Saturday, February 27, 2010

Is KBA a Solution or a Problem?

Is KBA (Knowledge based authentication) a solution or a problem?

Depending on how it is implemented, KBA can be either.

There follows a slightly edited transcript about knowledge based authentication (KBA) that you may find illuminating. I'll bottom line the bottom!

------------ original question

"I just got off the phone with [client]. They wanted to speak about password resets for access to [database] which is protected customer [data]. They’re regulated on improper access to this data and the issue has become higher profile at the company since the HP Board of Directors pretexting scandal.

We had a good call and I was able to answer all of their questions except this one: What kinds of proofing questions are asked in audited password reset scenarios to protect valued data?

We discussed alternatives to automated reset on the site for higher assurance (such as a phone call from the registered device of record, speaking to a human, out of band via USPS, etc.) We also discussed closing the control and audit loop through notification of access/change (via phone, email, or USPS) – so this is really just a question about the questions.

Specifically how many questions is a good threshold and what kinds of questions should be used?

Suggestions were:

Mother’s Maiden Name
Street grew up
City born in
Favorite color, movie, book
Pet’s name

Do we have any information on this? Know of any good references towards research I can point them to?


------------ First reply

I replied to this first

I don't like these questions personally or professionally.

It feels I'm being asked to give out still more personal information in order to protect my personal informationl. What's wrong with this picture?

I recommend letting the user define the questions and answers, and advising the user to put in something and completely valueless that he/she can easily remmeber, but never to user the same one twice at any site and not to put any personal information into the q/a. And then protect it as senstitive informatoin anyway.


----------- Reply 2

And then my reply was skewered by the following comment...

…and then write down all of the questions and answers so that you have some idea how to answer all of the questions….and then keep that list with your computer for easy reference…..


E. is quite correct, when I use the personal whimsical stuff I usually have forgotten months later - what was I thinking! (or what was the syntax!). Anyway I do write it down...but then I sometimes lose the lists. I think I have a better system now but can say no more for reasons of personal security :-)

------------- Reply 3

More commentary follows.

"SSN and mother’s maiden name are two of my pet peeves – these in particular should never be included in the list. I’ve been suggesting using voice biometric authentication to sidestep this whole issue of self service question and answer content


This may just be a good idea. If the voice matching software works, scales, and the users all have microphones everywhere they go, attacks on this might be relatively difficult...

But wait -

----------------- Reply 4

"All of which is precisely why my recommendation is that the business should use information which it already has (e.g. recent bill amount, etc...) - so that it’s not digging for more information and it’s not requiring you to make up something which will be hard to remember.


----------------- Reply 5

M. agrees and provides a good bottom line to the whole issue

"Ultimately, the quantity and nature of KBA questions are like password construction rules – interesting, but maybe have little value from a security perspective. The answers may be easily guessed and administratively known. Applications requiring lower identity assurance may be well-matched with KBA, though.

For applications requiring higher identity assurance, dynamic KBA (non-administratively known questions like last deposit amount in bank account) and OOB identity proofing are better.


OOB = out of band. I think M. means that at this point the password reset (or other) system would go to 3rd party to proof the user's identity. This third party could be a credit bureau or some service plugged into credit bureaus, for example. More expensive but perhaps the only option if the site is not itself a bank with lots of transaction history on the user...

Bottom line
- KBA as often implemented with mother's maiden name is a joke
- KBA that digs deeper into less obvious (but still guessable) personal information is slightly better but creates privacy problems
- KBA with voice authentication may be a good idea, but there are problems with it, and the group didn't come to consensus
- Using administratively known information like recent transactions seems to be the safest approach