The Problem
We have all been there: you forgot the password to that website you rarely use. What was it again? You do not remember, so you click on “Forgot Password.” That is where you are met with infamous questions like “What is your mother’s maiden name?”, “What was the name of your first pet?” and “What was the make and model of your first car?” These questions are a part of knowledge-based authentication (KBA), a security protocol in which users are asked to answer at least one secret question for self-service password retrieval.
Good KBA questions should meet the following four requirements:
- The question should apply to a large segment of the population.
- The answer to the question should be easy to remember.
- The question should only have one correct answer.
- The answer should not be easy to guess.
When you think about it though, are these questions really that safe? Fraudsters could easily access your accounts online by simply knowing the answers to your KBA questions, which these days can most likely be found on social media. Social media usage has grown rapidly over time; Facebook alone reached 50 million users in 3.5 years after its introduction in 2004 (IDMERIT). Knowledge-based authentication has not been able to keep up with this type of online growth. To strengthen KBA and make it work in today’s day and age, new technologies need to be incorporated into KBA measures to address its vulnerabilities.
What is Static KBA?
Static KBA is a method where you pick security questions and give answers that are stored and referenced later for password retrieval. In this type of KBA, users control what questions are selected for future use and what the answers are.
Typical static KBA questions include “Where did you spend your honeymoon?” or “What is your favorite food?” This type of authentication is inherently flawed, though. It relies on the user keeping the answers to these questions secret, and more often than not they are not secret. If someone chooses to share a lot about themselves on social media, this increases the vulnerability of these answers as well.
Another problem is that the answers to the types of questions asked are not static. Questions that use the word “favorite” are frequently used, and yet favorites change over time. Investigator Anne Diebel discussed how Google discovered this trend. She stated, “A 2015 study by Google engineers found that only 47% of people could remember what they put down as their favorite food a year earlier—and that hackers were able to guess the food nearly 20% of the time, with Americans’ most common answer being pizza…Even when people remembered their answers, sometimes they forgot the precise form [they entered the answer.]”
Plus, some questions are easy to answer. Questions like “What is your favorite color?” can typically be answered in 8 guesses or fewer. This means that a fraudster trying to break into an online profile will be able to do so fairly easily, assuming the website does not include lockout functionality in its KBA procedures.
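The two static KBA weaknesses described above, answers forgotten in their "precise form" and small answer spaces guessed without lockout, can both be handled in the verifier. The following is an added example, not code from the article or any product it mentions; the three-attempt threshold, the class and function names, and the colour list are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

MAX_ATTEMPTS = 3  # assumed lockout threshold; the article names no number


def normalize(answer: str) -> str:
    """Fold case, accents and spacing so 'Pizza ' and 'pizza' match."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return " ".join(text.casefold().split())


def digest(answer: str, salt: bytes) -> bytes:
    """Salted, slow hash so a leaked answer table resists offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


class StaticKbaRecord:
    """One enrolled security answer plus its failed-attempt counter."""

    def __init__(self, answer: str):
        self.salt = os.urandom(16)
        self.stored = digest(answer, self.salt)
        self.failures = 0

    def verify(self, attempt: str) -> str:
        if self.failures >= MAX_ATTEMPTS:
            return "locked"  # refuse even a correct answer once locked
        if hmac.compare_digest(digest(attempt, self.salt), self.stored):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= MAX_ATTEMPTS else "wrong"


# Constructed sample: eight common colours, the enrolled answer listed last.
COLOURS = ["blue", "red", "green", "black", "pink", "yellow", "orange", "purple"]


def verdict_after(record: StaticKbaRecord, candidates: list[str]) -> str:
    """Submit candidates in order and return the first non-'wrong' verdict."""
    verdict = "wrong"
    for guess in candidates:
        verdict = record.verify(guess)
        if verdict != "wrong":
            break
    return verdict
```

With the lockout in place, walking the eight-colour list stops at the third attempt, so the enrolled answer in eighth position is never evaluated.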
What is Dynamic KBA?
Dynamic KBA goes beyond the capabilities of static KBA. It generates questions that apply only to the intended end user and does not require a previous relationship with the consumer. The content of these questions is typically generated from information in a person’s public records or credit history. The idea is that dynamic KBA draws on information that is accurate for the user in a way static KBA cannot match: more private, less commonly available information that the user will not forget.
Examples of dynamic KBA questions include “What was your street address when you were 10 years old?” or “How much money did you spend at the grocery store last week?” These questions can be answered with thorough research, but that takes time. Typically, if a dynamic KBA question is not answered within a certain time period, it is discarded and treated as a wrong answer. Furthermore, administrators can set a minimum score for success when answering dynamic KBA questions and determine when more questions should be asked of the user.
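The scoring rules described above (late answers treated as wrong, an administrator-set minimum score, and extra questions when the result is inconclusive) can be sketched as follows. This is an added example rather than any vendor's implementation; the time window, thresholds, question counts and all names are assumed values chosen for illustration.

```python
from dataclasses import dataclass

ANSWER_WINDOW_S = 30   # assumed per-question time limit, in seconds
PASS_SCORE = 0.8       # assumed minimum score set by the administrator
STEP_UP_SCORE = 0.5    # assumed floor: below this the session fails outright
MIN_QUESTIONS = 3      # assumed number of questions before any decision
MAX_QUESTIONS = 5      # assumed cap on questions, including step-up ones


@dataclass
class Response:
    correct: bool       # did the answer match the record source?
    issued_at: float    # when the question was shown (epoch seconds)
    answered_at: float  # when the answer arrived (epoch seconds)


def counts_as_correct(r: Response) -> bool:
    """A late answer is discarded and scored as wrong, however accurate."""
    return r.correct and 0 <= r.answered_at - r.issued_at <= ANSWER_WINDOW_S


def decide(responses: list[Response]) -> str:
    """Return 'pass', 'fail' or 'ask_more' for the responses so far."""
    if len(responses) < MIN_QUESTIONS:
        return "ask_more"
    score = sum(counts_as_correct(r) for r in responses) / len(responses)
    if score >= PASS_SCORE:
        return "pass"
    if score < STEP_UP_SCORE or len(responses) >= MAX_QUESTIONS:
        return "fail"
    return "ask_more"  # inconclusive: issue another question
```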
Is Dynamic KBA the Solution?
While dynamic KBA is an improvement over static KBA, it still is not the best answer for account authentication on the internet. Some argue that dynamic KBA can be cracked, and this is true. If a spouse or someone equally close to you has access to your public information, then they can hack into your accounts using dynamic KBA questions. That is still a much smaller audience than the one that can hack into your accounts using static KBA questions, which makes dynamic KBA much safer, but it’s not a foolproof solution.
Moreover, credit report breaches are becoming more common, as noted with the Equifax hack of 2017 where 145 million American consumers had their personal details stolen. A research team devoted to helping secure databases has also uncovered multiple archives containing credit report information, as well as marketing databases that contain information used for dynamic KBA. This means that if hackers find this information, they can use it to break into consumer accounts protected by dynamic KBA procedures.
What is the Solution?
The question then becomes, how do we keep our accounts safe on the internet? KBA is clearly vulnerable. To combat this, a two-step authentication process must be instituted using biometric technology and knowledge-based authentication.
Why keep KBA around if it does not work, though? The reason is fairly simple: consumers are used to it. KBA has been around for a long time and consumers are comfortable answering security questions to access sensitive information. KBA is also a low-cost solution for security, which increases its appeal. Plus, many large institutions use it in their authentication processes.
Combining KBA with biometric technologies creates a multi-layered solution for fighting fraud and increasing account security online. The Consumer Technology Association states that 62% of adults in the US have used biometric technology and are comfortable with it. Biometrics such as facial recognition, fingerprint scanning or voice recognition are all ways that consumers can easily verify themselves using nothing more than their mobile phone. New devices are equipped with hardware to use biometrics, such as cameras, recorders, and fingerprint reading technology.
In a recent study, 86 percent of millennials said they are willing to take a few additional steps to verify their identity when opening an account or enrolling in a new service. Biometric technologies, combined with KBA, can create a secure two-step authentication process for account security.
Conclusion
Two-step authentication protocols need to be implemented to fight fraud and meet our modern needs. Knowledge-based authentication by itself leaves businesses vulnerable to hackers who want to penetrate their systems. With biometrics becoming more and more commonplace, it makes sense to use them as an extra step to secure consumer accounts. Doing this will help businesses protect the identity of their customers, even if it means customers have to take an extra selfie when logging into their credit card account.