Elie Bursztein and Ilan Caron of Google, in May 2015 (via Michael Tsai):
[Despite] the prevalence of security questions, their safety and effectiveness have rarely been studied in depth. As part of our constant efforts to improve account security, we analyzed hundreds of millions of secret questions and answers that had been used for millions of account recovery claims at Google. We then worked to measure the likelihood that hackers could guess the answers.
Our findings, summarized in a paper that we recently presented at WWW 2015, led us to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism. That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember — but rarely both.
A few years ago, I began using a random password generator to create answers to security questions when they’re required to create an account somewhere. But even that level of protection is rarely enough: nefarious parties almost never attempt to brute-force a password or security question when a human phone operator is so much easier to fool.
So, security questions are typically either easy to guess or hard to remember, yet it’s usually more straightforward to utilize the weakest link in the security chain, which is consistently people. What are they good for? Phasing them out was the right move for Google.
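To make the quoted finding concrete, here is an added example (my own code, not from the Google paper or this post) that measures, on a constructed sample of answers, how often an attacker who simply guesses the most common answers succeeds, beside the same attack against generated random answers. The sample answer counts are invented for illustration.

```python
"""Guessability of security-question answers vs. generated random answers."""
from collections import Counter
import secrets
import string

# Constructed sample (not real data): 50 answers to a "favourite food" question.
# Case and whitespace vary, as real recovery forms usually ignore them.
SAMPLE_ANSWERS = (
    ["pizza"] * 18 + ["Pizza", " PIZZA "]      # 20 accounts say pizza
    + ["chicken"] * 10 + ["pasta"] * 8 + ["sushi"] * 5
    + ["haggis", "okra", "natto", "durian", "poutine", "kimchi", "tamales"]
)

ALPHABET = string.ascii_letters + string.digits   # 62 symbols


def normalise(answer: str) -> str:
    """Canonical form a recovery form would compare against."""
    return answer.strip().lower()


def guess_success_rate(answers, k: int) -> float:
    """Fraction of accounts an attacker takes over with k guesses per account,
    always trying the k most common answers (the 'easy to guess' side)."""
    counts = Counter(normalise(a) for a in answers)
    guessed = sum(c for _, c in counts.most_common(k))
    return guessed / len(answers)


def random_guess_success_rate(length: int, k: int) -> float:
    """Same k-guess attacker against uniformly random answers of this length
    over ALPHABET; every account needs its own guessing, so there is no
    popular answer to reuse across victims."""
    return min(1.0, k / (len(ALPHABET) ** length))


def random_answer(length: int = 16) -> str:
    """Generator-style answer: secure, but not memorable (store it in a manager)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for k in (1, 3, 5):
        print(f"{k} guesses: human answers {guess_success_rate(SAMPLE_ANSWERS, k):.0%},"
              f" random answers {random_guess_success_rate(16, k):.1e}")
```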