Security questions being too easily compromised

29 March 2017

Security questions are too easily compromised, according to the National Cyber Security Centre (NCSC), but biometric and blockchain solutions are being trialled.

Security questions are widely used as a form of authentication, especially as a backup if you forget your password. But research suggests authentication systems are not as robust as they should be.

Many companies rely on personal questions to reset online account passwords. But security questions like ‘What is your mother’s maiden name?’ or ‘What is your favourite colour?’ can be easily researched or guessed by cyber criminals, especially given the widespread use of social media.

Analysis by Microsoft found that personal questions of the type used by major web services like AOL and Google can be easily guessed: using popular answers, researchers guessed 13% of the answers within five attempts. Researchers have even built algorithms that can deduce personal passwords by using leaked information available to hackers; they successfully guessed an average user’s account password 73% of the time.

NCSC warning

The UK NCSC recently advised organisations to carefully consider if security questions offer enough protection.

The NCSC warns that even dynamic questions, like ‘What is the current balance of your account?’ or ‘Where did you last use your credit card?’, are not as secure as they seem. If the range of likely answers is narrow, criminals may be able to guess the answer.
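The two findings above (13% of answers guessed within five attempts, and dynamic questions with a narrow answer range) can be checked for any candidate question by measuring how far popular answers get an attacker under a lockout policy. The following is an added example, not code from the original article or from the NCSC; the answer sets are constructed sample data, not real survey results.

```python
from collections import Counter
from math import log2

# Constructed sample answer sets (assumption: not real survey data). Each list
# stands for the answers a population of users gave to one security question.
FAVOURITE_COLOUR = (["blue"] * 35 + ["green"] * 15 + ["red"] * 12
                    + ["purple"] * 10 + ["black"] * 8 + ["yellow"] * 5
                    + ["pink"] * 5 + ["orange"] * 4 + ["white"] * 3 + ["grey"] * 3)
# A "dynamic" question whose likely answers fall in a narrow range.
LAST_CARD_USE_CITY = (["London"] * 60 + ["Manchester"] * 20
                      + ["Birmingham"] * 10 + ["Leeds"] * 10)


def guess_success_rate(answers, attempts):
    """Fraction of accounts opened by trying the most popular answers in
    order, with at most `attempts` guesses per account (a lockout policy)."""
    counts = Counter(answers)
    total = sum(counts.values())
    most_popular = sorted(counts.values(), reverse=True)[:attempts]
    return sum(most_popular) / total


def min_entropy_bits(answers):
    """Min-entropy: -log2 of the probability of the single most common answer.
    This is the strength against an attacker who gets exactly one guess."""
    counts = Counter(answers)
    return -log2(max(counts.values()) / sum(counts.values()))


def uniform_success_rate(space_size, attempts):
    """Same metric for a uniformly random secret, e.g. a one-off SMS code."""
    return min(attempts, space_size) / space_size


def assess(name, answers, attempts=5):
    """Summarise one question so it can be compared with a random code."""
    return {
        "question": name,
        "distinct_answers": len(set(answers)),
        "success_within_attempts": round(guess_success_rate(answers, attempts), 3),
        "min_entropy_bits": round(min_entropy_bits(answers), 2),
    }


if __name__ == "__main__":
    for name, data in (("favourite colour", FAVOURITE_COLOUR),
                       ("last card use city", LAST_CARD_USE_CITY)):
        print(assess(name, data))
    # A six-digit one-off code under the same five-attempt lockout, for scale.
    print("6-digit SMS code:", uniform_success_rate(10 ** 6, 5))
```

The comparison shows what the NCSC point amounts to in numbers: a question whose answers cluster on a few values is broken by a handful of guesses even with a strict lockout, whereas a random one-off code gives an attacker a negligible chance under the same policy.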

Password security and authentication remain a big issue. Some 80-90% of data breaches involve the theft of security credentials, which suggests that passwords are not all that effective.

The NCSC questions whether companies should use personal questions as a form of authentication, especially for critical services. While there are advantages to using security questions, they are only likely to deter a casual opportunist. They are not a barrier to a more determined cyber criminal.

Alternative solutions

However, technology may provide new forms of authentication that could eventually make passwords history.

The NCSC, for example, is looking to stimulate the development of alternatives to passwords, using government services to trial new techniques, ranging from facial recognition to smart watches.

The government is also developing an online identity system, Verify, which uses independent suppliers like banks and credit agencies to authenticate users digitally. It aims to have 25 million Verify users by the end of 2020, although the system currently has just 1.1 million registered users.

Biometrics to blockchain

Fingerprint or iris recognition and even heart rate authentication are also alternatives, while one-off random temporary codes sent via SMS are another option.

Last year MasterCard announced plans to authenticate transactions using facial recognition ‘selfies’ and thumbprints. Visa is also looking to develop an app that uses multiple biometric methods to bypass the need for passwords.

Blockchain technology could also offer a solution for password-less authentication. A group of Canadian banks is working with IBM on an app that uses blockchain technology to provide a digital identity service, enabling consumers to verify their identity to retailers. The effectiveness of passwords and security questions is a pervasive issue, and for now there is no easy answer.

Technology may help in the future, but there are steps that organisations can take now to improve the security of passwords, such as enabling two-factor and biometric authentication where possible, particularly when offered by a technology provider at no cost, as well as protecting themselves against the consequences of data breaches through insurance.

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on
