Problem solve Get help with specific problems with your technologies, process and projects.

Alternatives to password-reset questions tackle social networking cons

With so much personal information available on the Internet, finding the answers to someone's password-reset questions can be quite easy. In this tip, learn about alternatives to the password-reset question option that can lead to more secure Internet-facing applications.

It seems that social networks are rife with the sort of personal information that many people choose as answers...

to the password-reset questions used to reset a lost or forgotten password. Today, these knowledge-based authentication (KBA) questions are a lot less secure than they once were, due to the open nature of social networking sites and the public's lack of understanding of what personal information is. Whether a person's full resume is posted on LinkedIn or friends on Facebook are constantly reminiscing about intimate high school antics, personal information is slowly leaking onto the public Internet and contributing to social networking cons.

Knowledge-based authentication questions are a lot less secure than they once were, due to ... social networking sites and the public's lack of understanding of what personal information is.

How can an identity management professional regain strong association to ensure restoration of a person's authentication credentials while minimizing the risk of an attacker using publicly available information to reset a user's password and gain access to corporate systems and data? To answer this question, you need to rethink what technologies you use to validate an Internet-based end user.

Static and dynamic KBA
KBA technologies come in two forms, static and dynamic. Static KBA uses shared secrets, those questions you're asked upon account creation and to which only you should know the answers. As stated above, it's becoming harder to develop questions using answers that aren't part of the public domain. Thus, identity management personnel are looking elsewhere, and their first stop is dynamic KBA.

Dynamic KBA doesn't rely on fixed questions. When a user requests a password reset, it generates password-reset questions on the fly based on information in the user's personal aggregated data files (public records), compiled marketing data or credit reports. Examples of dynamic KBA questions are: What street address did you previously live at: a) 1080 Maple St., b) 9840 Willow Rd., c) 3460 High Rock Blvd.? Or: What is your height listed on your current driver's license: a) 5'4", b)5'7", c) 5'9"? Products like EMC Corp.'s RSA Security VerID, and IDology Inc., both use public records to deliver their KBA services. Because these offerings can be sold as Software as a Service (SaaS) models, they can be integrated into any existing Web service without the heavy lifting of integrating a public record collector and analysis tool into a company's current infrastructure.

While dynamic KBA is undoubtedly more secure than static KBA, it does have some problems. First is the perception that a company may gain access to information not needed for them to serve the customer, even though the KBA vendors claim no information is actually collected as part of the challenge activity, only the results of the tests. Despite this, consumers are slowly realizing that their financial and U.S. and state government-based information (i.e., court documents, drivers license information, publicly available financial information, physical address information, etc.) isn't as private as they thought. They're beginning to question, for example, why an online merchant is asking questions about their driver's licenses or mortgage information, when they may only want to purchase a low-dollar item like a book.

A second dynamic KBA problem is the availability of public records. Access to public records is made available for one purpose: to ensure the government is not discriminating against a person based on race, gender or religion. Public records are not meant to be available for commercial use. Many states in the U.S. are considering closing their public records, though requests for records for government oversight purposes would still be accepted. The Canadian government has already closed its records, and some governments in Europe have declared it illegal to use their public records for commercial use. So, while dynamic KBA works well and is fairly easy to interchange with static KBA, as the public becomes more concerned about privacy, legislation may limit this technology's lifetime.

Behavioral biometric characteristics: The human factor
So if static KBA is becoming insecure, and dynamic KBA has limited use, what's filling the gap? The answer is Behavioral Biometric Characteristics (BBC). BBC uses biometric characteristics that are acquired over time, and are at least partly based on behavior, not personal information. BBC bases its authentication verification on recognition of previously experienced stimuli and/or biometric data as the information is entered. BBC technologies include graphic object selections, keystroke dynamics (a user's typing behavior) and biometric signatures.

For graphic object selection, rather than selecting a set of challenge questions, the end user is presented with a graphic containing a number of smaller objects in it. For example, a messy kitchen, a backyard full of kid's toys, a child's bedroom, a page of images, etc. The user then mouses over the image and selects three to four graphic objects in a specific order; in the case of the bedroom graphic, the user may select the poster on the wall, the alarm clock next to the bed and a dirty sock on the floor, out of 50 or more choices. These selections are then stored with the user's account information and when the user needs to be challenged, he or she is asked to duplicate the selections. Since only the user knows what he or she selected, and in what order, it's extremely difficult for someone else to duplicate the choices.

A study was conducted in 2009 by the University of California at Berkeley which validated the use of  behavioral biometric characteristics (.pdf) as more secure than traditional password authentication (BioSig-ID) is one vendor that has a commercial product available using graphic object selection for validation. Of course the problem with this technology is that the user may forget what he or she selected and/or the order. Websites using this technology should have instructions on how to select objects and remind the user to select objects that he or she would easily remember.

Keystroke dynamics uses a different approach. People type at an average 30 to 40 words per minute, but when researchers looked at their strokes, they found that each person's keystroke dynamic -- the timing between strokes for certain letter combinations -- was as unique as a fingerprint. This means a person can be strongly identified by combining a keystroke dynamics tool with a simple static KBA product.

This technology is becoming a popular method of authentication, as proven by no fewer than ten companies entering the market, including AdmitOne Security Inc., iMagic Software, ID control B.V., Deepnet Security, Psylock GmbH and others. But, as with any emerging technology, this one has an issue as well; a legal issue. Covert use of keylogging software is on the rise, and the use of such software may be in direct and explicit violation of laws, such as the U.S. Patriot Act. If consent is not clearly obtained from the people at the keyboard, even though the actual residual content of the message -- the resultant text -- is never analyzed, read or retained, the status of the "dynamic context" of the text is probably in legal limbo. Advice from legal counsel with experience in this area should be obtained before attempting to use or even experiment with such software.

The final technology to consider for end-user validation is biometric signatures. One flaw of the graphic object selection technology is, like the static KBA products, that it uses a static graphic with static objects. This makes the technology vulnerable to a lucky guess. In order to eliminate this risk, biometric signatures present a graphic object, or group of objects, and require the user to draw his or her own graphics using a mouse or touchpad.

As part of the authentication process, the user is presented with a drawing area demarcated by grid lines and asked to draw whatever shapes they want in any number of grids. These images are then analyzed and stored. When the user needs to be re-authenticated, he or she is presented with the grid and asked to draw the images again. Despite the rough drawing capabilities of computer mice and touchpads, images are accurate enough for verification purposes. Unlike dynamic KBA, the information is not from public records, therefore mitigating privacy issues. The downside, of course, is there is only one vendor, BioSig-ID, who has commercialized this technology, though a company could potentially build its own.

Before an organization decides to move away from a static KBA technology to one of the more advanced technologies covered in this tip, it must consider the following set of questions in order to determine whether the change -- both in technology and in end-user or customer processes -- is worthwhile:

  • Is password authentication, using any verification technology, sufficient protection for the information being accessed?
  • How much risk does the current technology pose?
  • Can other static KBA questions be asked that may be less likely to be exposed?
  • Who are the end users? How will they use these technologies, and how knowledgeable are they?
  • Do we have the legal expertise to decide how to lawfully implement any new technologies?
  • Do we have the technical skills to execute a new technology, or do we need to consider SaaS, or some other approach?
  • How do we formally modify our existing applications to support another technology?
  • Where do we want to be with authentication in one year? Two years? Five years?

This tip only explored the way users can be more strongly validated, but there are other alternatives like system ID reputations, a "no fly list" for known malware and botnet issuing systems; device reputation, based on the components of a device matching the known components of the end-user's system, or even simple graphic techniques to verify that at least the user is a person and not a bot. But in the years to come it's likely that a combination of several new technologies or products will ultimately be needed to positively identify a legitimate user who needs to change his or her password.

About the author:
Randall Gamby is an enterprise security architect for a Fortune 500 insurance and finance company who has worked in the security industry for more than 20 years. He specializes in security/identity management strategies, methodologies and architectures.


This was last published in July 2010

Dig Deeper on Web authentication and access control