Asking users to answer security questions is a common feature of the authentication process. Unfortunately, it does very little to preserve security. Known as knowledge-based authentication (KBA), this approach to identifying end users is easily compromised and is no longer considered a viable authentication method.
Whether it’s based on a static model in which users input answers to questions during account creation or a dynamic approach using random questions pulled from a set of known data about a user, KBA fails to provide the level of protection necessary for modern systems and networks.
Why KBA Is On the Way Out
Before the era of big data and widespread adoption of mobile and IoT technology, using questions with answers unique to individual users made sense as a method for verifying identity. In theory, each security question in a KBA model has only one right response, and this response shouldn’t be easy for third parties to guess.
However, with businesses and financial institutions now collecting and storing large amounts of data about their customers and individual users sharing every detail of their lives on social media, information once considered private is readily available to hackers. The public records used as the basis for dynamic KBA are like an open book to anyone who knows the types of information necessary to answer common security questions, and a growing number of data breaches has resulted in leaks of large amounts of private consumer data.
Cracks in the KBA Armor
The very simplicity that makes KBA convenient for businesses and users is also its major downfall. The increasingly complex challenges involved in protecting data require security solutions based on something more than a set of generic questions. Although the security queries posed in KBA appear to be personalized, there are only so many questions a system can use, and hackers are able to guess the answers to the most common ones as much as 20 percent of the time.
When guessing fails, it often only takes a Google search to crack the KBA code. Information from hacked databases or data aggregators is available for hackers to purchase, making it easier to undermine dynamic KBA strategies. Phishing and spear phishing attacks allow third parties to gain access to individual accounts, infiltrate systems and obtain detailed user information, rendering security questions useless.
Another glaring problem is the inability of users to remember the answers to their own questions. Around 20 percent of answers are forgotten within six months of account creation, or users fail to recall the exact way the answers were entered at the time an account was set up.
Many organizations are switching to multi-factor authentication (MFA) protocols requiring two or more identifiers from users before granting access. Businesses of all sizes with numerous mobile employees are beginning to adopt complex rules for authenticating specific devices and are implementing single sign-on to streamline access without compromising data security.
Automation is changing the nature of user onboarding and provisioning, and it’s becoming more common to see granular rules designed to ensure no single user is able to access more information or perform more actions than necessary to complete specific tasks. In the near future, organizations may also adopt:
• Controls on financial account activities
• Phone-based identification with SMS verification
• Blockchain authentication methods
• Alternative identity proofing, such as requiring a photo of a physical ID
By strengthening the approach to security through these and other KBA alternatives, it should be possible to keep proprietary and sensitive data safer and reduce the number of breaches organizations experience.
When KBA Is Still Viable for Authentication
In some authentication protocols, KBA may still be used safely. Companies and institutions with robust user data protected by strong security can draw from their own information to create dynamic KBA queries. Hackers may still be able to gain access to this data, but it requires more work than looking up public records or obtaining aggregated information.
KBA may also be included as part of a larger, more robust approach to authentication. In systems designed to operate on a contextual basis, KBA is useful to fall back on when users can’t meet the requirements for other forms of authentication. Using KBA along with behavior monitoring incorporates patterns of users’ actions into the authentication process, allowing for termination of sessions or denial of access should unusual behaviors be detected.
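The contextual arrangement described above, as an added illustration that is not part of the original article: a small policy that offers KBA only as a fallback on a trusted device with normal behavior, builds the question from data the institution itself holds rather than public records, and terminates a session once behavior monitoring crosses a threshold. The thresholds, the `AuthContext` fields and the transaction records are assumptions constructed for the example.

```python
from dataclasses import dataclass
import random

ANOMALY_DENY = 0.8     # assumed threshold: behavior too unusual for any login
ANOMALY_KBA_MAX = 0.5  # assumed threshold: KBA fallback only below this score


@dataclass
class AuthContext:
    user: str
    mfa_available: bool   # user can complete a stronger factor (TOTP, push, etc.)
    device_trusted: bool  # device previously enrolled for this user
    anomaly_score: float  # 0.0 typical .. 1.0 highly unusual, from behavior monitoring


# Constructed example of data only the institution holds (not public records).
INTERNAL_RECORDS = {
    "alice": [("2024-05-02", "grocery store", 43.10),
              ("2024-05-03", "fuel station", 61.50)],
}


def choose_method(ctx: AuthContext) -> str:
    """Pick the authentication method the contextual policy permits."""
    if ctx.anomaly_score >= ANOMALY_DENY:
        return "deny"
    if ctx.mfa_available:
        return "mfa"
    if ctx.device_trusted and ctx.anomaly_score < ANOMALY_KBA_MAX:
        return "kba"   # fallback only: known device and normal behavior
    return "deny"


def dynamic_kba_challenge(user: str, rng=random):
    """Build one dynamic KBA question from internal records; None if no data."""
    records = INTERNAL_RECORDS.get(user)
    if not records:
        return None
    date, merchant, amount = rng.choice(records)
    return {"question": f"How much was your {merchant} purchase on {date}?",
            "answer": amount}


def verify_kba(challenge, response: str, tolerance: float = 0.005) -> bool:
    """Accept the answer if it matches within a small rounding tolerance."""
    try:
        return abs(float(response) - challenge["answer"]) <= tolerance
    except ValueError:
        return False


def should_terminate(session_scores, threshold: float = ANOMALY_DENY) -> bool:
    """Terminate a live session once behavior monitoring crosses the threshold."""
    return any(score >= threshold for score in session_scores)
```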
If KBA remains part of your identity and access management strategy, it may be time to consider adopting a better method. Examine your current security protocols, and assess the types of data handled by, stored in and transferred from your system. Sensitive data requires tougher security and smarter authentication methods. Make plans to add layers to your authentication protocol or phase out KBA in favor of stronger tactics.