By Kyle Kilcoyne • May 22, 2017

Death of KBA Marks New Era for Authentication

The number of tracked data breaches in 2016 was 1,093, a 40 percent increase from 2015, the Identity Theft Resource Center found. Headline-making breach follows headline-making breach in the United States, and all the attention on security has done little to stem the onslaught. What's more, this figure of roughly three breaches per day counts only reported incidents, not the ones that go unnoticed or are quietly swept under the rug. Plenty of breaches never make it into the public eye.

A forty percent rise in data breaches in 2016 has consumers demanding new authentication.

There are too many motivations and attack vectors behind data breaches to detail all of them. However, one theme comes across loud and clear in the data breach world: Knowledge-based authentication (KBA) is falling woefully behind the times, and organizations need to move on to more modern methodologies.

The problem with KBA

KBA initially gained momentum because it offered a simple, user-friendly way to back up a password. After all, it's easy enough to ask somebody about a small personal detail that isn't common knowledge. With passwords being clunky and hard to remember, the security question became a complementary form of KBA used to recover an account or to reconfirm a person's identity.

The problem? Those small personal details are no longer remotely private. What may once have been known only to friends and acquaintances is now available on social media to anyone who looks, and social engineers routinely mine those profiles for exactly the details security questions ask about. A "secret" that an attacker can look up is not a secret. At the same time, passwords are too problematic from a user-experience perspective to carry the load as the primary form of KBA.

KBA coming to an end 

The federal government is understandably one of the sectors most concerned with data breaches, and it has already begun making strides to combat the dangerous growth of these incidents. A big part of this progress? Disavowing KBA.

An advisory document from the National Institute of Standards and Technology warned government agencies that any authentication method that depends on something the user knows is inherently problematic, because it is difficult to ensure that the knowledge remains secret.

NIST went so far as to state that asking users to answer questions whose answers can be confirmed from publicly available data is not acceptable for government agencies. The same guidance makes the parallel point about biometrics, stating that "Something you are does not generally constitute a secret," which is why NIST treats a fingerprint or face as usable only alongside another factor, never as a stand-alone authenticator.

The government isn't the only sector transitioning away from KBA. The financial services sector must also move on from KBA, as the outdated method is at the root of many of the application fraud challenges facing organizations. An Aite Group study pointed out that application fraud has become even easier than in years past because people share so much personal information on social media that KBA has been rendered all but useless for user authentication and fraud prevention.

KBA isn't the only problem in the authentication world, but the issue is heightened by the weakness of traditional user identification methods that are often used alongside security questions. Here are a few examples:

Passwords
First of all, passwords are just another form of KBA. Not only are they something the user knows, but in order to remember them, individuals often build them from familiar information: a pet's name, a birth year, a hometown. This means that anybody with access to the user's social media and a willingness to guess for a while has a real shot at breaking the password. Furthermore, mandating ever more complex passwords simply ruins the experience of using an app and may push individuals toward alternatives, because clunky password entry gets frustrating fast.

This is just the tip of the iceberg for password problems. But if you take nothing else away from this note on passwords, consider this: using a password alongside a security question isn't actually multi-factor authentication, because both are something the user knows, leaving a single point of failure. True multi-factor authentication combines at least two of the three distinct factors: something the user knows, something the user has, and something the user is.
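To make the two points above concrete, here is an added example (not code from the original post or from Confirm) of the check a verifier can run on the server side. The first half shows how little work it takes to derive a security-question answer or password from a public profile, and rejects secrets that fall out of that derivation; the second half counts authentication *factors* rather than authenticators, so that password plus security question is correctly scored as single-factor. The profile, the authenticator names and the mangling rules are constructed for illustration and are assumptions, not a standard.

```python
import itertools
import re
from datetime import date

# Constructed sample profile: the sort of detail scraped from any public social-media page.
SAMPLE_PROFILE = {
    "first_name": "Jane",
    "last_name": "Doe",
    "birth_date": date(1984, 7, 4),
    "pet_name": "Biscuit",
    "city": "Boulder",
    "high_school": "Fairview",
    "spouse": "Sam",
    "team": "Broncos",
}

# Assumed attacker mangling rules: leetspeak substitutions and the usual tacked-on suffixes.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
COMMON_SUFFIXES = ["", "1", "12", "123", "!", "!!", "2017"]


def _tokens(profile):
    """Flatten a profile into lowercase tokens, expanding dates into the pieces people reuse."""
    words = set()
    for value in profile.values():
        if isinstance(value, date):
            words.update({
                str(value.year), str(value.year)[2:],
                f"{value.month:02d}{value.day:02d}", f"{value.month}{value.day}",
                value.strftime("%m%d%Y"), value.strftime("%d%m%Y"),
            })
        else:
            words.update(re.findall(r"[a-z0-9]+", str(value).lower()))
    return words


def derive_candidates(profile, max_combo=2):
    """Generate the guesses a patient attacker would try from public profile data:
    single tokens, ordered pairs of tokens, leetspeak variants, and common suffixes."""
    base = _tokens(profile)
    combos = set(base)
    for r in range(2, max_combo + 1):
        for combo in itertools.permutations(sorted(base), r):
            combos.add("".join(combo))
    candidates = set()
    for combo in combos:
        for variant in (combo, combo.translate(LEET)):
            for suffix in COMMON_SUFFIXES:
                candidates.add(variant + suffix)
    return candidates


def normalize(secret):
    """Case-fold and drop whitespace so 'Biscuit 84' and 'biscuit84' are treated alike."""
    return re.sub(r"\s+", "", secret.lower())


def check_secret(secret, profile, min_length=8):
    """Return None if the secret is acceptable, otherwise a short rejection reason.
    A KBA answer or password an attacker can assemble from a profile page is not a secret."""
    norm = normalize(secret)
    if len(norm) < min_length:
        return "too short"
    if norm in derive_candidates(profile):
        return "derivable from public profile"
    # Substring check catches secrets merely built around a profile token, e.g. 'mybiscuit84'.
    for token in _tokens(profile):
        if len(token) >= 4 and token in norm:
            return f"contains profile token {token!r}"
    return None


# Assumed mapping of authenticator types to the three factor categories.
FACTOR_OF = {
    "password": "know", "security_question": "know", "pin": "know",
    "totp_app": "have", "hardware_key": "have", "sms_otp": "have",
    "fingerprint": "are", "face": "are",
}


def distinct_factors(authenticators):
    """Count factor categories, not authenticators: password + security question is one factor."""
    return {FACTOR_OF[a] for a in authenticators}


def is_multi_factor(authenticators):
    """True only when at least two distinct factor categories are present."""
    return len(distinct_factors(authenticators)) >= 2


if __name__ == "__main__":
    for candidate in ["Biscuit84", "B15cu1t!", "MyBiscuit 84", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_secret(candidate, SAMPLE_PROFILE) or 'ok'}")
    print("password + security question is MFA:", is_multi_factor(["password", "security_question"]))
    print("password + hardware key is MFA:", is_multi_factor(["password", "hardware_key"]))
```

The candidate set for this small profile runs to a few thousand strings, which is trivial to generate and to try against an online login with no rate limiting; the length check alone would have passed every rejected example above.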

Social Security Numbers

And this last point brings us to the next great identity fallacy today: that basic personal details, such as a Social Security Number, are adequate as identifiers. The SSN was never meant to be used for identification (as our new infographic makes clear), and it is a static number that, once exposed in a breach, can never be changed. Simple identity documents can likewise be copied with ease. Stronger credentials, such as passports and driver's licenses with their built-in security features, are increasingly necessary for user authentication.


Solving the user identification problem

So KBA alone is completely broken, and combining it with basic, widely exposed identifiers such as passwords and SSNs won't work in today's authentication climate. What is the solution? Well, biometrics are a strong start. Research published in the International Journal of Automation and Computing stated that biometrics are inherently superior to KBA because they work from something a user is, a person with a unique fingerprint, face or iris, instead of depending on what the individual remembers.

However, biometrics are only one layer of defense, and a biometric can be captured from a photograph or a lifted print just as a security question can be answered from a profile page, so multi-factor authentication is still critical. Modern identity management systems are taking authentication to another level by verifying actual identity documents, such as driver's licenses. These documents combine a biometric identifier (the photo) with physical and encoded anti-fraud features on the card, and software can check both to identify a user accessing services online with far more confidence than a security question provides.

At Confirm, we take authentication further by empowering organizations to integrate the most robust forms of identification into their apps and services without hurting the user experience. KBA has survived this long only because user-friendly alternatives were lacking; that is no longer the case, as identity management has evolved to meet emerging user authentication demand.