Blogger: Mark Diodati
At Burton Group, we speak about identity proofing as essential for a reliable identity infrastructure. I discuss identity proofing in my January 2007 P2P Identity Proofing blog entry. I would take a sufficiently identity-proofed password over a poorly identity-proofed smart card any day.
Knowledge-based authentication (KBA) permeates most identity systems today, and is the default identity proofing technique in IdM. The problem with KBA is that the answers are generally easily guessed by a fraudster. The result is that KBA is probably not a good choice for stronger authentication systems (for example, smart cards and one-time password devices) and applications allowing material monetary transfers or access to private data. I don’t want to dismiss KBA completely. I’ve spoken to some customers that have implemented KBA for employees with the right internal controls (for example, encrypting the answers and auditing identity proofing transactions) and the right level of access (these accounts can’t access the secret recipe or move money around).
What can be used in lieu of KBA in an online scenario? One option is what I call dynamic KBA. Dynamic KBA pulls questions and answers from information sources like public records, credit reports, and perhaps the employee’s last pay stub. The answers are generally much harder to guess and unknown by system administrators. Another option is out-of-band (OOB) identity proofing. One OOB identity proofing technique is calling the user at a phone number of record via an automated service, and then reading a “vouch code” to the user. The user enters the vouch code into the online application to prove his identity.
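The OOB vouch-code flow described above, as an added illustration that is not code from the post or from any product it mentions. It assumes a hypothetical automated phone service (`phone_caller`), a 6-digit code, a 5-minute lifetime and a 3-attempt limit; those parameters are my choices, not the author's. The point it makes beyond the paragraph is what the server must keep and check: only a salted hash of the code is stored, the code leaves the server solely via the out-of-band channel, and verification enforces expiry, an attempt limit, single use and a constant-time comparison, with each proofing transaction written to an audit trail.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy parameters (not from the post).
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class VouchChallenge:
    """Server-side record of one outstanding vouch code."""
    user_id: str
    phone_of_record: str
    code_hash: bytes        # salted hash only; the clear-text code is never stored
    salt: bytes
    expires_at: float
    attempts: int = 0
    consumed: bool = False


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode("ascii")).digest()


class VouchCodeService:
    """Issues a vouch code out of band and verifies what the user types online."""

    def __init__(self, phone_caller, now=time.time):
        # phone_caller(phone_number, code): hypothetical automated voice service
        # that dials the number of record and reads the code aloud.
        self._call = phone_caller
        self._now = now
        self._challenges: dict[str, VouchChallenge] = {}
        self.audit_log: list[tuple] = []   # identity-proofing transactions are audited

    def start(self, user_id: str, phone_of_record: str) -> None:
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        self._challenges[user_id] = VouchChallenge(
            user_id, phone_of_record, _hash_code(code, salt), salt,
            self._now() + CODE_TTL_SECONDS)
        self._call(phone_of_record, code)   # the only path the code takes out of the server
        self.audit_log.append(("issued", user_id, phone_of_record))

    def verify(self, user_id: str, submitted: str) -> bool:
        ch = self._challenges.get(user_id)
        if ch is None or ch.consumed:
            self.audit_log.append(("rejected-no-active-challenge", user_id))
            return False
        if self._now() > ch.expires_at:
            del self._challenges[user_id]
            self.audit_log.append(("rejected-expired", user_id))
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(_hash_code(submitted, ch.salt), ch.code_hash)
        if ok:
            ch.consumed = True                   # single use
            self.audit_log.append(("proofed", user_id, ch.phone_of_record))
            return True
        if ch.attempts >= MAX_ATTEMPTS:
            ch.consumed = True                   # lock after too many wrong guesses
            self.audit_log.append(("locked", user_id, ch.attempts))
        else:
            self.audit_log.append(("rejected-wrong-code", user_id, ch.attempts))
        return False


def make_service_with_fake_phone(now_fn=time.time):
    """Demo helper: a fake caller that records what the voice service would say."""
    calls = []
    svc = VouchCodeService(lambda phone, code: calls.append((phone, code)), now=now_fn)
    return svc, calls


if __name__ == "__main__":
    svc, calls = make_service_with_fake_phone()
    svc.start("alice", "+1-555-0100")           # constructed sample user and number
    _, spoken_code = calls[-1]
    print("verified:", svc.verify("alice", spoken_code))
    print(svc.audit_log)
```

The fake caller stands in for the phone channel so the flow runs offline; in a real deployment the number of record must come from a trusted source the user cannot edit during the same session, otherwise the out-of-band step proves nothing.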
So, how does adequate identity proofing relate to EMC/RSA’s acquisition of Verid? Verid provides dynamic KBA services, which complement EMC/RSA’s existing consumer authentication products. Given the escalating level of identity theft and consumer fraud, the use of “plain ole” KBA for users accessing private information and moving material amounts of money is not sufficient. If RSA can integrate the Verid technology in a holistic manner with its consumer authentication offerings, the acquisition is a good thing.
The consumer authentication market does not suffer from a lack of dynamic KBA and OOB identity proofing solutions. However, many financial institutions interested primarily in compliance with the FFIEC authentication “guidance” have not implemented better identity proofing because the guidance does not mandate the use of these techniques. I hope that more financial institutions and other organizations implement better identity proofing.