4 Big Problems with Knowledge Based Authentication

Let’s look at the traditional method of Knowledge-based authentication to understand its shortfalls.


Since the dawn of the web, online account authentication has barely changed. A user would input their username (email or screen name) and follow up with a password.

This is the foundation of knowledge-based authentication (KBA).

For companies that aim to appear more secure, it isn’t uncommon to use knowledge-based authentication questions in addition to your password. I bank with two different bank accounts; both ask me what street I grew up on in order to log in online. One is much more secure than the other, more on that later. The problem with relying on knowledge-based authentication is that these questions are essentially just another password.

4 Big Problems with Knowledge-Based Authentication

1. Easy to Work Out via Social Networking

Whether you are for or against it, social networking exists and makes it a lot easier to work out somebody’s knowledge-based authentication questions. One of my online banking questions is “what city was your father born in.” You could work that out from one of several social networks.

2. You Can Buy the Information

When a website has its database hacked, criminals profit from selling the data on the black market. That’s how it works. Each time one website is hacked, the security of every website that uses knowledge-based authentication becomes weaker. Passwords are reused across websites, and there is only a finite number of KBA questions in circulation.

The users whose data was leaked become highly vulnerable on the other websites that they use, regardless of what actions the victim website takes.

Why should one company’s fraud risk be linked to an unrelated website’s security sophistication? Security shouldn’t work this way. We already have alternatives.

3. They Slow the User Login Process

When designing a website or service, there is always a trade-off between security and usability. The safest web servers are the ones that are turned off, and the most usable websites require no authentication. For e-commerce firms, it is vital to have a smooth process to reduce abandonment and complete more sales; for banking, overt security challenges may add to brand trust.

4. Relying on KBA Reinforces the Idea of a ‘Walled Garden’

The term is usually used to describe a system like Facebook: a brick wall from the outside, but a whole world inside. In a security context, once the user is allowed inside the system they have free rein to do what they like: buy goods, change shipping details, transfer money.

Companies need to stop thinking of a single gate that grants access to every action; instead, think about what the action is and what risk it carries. How does the risk of changing a profile picture compare to the risk of moving $30,000?
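As an added illustration of that per-action risk idea (not code from the original post), here is a hypothetical step-up policy in Python: each action carries a base risk, the request context raises it, and the resulting score decides whether the existing session, a fresh password, or a strong second factor is required before the action is allowed. The action names, weights, thresholds and factor names are all assumed values for the illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Assurance(IntEnum):
    NONE = 0    # the already-authenticated session is enough
    REAUTH = 1  # re-prompt for the password
    STRONG = 2  # phishing-resistant second factor (e.g. a FIDO2 key)

# Hypothetical base risk per action on a 0-100 scale; tune to your threat model.
ACTION_RISK = {"change_profile_picture": 5, "change_shipping_address": 40, "transfer_money": 50}

# What each presented factor is worth. A KBA answer is deliberately credited
# with nothing: it is just another password, and often a public one.
FACTOR_LEVEL = {"session": Assurance.NONE, "kba_answer": Assurance.NONE,
                "password": Assurance.REAUTH, "fido2": Assurance.STRONG}

@dataclass
class Context:
    new_device: bool = False   # device not seen on this account before
    session_age_min: int = 0   # minutes since the user last authenticated
    amount: float = 0.0        # transaction value in dollars, if any

def risk_score(action: str, ctx: Context) -> int:
    score = ACTION_RISK.get(action, 60)  # unknown actions default to high risk
    if action == "transfer_money":
        # +10 per $1,000 moved, capped so value alone cannot exceed the scale
        score += min(int(ctx.amount // 1000) * 10, 50)
    if ctx.new_device:
        score += 25
    if ctx.session_age_min > 30:
        score += 10
    return min(score, 100)

def required_assurance(action: str, ctx: Context) -> Assurance:
    score = risk_score(action, ctx)
    if score >= 70:
        return Assurance.STRONG
    if score >= 35:
        return Assurance.REAUTH
    return Assurance.NONE

def authorize(action: str, ctx: Context, factors: list[str]) -> bool:
    """Allow the action only if the strongest factor presented meets the bar."""
    best = max((FACTOR_LEVEL.get(f, Assurance.NONE) for f in factors), default=Assurance.NONE)
    return best >= required_assurance(action, ctx)
```

With these assumed weights, changing a profile picture from an existing session passes with no challenge, while a $30,000 transfer scores 100 and is refused even when a password and a KBA answer are both presented.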


Knowledge-based authentication is no longer a suitable authentication method, and firms should be actively seeking to improve their security with a layered approach, in line with the recommendations of the leading security experts and analysts.

Find out more about replacing knowledge-based authentication and about behavior-based and risk-based authentication methods, or contact us to discuss how we can help protect your company from online threats.