Strengthening knowledge-based authentication with graphical passwords
User authentication is a necessary component of any digital security process. Whether it is a password to an online account, or answering a security question when the password fails, we are all familiar with the verification process carried out via knowledge-based authentication (KBA).
The success of KBA is contingent on the user actually memorizing the secret (i.e. a password or PIN). When we inevitably fail to recall a password, the usability of KBA suffers, even more so if the password recovery process is cumbersome. In scenarios where KBA is the sole authentication factor, its appeal deteriorates further in the face of user impersonation and data breaches.
Despite these shortcomings, KBA remains a contender in the authentication process thanks to its familiarity and minimal investment requirements. With that being said, is there an opportunity to improve the user authentication process while still leveraging KBA?
Graphic passwords solve the KBA usability issue
Graphic-based passwords are a potential alternative to the traditional text-based approach. Classic cognitive science experiments indicate humans have an almost limitless memory for pictures. Simply put, it is easier to recognize a previously seen image than a random string of characters. If graphical passwords solve the usability issue, they might also improve security: if the authentication secret is easier to remember, users are less likely to fall into poor security practices such as reusing it across multiple applications or writing it down.
Graphical passwords fall into two categories: recognition-based and recall-based. In a recognition-based authentication scheme, the user must identify an image they have previously seen. In a recall-based authentication scheme, the user must reproduce something they have created. Take for example the Android unlock screen, where the user must reproduce a drawing on the screen grid.
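To make the recognition-based category concrete, here is a minimal enrolment, challenge and verification flow written as an added example for this post (it is not code from the original article or from any product). The picture catalogue, grid size, portfolio size and lockout threshold are assumed parameters; picture identifiers stand in for real images. The example also computes the two numbers a defender cares about: how many guesses a single issued grid permits, and how large the secret space is across the whole catalogue.

```python
"""Recognition-based graphical password: enrol a portfolio of pictures,
issue a shuffled grid containing them among decoys, verify the selection."""
import math
import secrets
from dataclasses import dataclass

# Constructed catalogue of picture identifiers (stand-ins for real images).
IMAGE_CATALOGUE = [f"img-{i:03d}" for i in range(60)]
GRID_SIZE = 12        # pictures shown per challenge (assumed parameter)
PORTFOLIO_SIZE = 4    # pictures the user must recognize (assumed parameter)
MAX_FAILURES = 5      # online-guessing limit before lockout (assumed parameter)


@dataclass
class Account:
    # Unlike a text password, the verifier must keep the portfolio in a
    # recoverable form, because every challenge grid has to contain it.
    portfolio: frozenset
    failures: int = 0
    locked: bool = False


def enroll(chosen):
    """Register the user's secret set of pictures (order does not matter)."""
    chosen = frozenset(chosen)
    if len(chosen) != PORTFOLIO_SIZE or not chosen <= set(IMAGE_CATALOGUE):
        raise ValueError("pick exactly PORTFOLIO_SIZE distinct catalogue images")
    return Account(portfolio=chosen)


def build_challenge(account, rng=None):
    """Return a grid of GRID_SIZE images: the portfolio plus random decoys,
    shuffled so that screen positions differ on every login attempt."""
    rng = rng or secrets.SystemRandom()
    decoys = [img for img in IMAGE_CATALOGUE if img not in account.portfolio]
    grid = list(account.portfolio) + rng.sample(decoys, GRID_SIZE - PORTFOLIO_SIZE)
    rng.shuffle(grid)
    return grid


def verify(account, grid, selection):
    """Accept only the exact portfolio, chosen from the grid actually issued,
    and lock the account after MAX_FAILURES wrong answers."""
    if account.locked:
        return False
    selection = frozenset(selection)
    # Selections must come from the issued grid; this rejects stale grids.
    ok = selection <= set(grid) and selection == account.portfolio
    if ok:
        account.failures = 0
    else:
        account.failures += 1
        if account.failures >= MAX_FAILURES:
            account.locked = True
    return ok


def guesses_per_challenge():
    """Ways to pick PORTFOLIO_SIZE images out of one issued grid.
    The secret images are always on the grid, so this is the online
    guessing space per attempt, not the size of the whole catalogue."""
    return math.comb(GRID_SIZE, PORTFOLIO_SIZE)


def portfolio_space():
    """Number of possible portfolios across the entire catalogue."""
    return math.comb(len(IMAGE_CATALOGUE), PORTFOLIO_SIZE)


if __name__ == "__main__":
    acct = enroll(["img-001", "img-002", "img-003", "img-004"])
    grid = build_challenge(acct)
    print("grid:", grid)
    print("login ok:", verify(acct, grid, ["img-004", "img-003", "img-002", "img-001"]))
    print("guesses per challenge:", guesses_per_challenge())
    print("portfolio space:", portfolio_space())
```

Two properties of the scheme stand out in the code. Because the secret pictures must appear on every grid, an online attacker only has to choose 4 of the 12 pictures shown (495 combinations with these parameters), so the lockout counter is doing most of the security work, not the size of the catalogue. Shuffling positions per challenge defeats an observer who only recorded where the user tapped, but an observer who saw which pictures were chosen has learned the portfolio outright, which is the shoulder-surfing weakness the next section describes.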
In comparison to text-based passwords, graphical passwords are less vulnerable to dictionary and brute force attacks. However, their memorability makes them weak against shoulder surfers. In a recent online experiment, 1,173 participants watched videos of people unlocking their phone. Mimicking the shoulder surfing technique, the participants attempted to determine the authentication input. The participants were able to correctly copy the Android unlock pattern 64% of the time. The six-number PIN was deemed most resistant against shoulder surfing attacks.
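Resistance to brute force is a question of keyspace, and for the recall-based Android unlock pattern mentioned above the keyspace can be counted exactly. The following added example (written for this post, not taken from the original article or from Android) enumerates every valid pattern on the 3x3 grid under the commonly documented rules, which the code assumes: a pattern joins 4 to 9 distinct dots, and a straight stroke that passes directly over a not-yet-used dot connects that dot on the way. It then expresses the result in bits next to a six-digit PIN, so the two schemes compared in the experiment can be compared on guessing resistance as well.

```python
"""Count valid Android-style 3x3 unlock patterns and compare the keyspace
with a six-digit PIN. Rules assumed: 4..9 distinct dots; a stroke whose
midpoint is an unused dot is not allowed (it would connect that dot)."""
import math

GRID = 3
DOTS = [(r, c) for r in range(GRID) for c in range(GRID)]
MIN_LEN, MAX_LEN = 4, 9


def crossed_dot(a, b):
    """Return the dot lying exactly halfway between a and b, or None.
    Only strokes whose row and column sums are both even have such a dot;
    knight-like moves such as (0,0)->(1,2) cross nothing."""
    (r1, c1), (r2, c2) = a, b
    if (r1 + r2) % 2 == 0 and (c1 + c2) % 2 == 0:
        return ((r1 + r2) // 2, (c1 + c2) // 2)
    return None


def count_patterns():
    """Depth-first enumeration of valid patterns, keyed by pattern length."""
    counts = {n: 0 for n in range(MIN_LEN, MAX_LEN + 1)}

    def extend(path, used):
        n = len(path)
        if n >= MIN_LEN:
            counts[n] += 1
        if n == MAX_LEN:
            return
        last = path[-1]
        for dot in DOTS:
            if dot in used:
                continue
            mid = crossed_dot(last, dot)
            # Jumping over an unused dot is not a legal stroke.
            if mid is not None and mid not in used:
                continue
            path.append(dot)
            used.add(dot)
            extend(path, used)
            used.remove(dot)
            path.pop()

    for start in DOTS:
        extend([start], {start})
    return counts


def total_patterns():
    return sum(count_patterns().values())


def pin_space(digits=6):
    return 10 ** digits


def bits(keyspace):
    """Entropy in bits if every secret in the keyspace is equally likely."""
    return math.log2(keyspace)


if __name__ == "__main__":
    by_len = count_patterns()
    for n, k in by_len.items():
        print(f"{n} dots: {k:>7} patterns")
    print(f"all patterns: {total_patterns()} ({bits(total_patterns()):.1f} bits)")
    print(f"6-digit PIN:  {pin_space()} ({bits(pin_space()):.1f} bits)")
```

With these rules the grid admits 389,112 patterns, roughly 18.6 bits, against about 19.9 bits for a six-digit PIN; users also cluster heavily on a few shapes, so the effective space is smaller still. The brute-force advantage the paragraph describes therefore depends on the specific graphical scheme and its parameters, and for unlock patterns on a phone it is the attempt limit and wipe-after-N-failures policy, not the keyspace, that provides the resistance.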
Multi-factor authentication is the answer to KBA security
In user authentication scenarios with multi-factor authentication (MFA), KBA secrets can satisfy the “something you know” requirement. As we learned above, KBA does not have to be limited to text-based passwords or security questions (in fact, you are probably better off getting rid of security questions altogether). The combination of graphical passwords with something you are (a fingerprint) or something you have (a smart card) strengthens both usability and authentication security.