Account recovery questions were intended as a backup verification step. A user setting up an account would select a question (mother's maiden name, street where they grew up, name of first pet) and provide an answer. If they later lost access to the account, answering the question was meant to confirm their identity.

The questions have become a parallel identity record. The answers are, in many cases, derivable from the public record. Mother's maiden name is on the birth certificate. The street where someone grew up may be in old census data or directories. The name of a first school is on social media congratulations from former classmates. The answers function less as secrets than as identifiers held by both the user and anyone who knows where to look.

When account recovery information is leaked (through breaches of services that stored it, or through compromise of individual accounts), the leaked answers become part of the background record. A persistent attacker, attempting to access an unrelated account, can try the same answers against it and often succeed.

The answers are also identifying in their own right. A user whose recovery answer for one site is a particular childhood address is the same user whose recovery answer for another site is the same address. The cross-account linkage is direct.

· · ·

Better recovery infrastructure exists (hardware tokens, recovery codes printed and held offline, trusted device confirmations). Where it is offered and used, the older recovery questions can be removed or replaced with non-answers (random strings with no relation to the user's history). The desk reads the surrounding state of a client's recovery information where it bears on the work, and recommends improvements consistent with the rest of the position.
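As an added illustration of the replacement approach described above (not code from the original page or from any service it refers to), the following Python sketch generates printable one-time recovery codes, stores only salted hashes of them server-side so a breach of the stored record does not yield usable codes, redeems each code exactly once, and produces a random non-answer for a legacy recovery question. The function names, the code length and count, and the in-memory record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import string

# Alphabet for codes and non-answers (assumption: lowercase letters and digits,
# so a code read back from paper is unambiguous regardless of case).
ALPHABET = string.ascii_lowercase + string.digits


def generate_recovery_codes(count=10, length=10):
    """Return `count` random one-time codes for the user to print and keep offline.

    Each code has 36**10 (~52 bits) of entropy, unlike a maiden name or a street,
    which is drawn from a small, publicly derivable set.
    """
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def _hash_code(code, salt):
    # Codes are high-entropy, so a salted SHA-256 suffices; low-entropy answers
    # such as childhood addresses would need a deliberately slow KDF instead.
    return hashlib.sha256(salt + code.encode("utf-8")).hexdigest()


def store_codes(codes):
    """Build the server-side record: per-code salt, hash, and a used flag.

    The plaintext codes are never persisted; they are shown once at enrolment.
    """
    records = []
    for code in codes:
        salt = secrets.token_bytes(16)
        records.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
    return records


def redeem_code(records, candidate):
    """Consume one recovery code.

    Returns True the first time a valid, unused code is presented and False for
    anything else (unknown code, or a code that has already been spent).
    """
    normalized = candidate.strip().lower()
    for rec in records:
        if rec["used"]:
            continue
        if hmac.compare_digest(_hash_code(normalized, rec["salt"]), rec["hash"]):
            rec["used"] = True  # single use: a leaked or shoulder-surfed code cannot be replayed
            return True
    return False


def random_non_answer(length=20):
    """A replacement 'answer' for a recovery question that cannot be removed.

    It is random and unrelated to the user's history, so it is neither in the
    public record nor shared with the user's answers on any other site.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    codes = generate_recovery_codes()
    print("Print and keep offline:", codes)
    records = store_codes(codes)
    print("First redemption:", redeem_code(records, codes[0]))   # True
    print("Replay of same code:", redeem_code(records, codes[0]))  # False
    print("Non-answer for 'first pet':", random_non_answer())
```

The non-answer is meant to be stored in a password manager alongside the site's credentials; the point is that nothing in it can be looked up or correlated across accounts, which is the weakness of the real answers.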