When is “Knowledge-Based” not Assured Authentication?
Knowledge-based authentication (KBA) has been declared dead many times over the past few years. But what is KBA, and what exactly is the problem? "KBA" is used far too generically across the identity industry, and different providers get away with applying the same term to vastly different levels of security.
Most providers use KBA to cover the "what you know" factor of the classic "what you know, what you have, and who you are" triad. At its most basic, KBA tries to establish that someone is who they claim to be by asking them questions. Unfortunately, the kinds of questions asked, and where their answers come from, are not uniformly defined or implemented.
Assurance is the level of confidence you can place in an authentication. In government, levels of assurance (for example those defined in NIST SP 800-63) spell out which elements must be verified in an authentication process before an identity is considered confirmed. In the commercial space there is less clarity about what high assurance requires, and most large organizations leave it to their identity management team. The problem is that identity managers are often unclear on KBA themselves.
The murkiness is that the questions asked in knowledge-based authentication can be based on any of three very different things: an explicit secret, an implicit secret, or an "out-of-wallet" secret.
Think of an explicit secret as the classic shared secret between an organization and an individual. The concern with this classic form of identity assurance is how much of that information now lives on social media. If a fraudster has someone's iTunes password, too often they also have the Amazon password, the eBay password, and the passwords for many social media sites, because people reuse them. A favorite band, current car, and past employers are all posted on those sites. And if the privacy settings aren't configured properly, the password isn't even necessary to get these details.
Shared secrets are a fixed set of questions with a fixed set of answers, with no deep data set behind them. The correct answers are pre-populated by the user. Because the whole scheme is a single set of perhaps six questions and answers, it is easy enough for attackers to social-engineer the process, or simply pull the answers to the known set of questions from a quick Google search.
Using shared secrets to secure a consumer portal may make sense, but an administrator's access needs a more stringent level of KBA. The highest access levels have to be assured with something search-engine proof, drawn from records that are not part of a person's public discourse, such as the details of a tax lien, house purchase, or marriage record. It has to be a deeper set of facts that only the person being identified is likely to know. Note that such records are not secret in the strict sense; their strength comes from breadth and corroboration across many sources rather than from any single fact being unknowable.
Many institutions are turning to implicit secrets: the behavioral record of what an individual has actually done with that institution. While a better approach, it only protects members who have a long history and do a considerable amount of business with the institution. The financial services industry knows this well. In 2009 the American Bankers Association found that a quarter of fraud happened on new accounts, with regional banks seeing 87% of their fraud in the first 90 days. Things haven't gotten much better since then. Without the history needed to ask good questions, this kind of fraud can't be combated with implicit secrets.
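As an added illustration (not code from the original post or its author), the following Python sketch models the three question sources described above and the two failure modes the post calls out: shared secrets that are too weak for administrator access, and implicit secrets that cannot be generated for a new account with no history. It also shows user-supplied shared-secret answers being stored and checked like passwords (normalized, salted, slow-hashed, constant-time compared). The customer data, role policy, 90-day and 5-transaction thresholds, and question wording are all constructed assumptions.

```python
"""Added example, not from the original post: a minimal KBA challenge builder.

It models the three question sources the post describes (explicit shared
secrets, implicit behavioural secrets, out-of-wallet records), refuses to
fall back to a weaker source for high-privilege roles, and yields no implicit
questions for an account without history.  All data and thresholds are
constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass, field
from datetime import date

# Relative assurance of each question source, following the post's ordering
# (explicit shared secrets weakest, out-of-wallet records strongest).
SOURCE_RANK = {"explicit": 1, "implicit": 2, "out_of_wallet": 3}

# Constructed policy: the weakest source each role may be challenged with.
ROLE_MIN_RANK = {"consumer": 1, "administrator": 3}

# Constructed thresholds for "enough history to ask behavioural questions".
MIN_HISTORY_DAYS = 90   # the post notes most new-account fraud occurs inside 90 days
MIN_TRANSACTIONS = 5

# Constructed decoy merchants used to turn a real transaction into a multiple-choice question.
DECOY_MERCHANTS = ["Acme Hardware", "Blue Sky Travel"]


def normalize(answer: str) -> str:
    """Canonical form so 'Toyota  Camry' and ' toyota camry ' compare equal."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Store user-supplied answers like passwords: salted, slow PBKDF2 hash."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 200_000)
    return salt, digest


def verify_answer(stored: tuple[bytes, bytes], candidate: str) -> bool:
    """Constant-time comparison of a candidate answer against the stored hash."""
    salt, digest = stored
    _, cand = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, cand)


@dataclass
class Question:
    source: str   # "explicit" | "implicit" | "out_of_wallet"
    prompt: str
    answer: str | None = None   # known answer for generated (non-explicit) questions


@dataclass
class Customer:
    opened: date
    transactions: list[str] = field(default_factory=list)            # merchants paid
    explicit_secrets: dict[str, tuple[bytes, bytes]] = field(default_factory=dict)
    public_records: list[str] = field(default_factory=list)          # out-of-wallet facts


def implicit_questions(c: Customer, today: date) -> list[Question]:
    """Behavioural questions need history; a new or idle account yields none."""
    if (today - c.opened).days < MIN_HISTORY_DAYS or len(c.transactions) < MIN_TRANSACTIONS:
        return []
    questions = []
    for merchant in c.transactions[-3:]:
        options = " / ".join(sorted([merchant] + DECOY_MERCHANTS))
        questions.append(Question("implicit",
                                  f"Which of these merchants did you pay recently? {options}",
                                  answer=merchant))
    return questions


def build_challenge(c: Customer, role: str, today: date) -> list[Question]:
    """Return questions strong enough for `role`, failing closed if none exist."""
    pool = [Question("explicit", prompt) for prompt in c.explicit_secrets]
    pool += implicit_questions(c, today)
    pool += [Question("out_of_wallet", f"Confirm a detail of this record: {r}", answer=r)
             for r in c.public_records]
    eligible = [q for q in pool if SOURCE_RANK[q.source] >= ROLE_MIN_RANK[role]]
    if not eligible:
        # Do not silently downgrade an administrator to shared secrets.
        raise PermissionError(f"no question source meets the assurance required for {role!r}")
    return eligible


if __name__ == "__main__":
    today = date(2024, 6, 1)
    new_account = Customer(opened=date(2024, 5, 20),
                           explicit_secrets={"First car?": hash_answer("Toyota Camry")})
    print([q.prompt for q in build_challenge(new_account, "consumer", today)])
    print(implicit_questions(new_account, today))   # no history yet: nothing to ask
```

The new-account case from the paragraph above shows up as an empty implicit pool: the builder can still serve a consumer with the user's own shared secrets, but an administrator request fails closed rather than degrading to the weakest source.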
The real solution is to find a source of questions whose data is reported by third parties rather than supplied by the user, is highly accurate, and is deep enough to support a wide range of questions drawn from multiple industries on a corroborated view of the American public.
If you are interested in strengthening your KBA to high assurance, read more about how differentiated data assets deliver the highest levels of assurance across the widest population.