Security questions and answers (aka Knowledge-Based Authentication) are a popular secondary means of authentication for online sites. This talk analyzes the security of actual user choices included in data dumps from three different organizations.
Security questions and answers have become a popular secondary authenticator for online sites. While security professionals have generally dismissed them as a poor choice, they don't seem to be disappearing. In this talk, I will share my analysis of actual user security question and answer choices that were leaked through three different database dumps in the past year. I use this real-world data to demonstrate where security questions seem to have their greatest weaknesses, and discuss how to steer implementations towards providing better security. For comparison, we will also look at how the statistics from these environments compare to previous academic studies of security questions.