Knowledge-Based Authentication: a false sense of security

Knowledge-Based Authentication: a false sense of security

Paul ArdoinAugust 29, 2011, 09:40 am EDT

Whether it’s a self-service system for network password resets or logging into a banking website, chances are you’re familiar with Knowledge-Based Authentication (KBA). This type of authentication asks you questions, and if you answer them correctly, the system lets you in, or lets you reset your password, or lets you transfer $50,000 to an account in the Cayman Islands.

Much like a security gate that people can easily climb, however, KBA makes people feel safe, but doesn’t provide very much real security. Financial institutions, content providers, and IT departments don’t create questions that are secure enough. People often post their favorite restaurants, their birth cities, and their pet names on their blog or Facebook page. (Paris Hilton famously had her account hacked because her security answer was her dog’s name–and the dog had only appeared in the tabloids about 100 times!) Security expert Mike Masnick was able to easily hack Sprint’s KBA on the first try for one of the employees in his office.

The worse news for companies is that these systems are perceived as user-friendly, but they’re really not. IT professional Garry Scoville created KBA guidelines (used by some huge brands, like Delta Airlines, American Express, and others) and ranked some of the best security questions used today, most of which are simple, memorable, hard to guess, and static. But none of these questions are perfect, and worse, users think many of those questions are creepy, overly invasive, or rude. A commenter on one security blog says that all his answers to those security questions are a vulgar rephrasing of “mind your own business.”

So if KBA isn’t secure, and if it’s making users angry, why do 90% of banks use it (according to one security vendor)? Should more strong authentication options make the short list for consideration?