Blogger: Mark Diodati
Since 2005, Burton Group has discussed the dangers of static knowledge-based authentication (KBA) for identity proofing. Identity proofing steps are the organizational processes used to authenticate a user when their primary authenticator is not available. Identity proofing is used throughout the authentication lifecycle, including onboarding/account origination, emergency access, and authenticator re-enablement (e.g., password reset and one-time password unlock). You can check out our posts on P2P identity proofing, EMC’s acquisition of Verid, and another post on KBA.
Static KBA systems use a fixed, unchanging set of questions, either easily guessed or self-selected by the user, to prove a user’s identity at these authentication lifecycle milestones. The problem with static KBA is that the answers are generally easy for a fraudster to guess or look up, and once learned they can be reused indefinitely. We now have some scientific data on the feebleness of static KBA. Robert Lemos at Technology Review has written an excellent article on the work of researchers from Microsoft and Carnegie Mellon University:
Amen.
Let’s hold our financial services organizations to a reasonable standard. Static KBA should never be used to authenticate the holder of an account that has material access to confidential data or financial transactions (language similar to the FFIEC guidance on multi-factor authentication has been used here on purpose). Let’s put an end to static KBA for these use cases (preferably for all use cases) and move to stronger technologies for customers who have an existing relationship with a financial services organization. A variety of technologies are available; out-of-band (OOB) identity proofing, which delivers a fresh challenge to a channel the customer registered earlier, is much stronger than KBA and should be the strategic future direction of identity proofing for these use cases. Dynamic KBA is stronger than static KBA, but it’s probably not strong enough in the long term; any technology that depends on public information for authentication will eventually fail in the age of Google.
While we’re at it, let’s look beyond password-based authentication for important updates to accounts. If I want to change the phone number from which I perform banking transactions, the bank should do some background investigation to make sure the new phone number isn’t associated with known fraud. The risk analytics engines in the consumer authentication suites exist to perform this function; they ought to be used.
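To make the contrast concrete, here is an added example (written for this page; it is not Burton Group’s code, nor that of any vendor or bank named in the post) that models a static KBA check next to an out-of-band proofing step, and then uses the OOB step to gate a registered-phone-number change. The SMS gateway is a constructed stub that records messages instead of sending them, the fraud-linked number list is constructed sample data standing in for a risk engine, and the code length, five-minute lifetime and three-attempt cap are illustrative choices, not values taken from any guidance.

```python
"""Static KBA versus out-of-band (OOB) identity proofing: an illustrative model.

Added example, not code from the original post. The gateway, account data and
fraud list below are constructed for illustration.
"""
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # illustrative lifetime of an OOB code
MAX_ATTEMPTS = 3         # illustrative cap on guesses per issued code


class StaticKBA:
    """Static KBA: a fixed set of self-selected answers that never changes.

    The 'secret' has only the entropy of the answer, it is often public or
    guessable, and a fraudster who learns it once can reuse it forever.
    """

    def __init__(self, answers):
        # Normalise case and whitespace so legitimate users are not rejected.
        self._answers = {q: a.strip().lower().encode() for q, a in answers.items()}

    def verify(self, question, answer):
        expected = self._answers.get(question)
        if expected is None:
            return False
        return hmac.compare_digest(expected, answer.strip().lower().encode())


class OOBProofing:
    """OOB proofing: a fresh random code sent to a previously registered channel.

    Only the holder of the registered phone can complete the step; the code is
    single-use, expires, and the number of guesses is capped.
    """

    def __init__(self, send, clock=time.time):
        self._send = send       # callable(destination, message); see RecordingGateway
        self._clock = clock
        self._pending = {}      # account_id -> [code, expiry, attempts, destination]

    def issue(self, account_id, registered_phone):
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits, fresh per challenge
        self._pending[account_id] = [code, self._clock() + CODE_TTL_SECONDS, 0, registered_phone]
        self._send(registered_phone, f"Your verification code is {code}")
        return True

    def verify(self, account_id, submitted):
        state = self._pending.get(account_id)
        if state is None:
            return False
        code, expiry, attempts, _dest = state
        if self._clock() > expiry or attempts >= MAX_ATTEMPTS:
            del self._pending[account_id]   # expired or exhausted: must re-issue
            return False
        state[2] += 1
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[account_id]   # single use
            return True
        return False


class RecordingGateway:
    """Constructed stand-in for an SMS gateway: records instead of sending."""

    def __init__(self):
        self.sent = []

    def __call__(self, destination, message):
        self.sent.append((destination, message))


class Account:
    def __init__(self, account_id, phone):
        self.account_id = account_id
        self.phone = phone


# Constructed sample data standing in for a risk engine's fraud-linked numbers.
KNOWN_FRAUD_NUMBERS = {"+15555550199"}


def start_phone_change(account, new_phone, oob):
    """Refuse fraud-linked numbers, then challenge the *current* registered phone.

    Sending the code to the new number would let anyone holding the password
    re-point the OOB channel to a phone they control.
    """
    if new_phone in KNOWN_FRAUD_NUMBERS:
        return False
    return oob.issue(account.account_id, account.phone)


def finish_phone_change(account, new_phone, code, oob):
    if not oob.verify(account.account_id, code):
        return False
    account.phone = new_phone
    return True
```

The two properties the post is arguing for show up directly in the code: the OOB secret is generated per challenge and dies after one use, a timeout or a few wrong guesses, whereas the static KBA answer is a long-lived, low-entropy value; and a change to the registered channel is confirmed through the old channel after a risk check on the new one, rather than by the password alone.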