Something only the user knows.
Most of us have encountered Knowledge Based Authentication (KBA), though we might not have realized it had a name. Think back to a time when you phoned your mortgage or credit card company to discuss your account. They asked you fairly obvious questions, like the account number and the name on the account. However, they probably also asked you questions that may have seemed odd. Perhaps they asked the name of the high school you attended, your address two homes before your current one, or your mother’s maiden name. That was KBA trying to ensure that you really are the authorized account holder. These days, most people encounter KBA when they lose or forget the password to one of their accounts.
Prior to the evolution of the Internet into a public convenience, these challenges provided a reasonable level of certainty: the answers were expensive to acquire, if it was possible at all. For example, most states place land ownership information (titles and deeds) in the public record. Prior to the “Utility” Internet2, though, accessing those records required travel to the appropriate county courthouse and poring over dozens or hundreds of bound volumes or microfilm. Finding the name of your first pet, or your mother’s maiden name, generally required a personal relationship with you or your family.
No more. The utility Internet and the wealth of searchable information it holds have largely eliminated the authentication value of those challenges, and many more. In fact, it seems like a race between the search engines to “commit homicide” on KBA and individuals to “commit KBA suicide”: the factoids that Google, Bing, etc. can’t readily pick up on their own, people seem determined to share with the world on Facebook, LinkedIn, et al.
Any challenge related to one’s ancestry falls prey to the web genealogy databases, both free and paid. If you’ve never seen one, take a wander through the public portions of Ancestry.com or Brigham Young University’s Family History Collection. Your mother’s maiden name is one of the first pieces of information you see on the pages related to your immediate family. In addition to employing public records, many of these sites also “crowd source” the information. Similar to Wikipedia, they allow any interested party to add linkages and other information. Some member of your extended family might be enhancing the entries in one of them right now.
Have you ever encountered a challenge that used questions from your high school? Which high school did you attend? What city was it in? What was the mascot? What were the school colors? Well, classmates.com and its brethren can answer those questions for your adversary. Even a question like “Who was your favorite teacher?” could yield to polls on classmates.com, polls you didn’t even answer.
Consider the information commonly included in social media profiles on sites like Facebook or LinkedIn. Compare that with the questions you’ve been asked to authenticate yourself over the years. City of birth. Birth date. Current city. Name of your first pet. A current pet’s name. And on and on and on. Facebook holds many of the answers, just waiting for an adversary to harvest prior to attacking, say, your bank account, or the server systems and network of your employer.
Public Data Sources
Some challenges sound more reliable than others, but really aren’t. Not any more, at least. Some systems use challenges along the lines of what was your street address two addresses ago. If you live in apartments, that one might still provide some value. If you have owned your own homes, though, most jurisdictions make titles and deeds public records. A quick real estate search may be all your adversary requires.
And public records reach farther than many people imagine. In most states, birth and death records are public. So are marriage and divorce records. So are many legal proceedings. Sometimes arrest and booking records are public. Trial and conviction records almost always are.
Obviously, these sources can provide a lot of information that can undermine typical KBA challenges. “In the old days”, accessing a lot of that information required physically going to the county courthouse in the proper jurisdiction. The “utility” Internet makes most of that information available at the tap of a keyboard.
Taking a moment to think more deeply about this, Facebook recently added Graph Search to their arsenal. This facility lets an adversary turn this sort of reconnaissance on its head. Suppose an adversary knows that the KBA for a specific bank includes the town in which you were born. Facilities like Graph Search allow them to get answers to questions like “who are all of the Facebook members who live in Boston but were born in Denver?” A few searches like this, perhaps adding “and ‘like’ My Local Bank”, and the attacker can nail down a set of target individuals with a higher likelihood of quick success. Rather than researching one victim, the attacker picks the victims whose answers are already known.
See “FBstalker Automates Facebook Graph Search Data Mining” for even scarier possibilities.
Storage and Breaches
In case your day hasn’t soured enough yet, think about the number of answers to these questions you’ve given to different organizations over the years. They stored the answers in databases, or they’d be useless as challenges. How many of those vendors have suffered data breaches? Even if you don’t “put it on Facebook”, some data thief may have plundered your answers from the database of some organization with which you have a relationship, say your mortgage or credit card company. Or you might have mentioned it in off-hand remarks on a web forum or mailing list. Let’s avoid thinking about having our entire credit report, tax file, or medical history disclosed to adversaries.
Moving KBA Forward: Contextual Challenges
The next step in the evolution of KBA challenges trades some convenience for increased security by narrowing the context. For example, a bank might request the account balance from your most recent statement as a challenge. Adversaries would normally find information like this more difficult to locate, since it is tightly bound to specific transactions occurring within the relationship. A bit more secure, a bit more difficult, and a bit less convenient, a vendor might challenge you to provide the amount of the most recent transaction on the account.
These sorts of challenges provide considerably more security in some cases: those cases in which both you and your vendor strongly protect your transactional history. They also prove considerably less convenient, since many users must look the answer up. Users of “paperless” accounts might find those factoids even easier for the adversary to acquire: the statements live in an e-mail inbox or web portal, and an adversary who has already compromised that inbox has the answers at hand.
Beyond KBA: Something only the user is
Some tout biometrics as a solution to the authentication problem. When most people think of biometric identification, they think of fingerprints, iris scans, or retinal scans. However, biometrics cover much more ground than that. The advent of wearable technology expands that landscape considerably. For example, many smart phones contain accelerometers, and some also feature gyroscopes or magnetometers (compasses). These sensor technologies can enable biometrics based on movements, like individual gaits or gestures. More subtle sensors might allow characterization by heart rhythm, blood pressure, and other dynamic processes of an individual’s own body. Facial and voice recognition also have a role to play here.
On the surface, biometrics seem to solve the same authentication issues that KBA addresses. Biometrics do have certain advantages. Most people don’t have to remember to take along their eyes and fingers, after all. However, common biometrics suffer two significant problems: they cannot be revoked and reissued, and some change over time. Getting a new scar on your fingertip can prevent legitimate access to your accounts, or require lengthy re-enrollment. If your adversaries find a way to replicate your retinal pattern, you can’t simply change yours. A biometric is also not a secret in the way a password is: you leave fingerprints on every surface you touch and your face in every photograph, so the system’s strength rests on detecting a replica, not on keeping the trait hidden.
Industry must overcome these two problems before biometrics can function as a useful authentication mechanism. That still leaves at least one hurdle, though. Biometric identification mechanisms can interact with jurisprudence (Apple’s Fingerprint ID May Mean You Can’t ‘Take the Fifth’), sometimes in surprising ways.
Beyond KBA: Something only the user has
Another potential answer to these difficulties lies in “token” technology, like the common RSA-style “key fob”. These products can provide a very high level of both protection and authentication, as long as the token holder exercises tight physical control over the device. However, they are not foolproof. In 2011, attackers compromised RSA Security’s systems3 and made off with information about SecurID tokens that allowed them to impersonate some of those tokens. A code-generating token holds a secret seed, and the vendor and the customer’s authentication server hold copies of it; whoever obtains a copy can generate the same codes without ever touching the fob. As with challenge answers stored in vendor databases, even tokens provide security that is reliant on a third party’s system security.
Numerous other technologies can act as “tokens” for the purposes of authentication. Items such as smart cards, magnetic stripe cards, and RFID tags can play the same role as the tokens discussed above, though not equally well: a magnetic stripe or a simple RFID tag carries a static value that any reader can copy, while a smart card or code-generating token holds a secret that it uses but never discloses. Newer technologies with more processing power include smart phones and wearable computing. These offer completely new approaches to “something you have” authentication by allowing out-of-band communication and processing as part of the authentication process. For example, a vendor’s authentication process might require that you declare a mobile device number to the host. When special authentication becomes necessary, say you lost your password, the host sends a message to the declared device, and the person wishing access must supply some artifact of that message (a one-time code, for instance) through a different channel, say, the web session. This shifts trust to the declared device and to the channel that delivers the message, so a change to the declared number deserves the same scrutiny as a password reset.
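The following is an added example, not code from the original article or from RSA: it shows how a seed-based one-time-code token works and why the stolen seed records described above are enough to impersonate the token. It uses the open HOTP/TOTP standards (RFC 4226 and RFC 6238) rather than RSA’s proprietary SecurID algorithm, so the mechanism is illustrative of the class, not of the specific product. The seed is the RFC 6238 test vector, not a real token.

```python
"""Added example: seed-based one-time codes (RFC 4226 HOTP / RFC 6238 TOTP)
and the consequence of seed theft. Not RSA's SecurID algorithm."""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, then the low `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, drift: int = 1) -> bool:
    """Server-side check. Accepts +/- `drift` steps to tolerate clock skew
    and compares in constant time so timing does not leak matching digits."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(seed, c, digits), code)
        for c in range(counter - drift, counter + drift + 1)
    )


def seed_theft_demo(unix_time: int = 59) -> dict:
    """The 2011-style failure: the seed is the only secret, so a copy taken
    from the vendor's records produces codes the server must accept."""
    seed = b"12345678901234567890"   # RFC 6238 SHA-1 test seed (constructed)
    stolen = bytes(seed)             # attacker's copy from the vendor database
    legit = totp(seed, unix_time)
    forged = totp(stolen, unix_time)
    return {
        "legit_code": legit,
        "forged_code": forged,
        "forged_code_accepted": verify_totp(seed, forged, unix_time),
        # "000000" is none of the codes for the three accepted counters
        "wrong_code_rejected": not verify_totp(seed, "000000", unix_time),
    }


if __name__ == "__main__":
    print(seed_theft_demo())
```

The point for a defender is that the fob and the server are two holders of one symmetric secret; protecting the server-side seed store (and the vendor’s copy) is as important as the physical control the text demands of the token holder.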
As is so often the case, convenience and security tug at each other in “push-me-pull-you” fashion. Many common KBA challenges work well enough to fend off casual attackers, the ones who don’t perform reconnaissance prior to attack. However, they now provide little in the way of trustworthy authentication once an adversary makes the effort to perform reconnaissance. Even with these weaknesses becoming more widely known4, 5, news reports show no particular movement away from KBA outside very specialized niches of government and industry. Indeed, authentication largely stays “below the radar” of CISOs6.
Defending: Choosing Challenges
Beware using or answering KBA challenges whose answers can be easily found with an Internet search or in public records. Those answers aren’t secret, so they provide little authentication benefit. Before deciding on KBA challenges, search for yourself and your friends on the major Internet search engines. Review your accounts, and theirs, including those on social media. Check your family ties in genealogical databases. Anything showing up in any of those searches is not a good candidate for a KBA challenge.
As with passwords, don’t use the same answer for multiple sites. Answers generally carry far less entropy than a password (there are only so many pet names and mascots), so users encounter the same difficulties when reusing answers as when reusing passwords, and a breach at one vendor unlocks the others. This can prove difficult, though, because vendors usually select the questions. In those cases the user’s only lever is the answer itself, and nothing requires the answer to be true: a KBA system compares strings, so a random answer recorded in a password manager serves the purpose better than the real fact.
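The following is an added example, not from the original article, covering both the “Storage and Breaches” concern and the reuse advice above. On the vendor side it stores KBA answers as salted, slow hashes of a normalized form instead of plaintext, so a plundered table does not hand the answers to the attacker while sloppy phone-call spelling still matches; on the user side it generates a random, site-unique answer that an agent can still read back. The wordlist and sample answers are constructed for the demo, and the PBKDF2 iteration count is an assumption to tune per deployment.

```python
"""Added example: hashed storage of KBA answers (vendor side) and random,
per-site answers (user side). Not the original article's code."""
import hashlib
import hmac
import math
import os
import secrets
import unicodedata
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # assumption: deliberately slow, tune to hardware


def normalize_answer(answer: str) -> str:
    """Canonical form so 'St. Mary's' and 'st marys' compare equal. Vendors
    usually cite this fuzzy matching as the reason for plaintext storage;
    normalizing before hashing gives the same tolerance without plaintext."""
    folded = unicodedata.normalize("NFKD", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt per answer defeats
    precomputed tables over the tiny answer space (pets, mascots, cities)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS, dklen=32)
    return salt, digest


def check_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    _, cand = hash_answer(candidate, salt)
    return hmac.compare_digest(cand, digest)


# Constructed 32-word list (5 bits per word). A real deployment would use a
# much larger diceware-style list; kept small so the entropy arithmetic shows.
WORDLIST = [
    "amber", "basil", "cider", "delta", "ember", "fable", "gable", "haven",
    "ivory", "jumbo", "kayak", "lemon", "mango", "noble", "ocean", "pearl",
    "quill", "raven", "sable", "tango", "umber", "vivid", "wheat", "xenon",
    "yacht", "zesty", "acorn", "bloom", "cedar", "dusky", "eagle", "frost",
]


def answer_entropy_bits(nwords: int, wordlist=WORDLIST) -> float:
    """Bits of entropy in an answer of `nwords` uniformly chosen words."""
    return nwords * math.log2(len(wordlist))


def generate_unique_answer(nwords: int = 4, wordlist=WORDLIST) -> str:
    """User side: a random answer unrelated to the real fact, generated
    fresh per (site, question) and recorded in a password manager."""
    return " ".join(secrets.choice(wordlist) for _ in range(nwords))


def demo() -> dict:
    # Vendor keeps only salt+digest; the caller later spells the answer sloppily.
    salt, digest = hash_answer("St. Mary's High School")
    # Same question at two vendors gets two unrelated answers.
    site_answers = {
        ("bank", "first pet"): generate_unique_answer(),
        ("broker", "first pet"): generate_unique_answer(),
    }
    return {
        "sloppy_spelling_matches": check_answer("st marys high school", salt, digest),
        "wrong_answer_matches": check_answer("Lincoln High", salt, digest),
        "bits_per_answer": answer_entropy_bits(4),
        "site_answers": site_answers,
    }


if __name__ == "__main__":
    print(demo())
```

A random four-word answer from a 32-word list carries only 20 bits, which is why the list should be large in practice; but even that beats “Fluffy”, which an adversary reads off Facebook. Note that hashing protects the vendor’s table only against offline reading; an answer that is public knowledge is guessable through the front door however it is stored.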
Defending: Align Risk and Reward
Align the difficulty of KBA challenges with the value of the credentials they protect. Individuals and organizations providing higher value targets, who will be surveilled prior to attack, must rethink their KBA challenges for high value functions. For example, the possessors of trusted access credentials within a bank or other financial institution must give up some convenience in order to better protect their credentials from subversion.
Defending: Asymmetry of Risk
An issue of particular importance here concerns “asymmetry of risk”. As an example, consider an individual bank account. If the credentials controlling that account fall victim to KBA subversion, the risk to the bank is very low. The repercussions have small value compared to the bank’s overall business. As long as such security bypasses occur infrequently, they have no material effect on the business. However, if your bank account is compromised, the repercussions to you can be quite severe. This can lead to vendors creating KBA challenges that are appropriately correlated with their view of the risk, but definitely misaligned with the customers’ view of the risk.
Note 2: By the “utility” Internet, we refer to the Internet of today. It includes so much capability and functionality that it resembles a necessary public utility more than a discretionary tool.
Note 3: RSA FraudAction Research Labs. Anatomy of an Attack, RSA Speaking of Security weblog. URL https://blogs.rsa.com/anatomy-of-an-attack/
Note 4: LexisNexis Hack Signals the Death of Knowledge-Based-Authentication – NuData Security, 27 September 2013. URL http://www.prweb.com/releases/2013/9/prweb11169573.htm
Note 5: Hack of data brokers highlights weakness of knowledge-based authentication, 27 September 2013. URL http://blogs.csoonline.com/access-control/2791/hack-data-brokers-highlights-weakness-knowledge-based-authentication
Note 6: According to the IBM 2013 CISO Assessment A new standard for security leaders (page five), only 12% of CISOs regard “alternative authentication mechanisms” as a high-importance issue for their organization and its security efforts. https://www.ibm.com/security/ciso