Google has published the results of a study that found security questions (or challenge questions) used for online account recovery are next to useless. Distilled to a single sentence: security questions "suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both."
For instance, 19.7 percent of English speakers give "pizza" as their favorite food. That means an attacker guessing that particular answer is right 1 time in 5, with just one try. In the Arabic-speaking world, ten guesses would give an attacker a 24 percent chance of getting your first teacher's name.
Stepping it up a notch, an attacker on a Korean speaker's account would have a 39 percent chance of guessing their favorite food with ten guesses, and a 43 percent chance of guessing their city of birth.
That is what we in the business call sobering.
On the other end of the spectrum, more difficult questions have a high failure rate, making them useless for account recovery. Only 22 percent of users can recall their library card number, while only 9 percent of users can recall their frequent flyer number. And that assumes these folks could have looked at them in their wallets or files before entering.
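The two failure modes above (guessable answers, forgettable answers) can be measured directly from the answers a site has collected, which is how a defender decides whether a question is worth offering at all. The following is an added example, not code from Google or from the study: it computes the fraction of accounts a cold attacker opens with the k most common answers, the corresponding min-entropy, and a combined accept/reject check. The answer sets, the recall rates and the thresholds (1 percent attacker success at ten guesses, 80 percent recall) are constructed assumptions for illustration.

```python
import math
from collections import Counter

# Constructed sample: 100 "favorite food" answers with a heavy head and a
# long tail, mimicking the concentration the study describes (not real data).
FAVORITE_FOOD_ANSWERS = (
    ["pizza"] * 20 + ["Pasta"] * 8 + ["sushi"] * 6 + ["tacos"] * 5
    + ["chicken"] * 4 + ["steak"] * 3 + ["curry"] * 3 + ["ramen"] * 2
    + [f"dish-{i}" for i in range(49)]
)

# Constructed sample: 1000 "library card number" answers, all distinct,
# so no common answer exists for an attacker to lean on.
LIBRARY_CARD_ANSWERS = [f"{1000000 + i:07d}" for i in range(1000)]

# Constructed recall rates: share of legitimate users who can reproduce
# their own answer at recovery time (assumption, not measured data).
FAVORITE_FOOD_RECALL = 0.74
LIBRARY_CARD_RECALL = 0.22


def normalize(answer: str) -> str:
    """Canonicalize an answer the way a recovery form would before comparing,
    so "Pasta" and "pasta " count as the same guess."""
    return " ".join(answer.strip().lower().split())


def guess_success_rate(answers: list[str], guesses: int) -> float:
    """Fraction of accounts an attacker opens by trying the `guesses` most
    common answers against every account, knowing nothing about the user."""
    counts = Counter(normalize(a) for a in answers)
    hits = sum(c for _, c in counts.most_common(guesses))
    return hits / len(answers)


def min_entropy_bits(answers: list[str]) -> float:
    """-log2 of the most common answer's share: resistance to a single guess."""
    counts = Counter(normalize(a) for a in answers)
    top_share = counts.most_common(1)[0][1] / len(answers)
    return -math.log2(top_share)


def acceptable(answers: list[str], recall_rate: float, guesses: int = 10,
               max_guess_rate: float = 0.01, min_recall: float = 0.80) -> bool:
    """A question is only worth offering when a ten-guess attacker opens at
    most 1% of accounts AND most legitimate users can still answer it.
    Both thresholds are assumptions chosen for this example."""
    return (guess_success_rate(answers, guesses) <= max_guess_rate
            and recall_rate >= min_recall)


if __name__ == "__main__":
    for name, answers, recall in [
        ("favorite food", FAVORITE_FOOD_ANSWERS, FAVORITE_FOOD_RECALL),
        ("library card number", LIBRARY_CARD_ANSWERS, LIBRARY_CARD_RECALL),
    ]:
        print(f"{name}: 1-guess {guess_success_rate(answers, 1):.2%}, "
              f"10-guess {guess_success_rate(answers, 10):.2%}, "
              f"min-entropy {min_entropy_bits(answers):.2f} bits, "
              f"recall {recall:.0%} -> acceptable={acceptable(answers, recall)}")
```

Run against the constructed data, the "favorite food" question fails on guessability (a tenth of the accounts fall to the single most common answer) while the "library card number" question passes the attacker check but fails on recall; neither clears both bars, which is the study's point. Note that the guess-rate estimate is only as good as the sample: with a small answer set every answer looks rare, so measure on a population large enough that the long tail has actually filled in.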
Google also published an infographic with lots of interesting factoids from the study (image not reproduced here).
Google didn't go into this specifically, but the study looked at the efficacy of random attacks. If you were the subject of a deliberate attack by someone who had profile information on you, security questions would almost surely let them get at your accounts.
Google's near-term answer for account recovery and security is to ditch security questions and go with two-factor authentication using phone numbers, text messages, and/or backup email addresses. The company encouraged its own product users to keep their accounts updated with current information, and it also encouraged third-party site operators to ditch security questions.
Both of which seem like excellent ideas. Get to it.