A research paper from Google has looked into the difficulties of standard ‘forgotten password’ personal information verification.
The paper, entitled ‘Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google’, examined the use of personal knowledge questions to authorise a password reset, and found that the approach suffers from a number of problems, including forgetful users, easily guessed answers and deliberately false responses.
The study, which according to Silicon Beat covered ‘hundreds of millions of secret answers and millions of account recovery claims’, discovered that a massive 40 percent of American Google users couldn’t remember the answers to their own security questions.
As you might expect, subjective questions such as ‘what is your favorite food type’ caused the most difficulties: 74 percent of users could recall their answer a month after setting it, but only 53 percent could after three months, with further deterioration over time.
Lying was also surprisingly common when users set up their secret questions. Of those who admitted giving a false answer, 37 percent said they did so to make it harder to guess, 31.9 percent cited privacy, and, ironically, 15 percent said the false answer would be easier to remember.
The researchers found that the questions with the best recall were ‘city of birth’ and ‘father’s middle name’, but the paradox is that these are also among the least secure: an attacker could well gather this information from a little research, and many users share the same common answers, making them easy to guess. As The Register points out, “the more secure the question, the less likely we are to recall it.”
The fallibility of the ‘secret question’ system is why Google prefers to use email and text messages for account recovery. The researchers found that the success rate of SMS-based recovery was 20 percent higher than “even the most successful secret answer language/population bucket”, while email-based recovery was 14.5 percent higher.