Problem solve Get help with specific problems with your technologies, process and projects.

Are knowledge-based authentication systems doing more harm than good?

In this Q&A, security expert Joel Dubin examines if the password security policies used in knowledge-based authentication systems are doing more harm than good.

How detailed should KBA (knowledge-based authentication) systems be without unreasonably digging into an individual's privacy? Is your pet's name or mother's maiden name enough? Should an enterprise enact authentication with information it already has, like a recent bill amount?
Knowledge-based authentication (KBA) is about finding a balance between privacy, security and ease-of-use. Also called "secret questions," KBA is often used as a backup or retrieval system for users that forget their password. It works like this: when a user forgets his or her password, he or she can engage a KBA system, which prompts the user for the answer to a secret question. If answered correctly, the system either retrieves or resets the password. The prompt can be automated through a link on a Web site, or over the phone through a customer service or help desk representative.

Users, however, often set up the answers to their secret questions at the same time as their user ID and password. So months later, when they have to answer a secret question, they've already forgotten the secret answer too, defeating the whole point of KBA.

There are also design and implementation issues with KBA. How many questions should be used? Should a series of prepared questions be offered to users at registration, or should users be allowed to make their own up? Usability studies have shown that KBA systems often confuse users, and they do better when offered a set of canned questions to choose from. Other studies have shown that requiring users to answer two questions isn't much more secure than having them answer one.

There can be other complications with KBA as well. One is cultural issues, particularly if your company operates internationally. Questions that are perfectly reasonable in one country may be either irrelevant or offensive in another. Security is another matter. The famous "mother's maiden name" question has already been compromised by identity thieves. One of the first destinations of a credit card thief is often a genealogical Web site in order to obtain this information on their victims, using that small bit of information to eventually steal a victim's complete identity.

When it comes to formulating the perfect KBA question, unfortunately there is no formula. Questions fall into two categories: factual, like "What was the name of your high school?" or "What city were you born in?" or, they can be about preferences, as in "What is your favorite color?" or "What is your favorite food?"

If privacy is a concern, the best mix of questions should probably come from both categories. For factual questions, a best practice could be to use information that the enterprise already has, as you suggest.

An interesting product you might want to take a look at is ExpectID IQ from IDology Inc. ExpectID is a service that creates questions from public records. The product generates neutral questions, like information about someone's prior address.

It's worth noting that security guru Bruce Schneier has said that secret questions actually lower security. Schneier claims that answers to secret questions are actually weaker than passwords, since they are basically easily guessed words. And, since they're used for bypassing passwords, they weaken rather than enhance the security of user ID and password systems.

For more information:

  • In ths Q&A, security expert Joel Dubin unveils the best methods for managing user permissions.
  • Learn how to add an extra layer of security to your passwords with some 'fudge'.
  • This was last published in April 2007

    Dig Deeper on Password management and policy