Security questions – authenticating with your worst kept secrets
(Last updated on June 30, 2020)
Knowledge-based authentication (KBA) is a form of identity verification in which users prove who they are by supplying a “secret” that only they are supposed to know before they are granted access to a system. Passwords and security questions are the most common forms of KBA, and their familiarity is why so many authentication systems rely on them.
We’ve already illustrated the inherent weakness of passwords in previous blogs. In this blog we’ll take a closer look at security questions as a form of KBA.
Security questions, commonly used in the password reset process, are a widespread yet fragile component of identity verification. According to Google, 16 percent of security questions could be answered using information listed on public online profiles. Worse yet, studies suggest that over 60 percent of criminals can successfully answer these questions using data they have already stolen.
Security questions and the IRS hack
The Internal Revenue Service (IRS) breach disclosed in May 2015 serves as a cautionary tale. Attackers gained access to taxpayers’ IRS accounts using personal information purchased from underground markets. After supplying personal details such as name, Social Security number and date of birth, they were prompted with security questions. Armed with the stolen information, and an automated bot that guessed the remaining answers by brute force, they eventually accessed the accounts of over 700,000 taxpayers.
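The IRS case comes down to two properties of the verifier: the answers were guessable from stolen or public data, and nothing stopped a script from trying guesses until one worked. The following Python example is added here for illustration; it is not code from the original post or from any IRS system. It simulates such a bot against two toy verifiers: one with unlimited attempts and exact-match answers, and one that stores salted hashes and locks the account after a fixed number of failures. The user list, their answers and the “common answers” wordlist are constructed for the demonstration and are not real data; the attempt limit and PBKDF2 settings are illustrative assumptions, not a recommendation.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed data for the demonstration (not real statistics or real users).
# An attacker's guess list: answers to "name of your first pet" that are common
# enough to be worth trying against every account, in assumed-popularity order.
COMMON_FIRST_PET_NAMES = ["max", "bella", "charlie", "buddy", "lucy", "molly", "daisy", "rocky"]

# Registered answers for a handful of hypothetical users.
USERS = {
    "alice": "Bella",
    "bob": "Rex",
    "carol": "max ",      # trailing space: users type answers inconsistently
    "dave": "Lucy",
    "erin": "Snowball",
}


def normalize(answer: str) -> str:
    """Canonicalize an answer so 'Max ' and 'max' compare equal."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


class UnthrottledVerifier:
    """Weak verifier: exact-match answers and no limit on attempts (the 'bot' case)."""

    def __init__(self, answers: dict[str, str]) -> None:
        self._answers = {u: normalize(a) for u, a in answers.items()}

    def check(self, user: str, guess: str) -> bool:
        return hmac.compare_digest(self._answers[user].encode(), normalize(guess).encode())


class ThrottledVerifier:
    """Hardened verifier: salted PBKDF2 at rest plus a per-account attempt limit.

    Hashing only protects stored answers if the database leaks; it does nothing
    about the low entropy of the answers themselves. The attempt limit is what
    actually stops an automated guesser.
    """

    MAX_ATTEMPTS = 3        # assumed policy for the demo
    PBKDF2_ROUNDS = 50_000  # illustrative; tune for your hardware

    def __init__(self, answers: dict[str, str]) -> None:
        # In production this state lives in a datastore, not in memory.
        self._records: dict[str, tuple[bytes, bytes, int]] = {}
        for user, answer in answers.items():
            salt = secrets.token_bytes(16)
            self._records[user] = (salt, self._hash(salt, answer), 0)

    @classmethod
    def _hash(cls, salt: bytes, answer: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, cls.PBKDF2_ROUNDS)

    def is_locked(self, user: str) -> bool:
        return self._records[user][2] >= self.MAX_ATTEMPTS

    def check(self, user: str, guess: str) -> bool:
        salt, digest, failures = self._records[user]
        if failures >= self.MAX_ATTEMPTS:
            # Locked: route the caller to a stronger verification path
            # (e.g. an out-of-band factor) rather than to more questions.
            return False
        ok = hmac.compare_digest(digest, self._hash(salt, guess))
        if not ok:
            failures += 1
        self._records[user] = (salt, digest, failures)
        return ok


def guessing_attack(verifier, wordlist: list[str]) -> list[str]:
    """Simulate an automated bot trying the common answers against every account."""
    compromised = []
    for user in USERS:
        for guess in wordlist:
            if verifier.check(user, guess):
                compromised.append(user)
                break
    return compromised


if __name__ == "__main__":
    print("unthrottled:", guessing_attack(UnthrottledVerifier(USERS), COMMON_FIRST_PET_NAMES))
    print("throttled:  ", guessing_attack(ThrottledVerifier(USERS), COMMON_FIRST_PET_NAMES))
```

Against the eight-word list, the unthrottled verifier gives up three of the five accounts, while the throttled one gives up only the two whose answers sit at the top of the list. That second number is the real lesson: throttling limits the damage from a bot but cannot rescue a question whose answer is also the most common guess, which is why the guidance below is to stop using such questions rather than to harden them.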
KBA and compliance
Security questions are a weak form of authentication, and the National Institute of Standards and Technology (NIST) has put that on record. NIST Special Publication 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management) states, in its requirements for memorized secret verifiers:
- Verifiers SHALL NOT permit the subscriber to store a “hint” that is accessible to an unauthenticated claimant, and SHALL NOT prompt subscribers to use specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets. In short: move away from security questions.
Unfortunately, many organizations still use security questions to verify users who call the helpdesk, and questions such as “What is your employee ID?” are not uncommon during identity verification. If a malicious actor can answer such a question correctly, they can convince the helpdesk agent that they are the legitimate user and, typically, obtain a password reset. That gives them access not only to the user’s account but also to sensitive company data.
Specops Secure Service Desk is a helpdesk tool that lets your agents verify callers with stronger methods of authentication. It is intended for organizations that want to align with the NIST guidance above and strengthen their IT security infrastructure.