A new study by Google's security team discovered that Google accounts' security questions are often too easy or too hard to remember.
Google's study reviewed "hundreds of millions" of security questions for user account recovery. They were not secure or reliable enough to be a standalone "account recovery mechanism." Questions that were too easy to remember were too easy for online attackers to guess. Meanwhile, questions that were too hard to recall and users tend to forget them. Few questions were between the two extremes.
For example, about 20 percent of English-speaking Google users answered "pizza" for the security question about a user's favorite food, according to Tech Crunch. Also, in countries with very high metropolitan populations, good hackers can often quickly guess correctly their city birthplace.
Google also learned that Google users often gave the same answers for multiple questions. This was true even when the true answers were completely different.
A grand total of 40 percent of English-speaking Google users in the United States totally forgot their security questions. For instance, only 9 percent of users remembered the valid answer to the question about their frequent flyer membership number.
The study revealed that people often forgot certain answers as time passed. The success rate for answering the favorite food question correctly was 74 percent after one month, 53 percent after three months, and 47 percent after one year, according to Tech Times.
It might seem to be a logical step to add extra questions when the first question is a cinch to guess. While it is more difficult for online hackers to correctly guess two questions, it is also more difficult for the Google user to remember the two queries.
Google researchers shared that secondary email addresses, SMS backup codes, and other methods are more secure authentication. The security questions should be a last resort.
In a Google blog post, the tech company urged Google account users to keep their account recovery information up-to-date.