Knowledge-based authentication: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 05:10, 20 February 2021 edit Hiiisparks (talk \| contribs) 397 edits Fixed citation Tag: Visual edit ← Previous edit		Latest revision as of 18:31, 20 March 2025 edit undo Arlo Barnes (talk \| contribs) Extended confirmed users 7,622 edits →See also: 'what you know' is usually one of the factors in MFA Tag: 2017 wikitext editor
(6 intermediate revisions by 6 users not shown)
Line 1: {{Short description\|Method of user authentication that requires knowledge of private information}} '''Knowledge-based authentication''', commonly referred to as '''KBA''', is a method of [[authentication]] which seeks to prove the identity of someone accessing a service such as a financial institution or website. As the name suggests, KBA requires the knowledge of [[Personal data\|private information]] from the individual to prove that the person providing the identity information is the owner of the identity. There are two types of KBA: ''static KBA'', which is based on a pre-agreed set of shared secrets, and ''dynamic KBA'', which is based on questions generated from a wider base of personal information.<ref>K. Skračić, P. Pale and B. Jeren, "[https://ieeexplore.ieee.org/abstract/document/6596424/citations#citations Knowledge based authentication requirements]," ''2013 36th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO)'', Opatija, Croatia, 2013, pp. 1116-1120.</ref> == Static KBA (shared secrets) == Static KBA, also referred to as "shared secrets" or "shared secret questions"," is commonly used by banks, [[financial services]] companies and e-mail providers to prove the identity of the customer before allowing account access or, as a fall-back, if the user forgets their password. At the point of initial contact with a customer, a business using static KBA must collect the information to be shared between the provider and customer—most commonly the questions and corresponding answers. This data must then be stored only to be retrieved when the customer comes back to access the account. The weakness of static KBA was demonstrated in [[Sarah Palin email hack\|an incident in 2008]] where unauthorized access was gained to the e-mail account of former Alaska Governor [[Sarah Palin]]. The [[Yahoo!]] account's password could be reset using shared secret questions including "where did you meet your spouse?" along with the date of birth and ZIP code of the former governor to which answers were easily available online. Line 16 ⟶ 17: == See also == * [[Cognitive password]] * [[Identity verification service]] * [[Multi-factor authentication]] * [[Out of wallet]] == References == {{reflist}} ~~# Varghese, Thomas. "Addressing Red Flags Compliance". SC Magazine, Jan. 28, 2009. http://www.scmagazineus.com/addressing-red-flags-compliance/article/126529/. Retrieved 2009-09-15.~~ [[Category:Computer network security]]