Knowledge Based Authentication fails to deliver
Knowledge based authentication (KBA) has long been used as the backup verification method when someone has forgotten their password. But even though it is in regular use, it fails to deliver on its promise of identity verification.
Static and dynamic KBA
There are two different types of KBA: static and dynamic. Static KBA is a list of questions that have been answered ahead of time by the user. These security questions, or shared secret questions, need to be answered at a later time, like when the user forgets their password.
Dynamic KBA does not require the user to answer the shared secret questions ahead of time. The questions are generated in real time and require answers that only the user should know, or be able to provide with information they have readily available. These are also referred to as out-of-wallet questions. Examples include the security code on a credit card or a driver’s license number.
Two reasons why KBA fails
There are two reasons why KBA fails to verify a user’s identity. First, hackers can easily find the answers to the questions online. A simple Google search may reveal your date of birth, pet’s name, and favorite food. This makes KBA a vulnerable way to verify user identity.
The second reason follows from the insecurity behind the first: simple questions are replaced with more obscure shared secret questions. Instead of asking for your mother’s maiden name, the shared secret could be the furthest place you’ve travelled to. What often happens is that people forget the answers they had previously provided, and can’t prove their own identity.
Whether it’s people forgetting the answers to their shared secrets, or hackers finding the answers online, knowledge based authentication fails to verify a person’s identity.
(Last updated on August 2, 2018)