Arlo Barnes (talk | contribs) →See also: 'what you know' is usually one of the factors in MFA
(32 intermediate revisions by 24 users not shown)
Line 1:
{{Short description|Method of user authentication that requires knowledge of private information}}
'''Knowledge-based authentication''', commonly referred to as '''KBA''', is a method of [[authentication]] which seeks to prove the identity of someone accessing a service such as a financial institution or website. As the name suggests, KBA requires the knowledge of [[Personal data|private information]] from the individual to prove that the person providing the identity information is the owner of the identity. There are two types of KBA: ''static KBA'', which is based on a pre-agreed set of shared secrets, and ''dynamic KBA'', which is based on questions generated from a wider base of personal information.<ref>K. Skračić, P. Pale and B. Jeren, "[https://ieeexplore.ieee.org/abstract/document/6596424/citations#citations Knowledge based authentication requirements]," ''2013 36th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO)'', Opatija, Croatia, 2013, pp. 1116-1120.</ref>
== Static KBA (
Static KBA, also referred to as "shared secrets" or "shared secret questions," is commonly used by banks, [[financial services]] companies and e-mail providers to prove the identity of the customer before allowing account access or, as a fall-back, if the user forgets their password. At the point of initial contact with a customer, a business using static KBA must collect the information to be shared between the provider and
Some identity verification providers have recently introduced secret sounds and/or secret pictures in an effort to help secure sites and information. These tactics require the same methods of data storage and retrieval as secret questions.▼
▲Some identity verification providers have recently introduced secret sounds
== Dynamic KBA ==
Dynamic KBA is a high level of authentication that uses knowledge questions to verify each individual identity but does not require the person to have provided the questions and answers beforehand. Questions are compiled from public and private data such as marketing data, [[credit reports]] or transaction history.
Dynamic KBA is a high level of verification that also uses knowledge questions to verify each individual identity, however this method requires no previous contact. This is because the questions are generated on the fly and based on information in a consumer’s personal aggregated data file (public records), complied marketing data or credit report. To initiate the process, basic identification factors, such as name, address and date of birth must be provided by the consumer. Then questions are generated in real-time from the data records corresponding to the individual identity provided. Typically the knowledge needed to answer the questions generated is not held in a wallet (some companies call them out-of-wallet questions), making it difficult for anyone other than the actual identity to know the answer and obtain access to secured information. ▼
Dynamic KBA is employed in several different industries to verify the identities of customers as a means of fraud prevention and compliance adherence. Because this type of KBA is not based on an existing relationship with a consumer, it gives businesses a way to have higher identity assurance on customer identity during account origination. ▼
▲
▲Dynamic KBA is employed in several different industries to verify the identities of customers as a means of fraud prevention and compliance adherence.
== See also ==
* [[Cognitive password]]
* [[
* [[Multi-factor authentication]]
* [[Out of wallet]]
== References ==
{{reflist}}
[[Category:Computer network security]]
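Review bot: In the Dynamic KBA section, the opening sentence "Dynamic KBA is a high level of authentication" makes an assurance claim with no source; the only <ref> visible in this diff is the MIPRO paper cited in the lead. Either reword the sentence so it only describes the method (questions compiled from existing records, with no questions and answers provided beforehand) or attach a citation that supports the strength claim, since the same paragraph says the questions draw on "public and private data such as marketing data, [[credit reports]] or transaction history" and gives the reader no basis for judging how hard that data is for someone else to obtain. The edit summary justifies the new See also link by saying 'what you know' is one of the factors in MFA, but the visible article text never states that relationship; a sourced sentence in the lead would carry that point better than a See also entry alone.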