Security Questions: When a Wrong Answer Is Actually Right

To keep your personal data safe, “cough medicine” is a better answer to “What’s your favorite ice cream?” than “chocolate.”


You know those fun questions on social media, like “If your superhero name was your mom’s maiden name + your dad’s middle name + the name of your first pet, then what would it be?” Or what about those quizzes that can guess which city you should live in based on a few personal questions? Those seem harmless, right? You do the quizzes or share your answers to the questions in the comments and then you forget about it. But what happens afterwards? Who sees your information?

The simple answer? Bad actors who would love nothing more than to use your “superhero name” to bypass your security questions. What security questions, you ask? The ones that are part of your login process to your bank account, email account, or other personal and professional secure systems. Security questions are a weak form of multi-factor authentication (MFA) offered by several companies across the internet. Fortunately, companies know it is best practice to use MFA when asking customers/members to log into their systems, as it makes it more difficult for bad actors to compromise your account. Unfortunately, too many companies have taken the path of least resistance when it comes to creating options for security questions. The result is a predictable set of default questions made available to you. See if any of the following questions ring a bell:

They should ring a bell, as these are the typical options you find when setting up your security questions. If the answers to these questions are the last thing standing between your bank account and a bad actor, then your account may not be as secure as you think. How many of those “harmless” quizzes and questions on social media have you participated in? How many answers to your security questions are already out in the world for bad actors to use?

The most obvious solution would be not to choose the easiest or most common security questions to answer. However, human nature pushes us toward the path of least resistance in most activities. This shows up not only in the selection of security questions, but also in the creation of passwords. How many of us know someone who likes to use their pet or child’s name or, even worse, just uses the word “password” for their passwords? So, if given the choice between “What is your pet’s name?” and “What was the color code for the paint on the walls of the first bedroom you slept in?”, which one are you going to pick? Yep, you’ll choose to put your furry friend’s name in as an answer and be done with it.

So, instead of making the question more difficult for you to answer, make the answer more difficult for the bad actor to figure out. Make your answer wrong. And not just wrong, have the answer make no sense in relation to the question. For example, if the security question is “What was the name of your childhood best friend?” your answer could be “Winston Churchill.” For “What is your favorite flavor of ice cream?” your answer could be “cough medicine.” Odds are that no one reading this was actually childhood friends with the former British prime minister, and I really hope no one’s favorite ice cream flavor is cough medicine. These wrong and nonsense answers will better protect your accounts from bad actors trying to gain access. Additionally, you can participate in all the social media quizzes and questions you want, safe in the knowledge that all the personal information you give out will not answer any of your security questions correctly.

Now, clearly you will need a very good way to track all these incorrect answers. I recommend a good password manager to help keep track of all of this. A good password manager will not only keep track of your incorrect answers to your security questions, but it will also help you build and keep track of all your long, random-character passwords that make no sense either. Some will even store your answers and passwords with their corresponding websites, and even automatically log in for you so you don’t have to type out your long and complex passwords.

If you don’t want to answer security questions incorrectly, and the website or system allows, you can always try to create your own security questions. If you do, make sure the questions are easy for you to answer, but so specific they cannot be guessed. Well-crafted security questions should be so intimate that no one but you knows the answer. So, as an example, create a question like “Where do you hide things at home from your significant other?” or “Who is the person you dream about that you are too embarrassed to share?” These types of questions are very hard to guess and not the sort of thing social media quizzes would prompt you to share. It is worth noting, though, that the answers to your security questions, even wrong ones, could still be guessed.
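The two pieces of advice above (nonsense answers kept in a password manager, and the caveat that even a nonsense answer can be guessed) have a counterpart on the service side: an answer should be treated exactly like a password, never stored in clear, and guesses should be limited. The following Python is an added illustration written for this article, not code from the author or from any particular vendor. The word list is constructed and deliberately tiny; the PBKDF2 iteration count and the five-attempt budget are assumptions, not figures from the article.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed word list for the demonstration only; a real generator would use
# a list of a few thousand words so three-word answers are not guessable.
WORDS = ["cough", "medicine", "winston", "churchill", "gravel", "teapot",
         "orbit", "velvet", "lantern", "pickle", "thunder", "quartz"]


def random_answer(words=WORDS, count=3):
    """Nonsense answer for any security question: random words with no relation
    to the question, drawn from the OS CSPRNG, meant to live in a password
    manager rather than in memory."""
    return " ".join(secrets.choice(words) for _ in range(count))


def normalize(answer):
    """Fold case, Unicode form and whitespace so 'Cough  Medicine' and
    'cough medicine' compare equal; this is a usability step, not a weakening
    of the hash."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def store_answer(answer, iterations=600_000):
    """Service side: salt and slow-hash the normalized answer (PBKDF2-HMAC-SHA256
    here; iteration count is an assumed value) instead of storing the text."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_answer(record, candidate):
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


class AnswerGate:
    """Wraps a stored record with a small failed-attempt budget (assumed: five),
    because any answer, nonsense or not, can be guessed given unlimited tries."""

    def __init__(self, record, max_attempts=5):
        self.record = record
        self.max_attempts = max_attempts
        self.failures = 0

    def check(self, candidate):
        if self.failures >= self.max_attempts:
            return False  # locked; recovery must go through another channel
        if verify_answer(self.record, candidate):
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    answer = random_answer()
    print("answer to keep in the password manager:", answer)
    gate = AnswerGate(store_answer(answer))
    print("correct answer accepted:", gate.check(answer.upper()))
    print("guess accepted:", gate.check("chocolate"))
```

The normalization step matters in both directions: without it, users lock themselves out over a stray capital letter; with a more aggressive normalization (stripping all punctuation, say) the service would quietly shrink the answer space it is hashing.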

In the information security world, there are three forms of authentication factors: Something you are, something you know and something you have. Something you are would be a characteristic specific to your biometric makeup such as your face, fingerprint or voice. Something you know would be information like your password or Social Security number. Something you have would be an item in your possession like a token or an ID. As the name implies, you would need to have two forms of authentication for it to qualify as multi-factor.

While MFA requires you to have two factors, it does not force you to have two different factors. For example, a password is always part of the login process, and it falls into the category of something you know. However, when you utilize security questions, they also fall into the same category as passwords … something you know. And as we have already discussed, these security questions tend to be predictable and easy to find the answers to. Companies use the same list of 10 or so questions, and your answers can be exposed during phishing attempts or even those social media questions and quizzes. Therefore, if you want to take your account login security to the next level, and it is an available option, you may want to consider 2FA instead of MFA.

Before, we talked about the different factors of authentication and how MFA required at least two, but it could be two of the same type of factor. 2FA works similarly but requires you to use two different factors. During a login, you will be prompted for your password, something you know, and a numeric code generated from a soft token like Google Authenticator, something you have. And since only you will have the something you have, this type of authentication provides an additional layer of security by stopping a bad actor from getting any further than your password.
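To show why the soft-token code counts as a separate factor from the password, here is the mechanism behind apps like Google Authenticator, written as an added example for this article (it is not code from the author, from Google, or from any credit union system). It implements HOTP (RFC 4226) and its time-based form TOTP (RFC 6238): phone and server share a secret at enrollment, and each side independently computes HMAC-SHA1 over the current 30-second time step, so the code proves possession of the secret without anything being sent to the phone. The issuer and account names in the enrollment URI are placeholders, and the one-step drift window and the replay guard are design choices assumed here.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
    to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238: the counter is the number of `step`-second intervals since the
    Unix epoch, which is what the authenticator app displays."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, step=30, digits=6, window=1):
    """Service side: accept the current step and `window` steps either side to
    tolerate clock drift, comparing in constant time. Returns the matching
    counter, or None, so the caller can refuse replays."""
    counter = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return counter + delta
    return None


def new_enrollment(issuer, account):
    """Fresh 160-bit secret plus the otpauth URI an authenticator app scans as a
    QR code. The secret is stored server-side as sensitive data."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
           f"&algorithm=SHA1&digits=6&period=30")
    return secret, uri


class SecondFactor:
    """Per-user state for one enrolled token: the shared secret and the last
    accepted counter, so a code captured during phishing cannot be reused
    within its validity window."""

    def __init__(self, secret):
        self.secret = secret
        self.last_counter = -1

    def check(self, code, at=None):
        if at is None:
            at = int(time.time())
        matched = verify_totp(self.secret, code, at)
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


def login(password_ok, second_factor, code, at=None):
    """Two different factors: the password (something you know) and the code
    from the token (something you have). Both must pass."""
    return bool(password_ok) and second_factor.check(code, at)


if __name__ == "__main__":
    # Placeholder issuer/account names, not a real enrollment.
    secret, uri = new_enrollment("ExampleBank", "member@example.invalid")
    print("enroll with:", uri)
    now = int(time.time())
    print("code the app would show now:", totp(secret, now))
    print("login:", login(True, SecondFactor(secret), totp(secret, now), now))
```

The test vectors from the two RFCs (shared secret `12345678901234567890` as ASCII) are what make this checkable offline: HOTP counter 1 must produce 287082, and TOTP at Unix time 59 lands on the same counter and the same code.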

So, the next time you see those social media questions enticing you to find out your superhero name or those quizzes tempting you to find out what color hair you should have, you can freely participate without worrying about giving away the answers to your security questions. And, if given the option of MFA and 2FA, choose 2FA, as it is the stronger and more secure option. However, if MFA with security questions is your only option, make the most of it. Answering these questions incorrectly may be the first time a wrong answer is actually right.

Mike Bechtel

Mike Bechtel is Information Security Analyst for the $5.2 billion Vizo Financial Corporate Credit Union in Greensboro, N.C.