Knowledge Based Authentication (KBA) is an authentication technique that proves an individual's identity using knowledge held in common by that individual and a service provider (and, ideally, by no one else). A common method for risk-based identification, identity verification, and account recovery, KBA can be excellent from a usability standpoint, but if implemented incorrectly it becomes a poor choice for systems that require a high level of identity proofing. “What’s your mother’s maiden name?”, “What’s your favorite color?”, “What’s the name of your first pet?” These are some of the security questions presented for KBA when users cannot remember their password. Security questions are considered great from a customer usability point of view: in effect, they act as a backup password when the primary password cannot be recalled.
However, a high-profile incident from 2008 exposed the weakness of KBA when unauthorized access was gained to the e-mail account of former Alaska Governor Sarah Palin. The account’s password could be reset by answering shared-secret questions, including “Where did you meet your spouse?”, together with her date of birth and zip code. For such a public figure, this information was easily found on the internet.
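To make that failure mode concrete, the following Python sketch is an added example and not code from the article or its authors. It stores security-question answers the way a backup password should be stored (normalised, salted, slow-hashed, all answers checked in one submission, with a lockout after a few failures) and then shows that none of this helps when the answers are public knowledge or drawn from a tiny answer space. The questions, the victim’s “public biography” and the attacker’s candidate list are all constructed for the example; nothing here is real data.

```python
"""Added example (not from the article): a minimal security-question (KBA)
verifier, plus two constructed attacks showing why public or low-entropy
answers defeat it even when answers are handled like passwords.

Assumptions (hypothetical, chosen for this example):
- answers are normalised (case, whitespace, Unicode form) before hashing;
- answers are stored as salted PBKDF2-SHA256 hashes;
- every enrolled question must be answered correctly in one submission, so
  the response never reveals which individual answer was wrong;
- an account locks after MAX_ATTEMPTS failed submissions.
"""
import hashlib
import hmac
import os
import unicodedata

MAX_ATTEMPTS = 3
# Deliberately modest so the example runs quickly; production deployments
# should use a much higher work factor (or a memory-hard hash).
PBKDF2_ROUNDS = 100_000


def normalise(answer: str) -> str:
    """Canonicalise an answer so 'State  Fair' and 'state fair' compare equal."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Slow, salted hash of the normalised answer (same treatment as a password)."""
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


class KbaAccount:
    """One user's enrolled security questions and lockout state."""

    def __init__(self, questions_and_answers: dict[str, str]):
        self._records: dict[str, tuple[bytes, bytes]] = {}
        for question, answer in questions_and_answers.items():
            salt = os.urandom(16)
            self._records[question] = (salt, hash_answer(answer, salt))
        self.failed_attempts = 0

    @property
    def locked(self) -> bool:
        return self.failed_attempts >= MAX_ATTEMPTS

    def questions(self) -> list[str]:
        return list(self._records)

    def verify(self, submitted: dict[str, str]) -> bool:
        """All answers must match in a single submission; no per-question oracle."""
        if self.locked:
            return False
        ok = True
        for question, (salt, expected) in self._records.items():
            candidate = hash_answer(submitted.get(question, ""), salt)
            # Constant-time compare, and keep evaluating every question so
            # neither the result nor the timing says which answer failed.
            ok &= hmac.compare_digest(candidate, expected)
        if not ok:
            self.failed_attempts += 1
        return ok


def public_info_attack(account: KbaAccount, public_profile: dict[str, str]) -> bool:
    """Attacker fills every question from the victim's public biography.
    One submission is enough; hashing and lockout never come into play."""
    guess = {q: public_profile.get(q, "") for q in account.questions()}
    return account.verify(guess)


def dictionary_attack(account: KbaAccount, target_question: str,
                      candidates: list[str], known_answers: dict[str, str]) -> tuple[bool, int]:
    """Attacker knows every answer except `target_question` and tries
    `candidates` in order of popularity. Returns (success, attempts_used)."""
    for attempt, candidate in enumerate(candidates, start=1):
        if account.locked:
            return False, attempt - 1
        guess = dict(known_answers)
        guess[target_question] = candidate
        if account.verify(guess):
            return True, attempt
    return False, len(candidates)


if __name__ == "__main__":
    # Constructed scenario (fictional): a public figure whose biography is online.
    Q_SPOUSE, Q_COLOR = "Where did you meet your spouse?", "What is your favorite color?"
    victim = KbaAccount({Q_SPOUSE: "State Fair", Q_COLOR: "Green"})
    print("public-info attack:", public_info_attack(victim, {Q_SPOUSE: "state fair", Q_COLOR: "green"}))
    victim = KbaAccount({Q_SPOUSE: "State Fair", Q_COLOR: "Green"})
    print("dictionary attack:", dictionary_attack(victim, Q_COLOR, ["blue", "red", "black", "green"],
                                                  {Q_SPOUSE: "State Fair"}))
```

The lockout caps a dictionary attacker at MAX_ATTEMPTS submissions, so for a question whose answer comes from a list of N common values the attacker still succeeds with probability of roughly MAX_ATTEMPTS/N; and when the answer is public, the first submission succeeds. Sound storage and rate limiting are necessary, but they do not turn KBA into a method fit for high-assurance identity proofing.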
In this Knowledge Sharing article, Prasoon Dwivedi and Geoffrey Thomas explore the challenges of KBA and propose best practices for implementing a user-centric and secure authentication system. Understanding the issues involved in a complex KBA system helps one make the correct decisions when designing, implementing, and using such systems.