Security questions – authenticating with your worst kept secrets
Knowledge based authentication (KBA) is a form of identity verification that asks users to supply a “secret” (something only they should know) to prove their identity before accessing a system. Passwords and security questions are the most common forms of KBA. Their familiarity makes them the default choice for many authentication systems.
We’ve already illustrated the inherent weakness of passwords in previous blogs. In this blog we’ll take a closer look at security questions as a form of KBA.
Security questions, commonly used in the password retrieval process, are an essential, yet fragile, component of identity verification. According to Google, 16 percent of security questions could be answered using information listed online on public profiles. Worse yet, studies suggest that over 60 percent of criminals can successfully answer these questions using data they’ve already stolen.
Security questions and the IRS hack
The Internal Revenue Service (IRS) hack in May 2015 serves as a cautionary tale. Hackers gained access to taxpayers’ IRS accounts using personal information purchased from underground databases. After successfully providing personal information such as name, Social Security number and date of birth, they were prompted with security questions. Armed with the stolen information, and an automated bot that guessed the remaining answers by brute force, they were able to access the accounts of over 700,000 taxpayers.
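The IRS incident hinged on two things an automated bot needs: an unlimited number of guesses and a small answer space. The following example, added here and not code from the original post or from any Specops product, shows a minimal security-question verifier that removes the first of those. Answers are stored only as salted PBKDF2 hashes, compared in constant time, and each account is locked after a fixed number of failures. The policy values (three failures, a 15-minute lockout), the `KbaVerifier` class and the hypothetical user name are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time
import unicodedata
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed policy values for the example: three wrong answers lock
# the account for 15 minutes. Real deployments would tune these.
MAX_FAILURES = 3
LOCKOUT_SECONDS = 15 * 60


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so 'Fluffy ' and 'fluffy' compare equal.

    Loose matching is a usability choice, but it also shrinks the answer
    space, which is exactly why the throttling below is not optional.
    """
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the normalised answer; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, 100_000
    )


@dataclass
class KbaRecord:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


@dataclass
class KbaVerifier:
    """Hypothetical in-memory verifier; a real one would persist records."""

    records: Dict[str, KbaRecord] = field(default_factory=dict)

    def enroll(self, user: str, answer: str) -> None:
        salt = os.urandom(16)
        self.records[user] = KbaRecord(salt=salt, digest=hash_answer(answer, salt))

    def verify(self, user: str, answer: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'wrong' or 'locked'.

        An unknown user gets the same 'wrong' as a bad answer, so the
        response does not leak which accounts exist.
        """
        now = time.time() if now is None else now
        rec = self.records.get(user)
        if rec is None:
            return "wrong"
        if now < rec.locked_until:
            return "locked"
        # Constant-time comparison of the two digests.
        if hmac.compare_digest(hash_answer(answer, rec.salt), rec.digest):
            rec.failures = 0
            return "ok"
        rec.failures += 1
        if rec.failures >= MAX_FAILURES:
            rec.failures = 0
            rec.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


if __name__ == "__main__":
    v = KbaVerifier()
    v.enroll("alice", "Fluffy")  # constructed sample enrolment
    for guess in ("rex", "max", "buddy", "Fluffy"):
        print(guess, "->", v.verify("alice", guess))
```

Note what this does and does not fix. Lockout stops an online guessing bot from walking through a list of common answers, and hashing keeps a database leak from handing over the answers directly. It does nothing about the problem NIST highlights: an attacker who already holds the victim’s personal data or can read their public profile needs only one guess, and no amount of throttling helps there.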
KBA and compliance
Security questions are a weak form of authentication, and the National Institute of Standards and Technology has put that on record. In NIST’s Special Publication 800-63B, the guidance is:
- Move away from security questions – systems should not store hints or prompt users for specific information, e.g. “What was the name of your first pet?”
Unfortunately, many organizations still use security questions to verify users who call the helpdesk. Furthermore, questions such as “What is your employee ID?” during identity verification are not uncommon. If a malicious actor can answer such a question correctly, they can convince the helpdesk that they are an authorized user. This gives them not only access to the user’s account, but also to sensitive company data.
Specops Secure Service Desk is a helpdesk tool that allows your agents to verify callers with stronger methods of authentication. It is intended for organizations that want to achieve NIST compliance and strengthen their IT security infrastructure.
(Last updated on June 30, 2020)