It’s Time to Kill the Online Security Question

By

Tata. Honolulu. Stanley. Those are, respectively, Barack Obama's first pet, city of birth, and the first name of his maternal grandfather. I found all three facts with five minutes of Googling. And if President Obama had his online accounts set up the same way most of us do (he doesn't, thankfully), I might have just gotten the skeleton key to his entire digital life.

Security questions are one of the age-old institutions of digital authentication. Their flaws are well documented — answers are easy to guess or look up, they're easily bypassed in the event of a brute-force hack, and companies themselves seem not to take them seriously — and yet, they're still used everywhere. But their role in the hacking of celebrity iCloud accounts to find huge troves of nude pictures should be the last straw. It's time to kill the security question, once and for all.

We don't know yet exactly how the accounts of Jennifer Lawrence, Kirsten Dunst, and other female celebrities were compromised. But it seems clear, both from Apple's statement on the matter and from the stated methods of similar hackers, that security questions played a big role in allowing hackers to gain access to their iCloud backups. To put it simply: In order to pull off most types of hacks, you first need to get a user's password. And although other methods for getting passwords exist (like phishing over email or writing scripts that will try thousands of possible combinations), the easiest way for a hacker to gain access is simply to guess the answers to a user's security questions, and — when he's gotten them right — to reset the password to one of his choosing.

Two caveats to this argument: First, to harp on the systematic flaws of Apple's user protections — and point out the absurdity of its "targeted attack" blame-shifting — isn't to lessen the gravity of the hackers' criminal acts, which may have been possible even under a stronger authentication system. And second, as Mat Honan has pointed out, security questions aren't the only problem with the modern password regime — but they are the most obvious place to start fixing it.

Questions like "What is your mother's maiden name?" and "What is the name of the hospital in which you were born?" are an artifact from the early days of the internet. (It's telling that many of the typical security questions were written in an age in which most women changed their last names when getting married, and it was taken as a given that children were born in hospitals.) Back then, they were used mainly by banks and credit-card companies and were called "out-of-wallet questions," since the answers would be known only to the account holder and not, say, to someone who had stolen the account holder's wallet. 

Even in the good old days, security questions protected users mostly from threats from prying strangers, rather than all possible hackers. (A mugger wouldn't know your mom's maiden name, but your estranged brother would.) But today, in an age when most people's basic biographical information is available online in some form, security questions are fairly useless. As The Atlantic wrote in 2012, a study by Microsoft Research found that users' acquaintances could guess the answers to their security questions 17 percent of the time. Strangers guessed the correct answers within five tries 13 percent of the time.

Celebrities and public figures are particularly vulnerable to attacks based on these questions since so much of their personal information is publicly available. But as Sam Biddle writes at Valleywag, everyone's a potential target — and creeps on image boards like AnonIB have been exploiting security questions to gain the passwords and rip the iCloud backups of non-famous women as well.

Security questions are a form of what's called "knowledge-based authentication" — identity-verification tools that rely on information that is only known by an account bearer. (Another example would be Facebook's odd photo-tag recognition test.) The problem with knowledge-based authentication is that in today's world of widely shared personal information, single-party questions are harder to find. Try to think of one fact about yourself that you, and only you, know. Your favorite food? Your first boss? The location of your hidden tattoo?

Guessing this information wouldn't be hard for your ex, your best friend, or someone who could view your Instagram history, your LinkedIn profile, or your Facebook photos and piece the information together. The security questions that would truly be answerable only by you — "What's your favorite porn site?" "Which prescription drugs do you take?" — aren't the kinds of things you're likely to share with a website.

The standard security question could be improved by allowing users to create their own questions or by beefing questions up with some kind of location data (i.e., to recover your password, type the name of the last foreign country you visited — your iCloud account pulls this information from your iPhone's metadata). But really, security questions should go away altogether. They're so dangerous that many security experts recommend filling in random gibberish instead of real answers — in other words, you're safer having no security questions than using them as intended.

There are all kinds of ways to lock down your most important accounts — Gizmodo's guide is a good place to start. Two-factor authentication (the option to have a one-time code sent to your phone, which you then use to log in to your account in conjunction with your password) is important, even though it wouldn't have helped in the case of the recent iCloud break-in. And, eventually, some advanced form of biometric authentication (fingerprints, retina scans) may become standard, and security questions may get phased out altogether.

But until then, when so many better options exist, there's no reason a company like Apple should be relying on questions like "What was the model of your first car?" for password recovery in 2014. If that's the best way we have of making sure a user is legit, we might as well change all of our passwords to "1234" and hope for the best.