
Wednesday, February 10, 2010

Secrets and Authentication
by Anna Slomovic, Anakam CPO

Five to ten years ago, little-known facts about our lives were widely used for authentication before we were permitted access to sensitive information. For example, if someone called a credit card company to check a balance or question a charge, she would provide identifying information for herself and her account, and then would be asked a question for security purposes. Quite often the question was, “What was your mother’s maiden name?” This was a “shared secret” model of authentication. The caller had provided a little-known fact about herself to the credit card company, and the credit card company used that fact to make sure that the caller was who she claimed to be.

Over time, as more organizations use the same facts in various contexts, “shared secrets” become much less secret. As a result, security questions started covering more and different facts. “Who is your favorite historical figure?” “Where was your father born?” “What was the make of your first car?” Those security questions are still used by many organizations for authentication for sensitive transactions such as password resets on e-mail accounts.

Now, with the proliferation of social networks, genealogy sites, blogs, and other ways for people to disclose more personal information about themselves in more different contexts, there are many fewer secrets than there used to be. As I wrote in Authenticating Password Re-sets, secret questions are no longer good enough as sole means to secure sensitive information. Something more is required.

Some organizations use dynamic Knowledge Based Authentication (dynamic KBA) for authentication. In dynamic KBA, an individual submits biographic data, which is matched against a public or private data set to retrieve information known about that individual. The retrieved information is not what the individual provided to the company, i.e., not a “shared secret,” but instead some combination of data about her history (e.g., past addresses) and past transactions (e.g., a recent charge to a credit card) that are collected from other sources. This is used to generate a set of questions that would be very difficult to answer except by the person to whom the data pertain. The questions could relate to any part of someone’s life, so a potential identity thief cannot know in advance which data is necessary to successfully answer them. An example of dynamic KBA used for authentication is the process of retrieving one’s credit report online.

Although it covers a much greater set of data, dynamic KBA has some of the same characteristics as the “secret questions.” The more the underlying data is disclosed and circulated online, the greater the opportunity for someone else to obtain this data and to use it to claim another person’s identity. In other words, biographical and even financial data becomes less and less secret as it is used and disclosed over time. The less such data is used, the longer it will remain secret. Using such data in rare instances, such as initial registration and identity proofing required for credential issuance, would make the data useful for longer than using it as a means of authentication prior to every session or every transaction.

Another approach to transaction authentication is a one-time passcode that is issued to a particular individual and has a limited lifetime. Such a passcode is randomly or pseudo-randomly generated, so it contains no information about an individual and has no connection to such information. As a result, such passcodes can be used for authentication as often as needed without in any way increasing the chances that the next authentication transaction might be weakened because of the data disclosed in an earlier one.
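A minimal issuer for the kind of one-time passcode described above, written as an added example rather than Anakam's own code: the code is drawn from a CSPRNG (so it carries no biographical information), is bound to a user, expires after a fixed lifetime, is accepted only once, and is rate-limited against online guessing. The class, parameter and constant names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6        # length of the numeric passcode
TTL_SECONDS = 300      # limited lifetime, as the post describes
MAX_ATTEMPTS = 5       # online guessing budget per issued code


class OneTimePasscodeIssuer:
    """Issues short-lived, single-use passcodes bound to a user id.

    The code comes from a CSPRNG, so it has no connection to any fact
    about the person; only a keyed HMAC of it is kept server-side, so a
    leaked table cannot be brute-forced offline without the key.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                     # injectable for testing
        self._key = secrets.token_bytes(32)     # server-side HMAC key
        self._pending = {}                      # user_id -> [tag, expires_at, attempts]

    def _tag(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, user_id):
        """Generate a fresh code for user_id, replacing any outstanding one."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = [self._tag(code), self._clock() + TTL_SECONDS, 0]
        return code  # deliver out of band (SMS, voice call, etc.); never log it

    def verify(self, user_id, submitted):
        """Return True once for the right code within its lifetime, else False."""
        record = self._pending.get(user_id)
        if record is None:
            return False
        tag, expires_at, attempts = record
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]          # expired or exhausted: discard it
            return False
        record[2] += 1
        if hmac.compare_digest(tag, self._tag(submitted)):
            del self._pending[user_id]          # single use: consumed on success
            return True
        return False


if __name__ == "__main__":
    issuer = OneTimePasscodeIssuer()
    code = issuer.issue("alice")
    print("accepted:", issuer.verify("alice", code))   # True
    print("replayed:", issuer.verify("alice", code))   # False
```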

Of course, nothing is infallible, particularly in information security. However, for the foreseeable future, combining dynamic KBA for identity proofing when a credential is issued with a one-time passcode that authenticates the holder of the credential in transactions that follow is a strategy that minimizes the disclosure of “secret” information and increases its usefulness for verifying identity in sensitive environments.





Readers' Comments



Anna Slomovic: Myisha, you make an excellent point that data behind KBA will also become known as it is used for issuance of more credentials. A couple of things to note, though. First, dynamic KBA is generated on the basis of facts that are created as the person goes about living his or her life. As a result, new data continues to be generated over a person's lifetime. It is important that KBA questions be related to many facts rather than asking about the same fact from multiple perspectives, but new facts are created all the time during a person's lifetime so there are more facts to ask about during KBA. Another point to consider is that we really do not know how good in-person identity proofing is or how it compares to KBA. Most people are not trained to recognize a valid out-of-state driver's license, for example, and no checks except visual inspection are usually performed. In the end, it's all about identity-related risk and ways in which organizations manage such risk.
Posted 2010-02-23 06:28:55



Myisha: I agree that the frequent use of the KBA is what depreciates its validity and therefore using it for credential issuance as opposed to each instance of authentication would help to protect the sanctity of the secret questions. At the same time, with the number of sites that most people visit when conducting business online, wouldn’t it lead to the proliferation of the use of KBA for identity proofing prior to credential issuance, thereby also contributing to the degradation of the validity of the KBA? So as with passwords, the more they are used the more individuals will either make their passwords the same, or write them down. How do you ensure that the more that the KBA is used, the same questions are not selected or that the answers to the secret questions are not proliferated among the many sites to which we need to gain access, thereby diluting their security? As with everything in life, moderation is key. Therefore, in instances where in-person proofing has been performed (e.g. identity vetting associated with the issuance of a bank account, institution of higher education, certification board, etc.), should those credentials be relied upon as a primary identity vetting mechanism and authoritative attribute source when appropriate, and use of dynamic KBA be used as an additional level of security or alternate mechanism when the above is not available?
Posted 2010-02-22 11:42:50


