Security questions – authenticating with your worst kept secrets
(Last updated on February 21, 2019)
Knowledge-based authentication (KBA) is a form of identity verification that relies on secrets known only to the user. Passwords and security questions are the most common forms of KBA, and their familiarity makes them the primary mechanism in many authentication systems.
We have already illustrated the inherent weakness of passwords in previous blog posts. In this post we take a closer look at security questions as a form of KBA.
Security questions, commonly used in the password retrieval process, are an essential yet fragile component of identity verification. According to Google, 16 percent of security questions could be answered using information listed online on public profiles. Worse yet, studies suggest that over 60 percent of criminals can successfully answer these questions using data they have already stolen.
Security questions and the IRS hack
The Internal Revenue Service (IRS) hack in May 2015 serves as a cautionary tale. Attackers gained access to taxpayers' IRS accounts using personal information purchased from underground databases. After successfully providing personal information such as name, Social Security number and date of birth, they were prompted with security questions. Armed with the stolen information and an automated bot that guessed the answers by brute force, they were able to access the accounts of over 700,000 taxpayers.
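The IRS incident above has a detectable shape: one automated source working through a large number of different accounts at the security-question step, so per-account lockouts never fire. The following is an added example, not code from the original post; it assumes a hypothetical log format for the recovery flow and uses constructed sample lines to show a per-source detection that flags that pattern.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not from the original post).
# Each line records one answer attempt at the security-question step of recovery.
SAMPLE_LOG = [
    "2015-05-01T10:00:01Z kba account=acct-1001 src=203.0.113.7 result=fail",
    "2015-05-01T10:00:02Z kba account=acct-1002 src=203.0.113.7 result=fail",
    "2015-05-01T10:00:03Z kba account=acct-1003 src=203.0.113.7 result=ok",
    "2015-05-01T10:00:04Z kba account=acct-1004 src=203.0.113.7 result=fail",
    "2015-05-01T10:00:05Z kba account=acct-1005 src=203.0.113.7 result=fail",
    "2015-05-01T10:00:06Z kba account=acct-1006 src=203.0.113.7 result=ok",
    "2015-05-01T10:30:00Z kba account=acct-2001 src=198.51.100.9 result=fail",
    "2015-05-01T10:31:00Z kba account=acct-2001 src=198.51.100.9 result=ok",
]


def parse_line(line):
    """Split one log line into (timestamp, account, source IP, success flag)."""
    ts, _, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, kv["account"], kv["src"], kv["result"] == "ok"


def flag_sources(lines, window=timedelta(minutes=10), max_accounts=5):
    """Return {source: distinct accounts} for sources that answered questions
    for more than max_accounts *different* accounts inside any sliding window.
    Counting per account misses a bot that tries each stolen identity once;
    counting distinct accounts per source is what exposes that behaviour."""
    by_src = defaultdict(list)
    for when, account, src, _ in map(parse_line, lines):
        by_src[src].append((when, account))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {acct for when, acct in events[i:] if when - start <= window}
            if len(seen) > max_accounts:
                flagged[src] = len(seen)
                break
    return flagged


if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

In production the same counter would feed a rate limit or step-up challenge on the recovery endpoint rather than only an alert.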
KBA and compliance
Security questions are a weak form of authentication, and the National Institute of Standards and Technology has put that on record. In NIST's Special Publication 800-63B, it specifies:
- Move away from security questions: systems should not store hints or prompt users for specific information, e.g. "What was the name of your first pet?"
While the recommendation is to move away from secret questions completely, there may still be room for KBA (passwords) in multi-factor authentication scenarios. In addition to a knowledge-based factor, MFA can require a possession factor (e.g. a mobile phone) and an inherence factor (e.g. a fingerprint). This layered approach is a powerful defense against attackers, especially in high-risk use cases. With the Payment Card Industry Data Security Standard's (PCI DSS) recent MFA requirement for administrators and remote access, organizations need to prepare for a new authentication approach.