It’s time to kill off Knowledge Based Authentication and the Security Question

By J Connolly

Knowledge based authentication (or KBA) is the prompting of secret knowledge from a user in order to prove identity. It is frequently used when a user has forgotten their password or needs to access their account over the phone.

Even if you’re not familiar with the phrase, chances are you’ve come across KBA before. Questions such as “What is your mother’s maiden name?” and “The name of your first pet?” are laughably familiar to us.

But while KBA aims to be at least one half of the ideal authentication system (something you know), the questions protecting our most important information assets are not secret, not secure, and more often than not, forgotten.

The arguments against KBA seem straightforward, yet enterprises are still using KBA for customers and employees. All four of the largest webmail providers (AOL, Google, Microsoft, and Yahoo!) still use KBA to reset passwords, and fourteen of the largest 20 US financial institutions use it to identify customers.

So it’s worth laying out the argument for scrapping Knowledge Based Authentication and security questions completely.

How much do you know I don’t know?

The goal of the perfect security question is to be:

1. Something only the user knows
2. Something that is unique to them
3. Something that cannot be researched or guessed
4. Something they can remember

But finding a single piece of information about a user that meets all four criteria is difficult. Only a finite number of answers do, and the growth of social media and the amount of information being willingly shared online mean that the pool of answers that still meet goal 3 is shrinking.

Take the example of a pet’s name. While your childhood pet’s moniker may be safe for now, with adult dog owners posting a picture of their pal on social media an average of six times per week, it’s hard to imagine it being a safe question for the next generation.

As a sign of things to come, Sarah Palin’s email was hacked in 2008 by exploiting the KBA questions of Yahoo mail. The information used to answer the allegedly secret questions was found on Wikipedia. As individuals’ lives become more and more public, the information about them online will start to resemble the most visible of public figures and this sort of attack will become more likely if KBA is not phased out.

Questions that can’t be researched are also likely to be either guessable or not that unique. A survey of users by Microsoft revealed that acquaintances were able to guess the security answers of their peers 17% of the time. It also showed that 13% of answers could be guessed within five attempts using the popular answers of other participants.
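The 13% figure above is something a defender can measure on their own data. As an added example (not from the original post), this Python audit script scores each stored security question by the share of accounts an attacker would open by trying only the few most popular answers other users gave; the records are constructed sample data.

```python
"""Audit stored KBA answers: how many accounts would fall to an attacker who
simply tries the most popular answers other users gave to the same question?
Added example; the records below are constructed, not real data."""
import re
from collections import Counter

# Constructed sample records: (user_id, question_id, raw answer as typed).
SAMPLE_ANSWERS = [
    ("u01", "first_pet", "Max"),     ("u02", "first_pet", "max "),
    ("u03", "first_pet", "Bella"),   ("u04", "first_pet", "Rex"),
    ("u05", "first_pet", "MAX"),     ("u06", "first_pet", "Charlie"),
    ("u07", "first_pet", "Buddy"),   ("u08", "first_pet", "Bella!"),
    ("u09", "first_pet", "Luna"),    ("u10", "first_pet", "Zephyrine"),
    ("u01", "birth_city", "London"), ("u02", "birth_city", "Paris"),
    ("u03", "birth_city", "london"), ("u04", "birth_city", "Oslo"),
    ("u05", "birth_city", "Lima"),   ("u06", "birth_city", "Perth"),
    ("u07", "birth_city", "Cork"),   ("u08", "birth_city", "Bern"),
    ("u09", "birth_city", "Kyiv"),   ("u10", "birth_city", "Riga"),
]
# A question whose constructed answers are all distinct, for contrast.
SAMPLE_ANSWERS += [("u%02d" % i, "first_card_last4", "%04d" % (1000 + 37 * i))
                   for i in range(1, 11)]

def normalize(answer: str) -> str:
    """Fold case and drop whitespace/punctuation, as a lenient answer check would,
    so 'Max', 'max ' and 'MAX' count as the same guess."""
    return re.sub(r"[^a-z0-9]", "", answer.lower())

def popular_guess_coverage(records, k=5):
    """Per question: (fraction of users whose answer is one of the k most common
    answers shared by at least two users, list of those answers).
    Singletons are excluded so a small sample does not inflate the score."""
    by_question = {}
    for _, question, answer in records:
        by_question.setdefault(question, Counter())[normalize(answer)] += 1
    result = {}
    for question, counts in by_question.items():
        total = sum(counts.values())
        popular = [(a, n) for a, n in counts.most_common(k) if n >= 2]
        covered = sum(n for _, n in popular)
        result[question] = (covered / total, [a for a, _ in popular])
    return result

def weak_questions(records, k=5, threshold=0.13):
    """Questions where k popular guesses already match or beat the 13% survey figure."""
    return sorted(q for q, (cov, _) in popular_guess_coverage(records, k).items()
                  if cov >= threshold)

if __name__ == "__main__":
    for q, (cov, guesses) in popular_guess_coverage(SAMPLE_ANSWERS).items():
        print(f"{q:18s} {cov:5.1%} covered by guesses {guesses}")
    print("weak:", weak_questions(SAMPLE_ANSWERS))
```

Because normalisation mirrors what a forgiving answer check accepts, the script also shows how few distinct answers a question really has once spelling and case variants collapse.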

Lack of variety

The lack of suitable security questions available has not meant that KBA has been shelved. Instead it has resulted in a small roster of questions being widely used across several sites and services. The fact that we are all able to recognise several “classic” security questions shows how widespread this has become.

Unlike passwords though, Knowledge Based Authentication ensures that these answers never change. Once your mother’s maiden name, always your mother’s maiden name. This means that once a security question is revealed it can leave attackers an entry point to several services for several years.

This is not just a theoretical issue. The Yahoo breach which affected 3 billion accounts included security questions, which due to their ubiquity could be used to fraudulently access other services.

Memorably unmemorable

Questions that are unique, un-researchable, and difficult to guess seem to fall at the final hurdle: memorability.

With difficult questions that genuinely tax your memory, as some enterprises have trialled, this is immediately evident. The last four digits of my first bank card might be reasonably unique and hard to guess, but it’s one that I’ll struggle to answer years after the fact.

But we fail to remember easy security questions too. In one research paper, Google analysed their real-world data set on security questions and found that even for simple questions, only 40% of their English-speaking US users were able to recall their security answers at a later date. That is far below the reliability of SMS reset codes, which had an 80% success rate.

Gartner research on call centre KBA has also shown that 10 to 30 percent of legitimate callers fail to remember the correct answers to their questions, while fraudsters were able to access accounts with ease.

The gateway to more information

More worryingly, KBA questions are often deployed as a backup when users are unable to otherwise prove their identity, such as when they’ve forgotten their password. This undermines other productive steps many organisations have taken, such as password strengthening. It doesn’t matter how strong other parts of your security system are when attackers only need to overcome the weakest link in your organisation’s identity management platform.

Why use it at all

Some will argue that KBA has its place as part of a Multi-Factor Authentication implementation. But when it is widely accepted that KBA does not accurately identify users, it does not make sense to sacrifice even one level of authentication to a flawed system.

The National Cyber Centre has begun to recommend that enterprises move away from Knowledge Based Authentication, and correctly characterises it as

“a small speed bump of security; probably enough to deter a casual opportunist but no real barrier to someone more determined.”

KBA will always have the appeal that it is quick and easy to implement. But if any organisation wants to take their security seriously, they should finally bump off KBA and leave the security questions alone.