Guessing human-chosen secrets , 2012 .

[17]  Serge Egelman,et al.  It's No Secret. Measuring the Security and Reliability of Authentication via “Secret” Questions , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[18]  P. V. Oorschot,et al.  Revisiting Defenses against Large-Scale Online Password Guessing Attacks , 2012, IEEE Transactions on Dependable and Secure Computing.

[19]  Simson L. Garfinkel,et al.  Email-Based Identification and Authentication: An Alternative to PKI? , 2003, IEEE Secur. Priv..

[20]  Markus Jakobsson,et al.  Improved Visual Preference Authentication , 2012, 2012 Workshop on Socio-Technical Aspects in Security and Trust.

[21]  Moshe Zviran,et al.  A Comparison of Password Techniques for Multilevel Authentication Mechanisms , 1990, Comput. J..

[22]  Julie Bunnell,et al.  Word Association Computer Passwords: The Effect of Formulation Techniques on Recall and Guessing Rates , 2000, Comput. Secur..

[23]  Mike Just,et al.  Personal choice and challenge questions: a security and usability assessment , 2009, SOUPS.

[24]  Nick Feamster,et al.  Photo-based authentication using social networks , 2008, WOSN '08.

[25]  Markus Jakobsson,et al.  Quantifying the security of preference-based authentication , 2008, DIM '08.

[26]  Stefan Savage,et al.  Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild , 2014, Internet Measurement Conference.

[27]  M. Angela Sasse,et al.  Are Passfaces More Usable Than Passwords? A Field Trial Investigation , 2000, BCS HCI.

[28]  Mark D. Dunlop,et al.  Internet authentication based on personal history - a feasibility test , 2005 .

[29]  Mike Just,et al.  Designing and evaluating challenge-question systems , 2004, IEEE Security & Privacy Magazine.

[30]  Markus Jakobsson,et al.  Love and authentication , 2008, CHI.

[31]  Ariel Rabkin,et al.  Personal knowledge questions for fallback authentication: security questions in the era of Facebook , 2008, SOUPS '08.

[32]  Joseph Bonneau,et al.  What's in a Name? , 2020, Financial Cryptography.

[33]  Sunny Consolvo,et al.  Online microsurveys for user experience research , 2014, CHI Extended Abstracts.

[34]  Ross J. Anderson,et al.  A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs , 2012, Financial Cryptography.

[35]  Markus Jakobsson,et al.  Messin' with Texas Deriving Mother's Maiden Names Using Public Records , 2005, ACNS.