Is that a thing? Yes, it’s a thing. Recovery question attacks are a terrible extension of the downgrade class of attacks. When signing up for websites, they require you to create multiple “recovery questions” and/or answers. You can’t complete the initial account setup without agreeing to use and populate the answers to those questions. These recovery questions often include questions such as “Mother’s Maiden Name,” “Father’s Middle Name,” “Favorite Teacher,” “First Car,” and so on.
You’re probably wondering what the problem is with this method. There are several problems.
- Some recovery questions can be guessed on the first try 20% of the time
- 40% of people were unable to recall their own recovery answers successfully
- 6% of answers could be found in a person’s social media profile
It is essential to point out that Google, Microsoft, and other vendors who understand how lousy recovery questions are for authentication no longer use them. If your MFA solution allows less secure alternative authentication methods, your authentication is only as strong as the weakest method.
The solution is never to use them if you can avoid them. If recovery questions are required, never answer them correctly. Instead, makeup something similar to a long password, using combinations of letters, symbols, and numbers. Make it unique for each recovery answer, never repeating an answer or using an existing password (of any account), and store it in a password manager or a “representative” form elsewhere.
Sometimes you can’t avoid using the recovery answers method. Still, you can make it difficult for anyone else to figure out, providing an additional layer of protection on your online accounts.
Source: (KnowBe4) 12+ Ways to Hack Multi-Factor Authentication by Roger Grimes