data center

Security Sense: How Do You Do Knowledge Based Authentication When All Knowledge is Public?

How do you authenticate people based on data attributes they know when that very information is continually popping up in data breaches? It's a hard problem with no easy answers.

Have a think about the ways you identify yourself to institutions, both commercial and government. Think about the process you go through in order to establish that you are indeed yourself and it’s not someone else pretending to be you. In particular, consider the sorts of questions you’re asked in order to establish enough confidence on behalf of that institution that they should now proceed with granting you whatever it was you contacted them for in the first place. Very often, you’re asked to partake in what’s referred to as Knowledge Based Authentication or KBA and that’s something we’ve now got a real problem with.

Consider the sorts of questions you’re usually asked, a classic one being your date of birth. This has always been a ludicrous KBA question because it’s a personal attribute we willingly share with others, simply because most of us like cake and presents. Yet we have cases like Betfair using only that and an email address to reset your password. No, you don’t have to actually receive an email, you just simply say “here’s an email and a birthdate and here’s the password I’d like that account to have”. Now that’s an extreme example and I believe they’ve since seen the futility of that approach and made some changes, but date of birth is still frequently a part of the KBA process.

I have 69 data breaches in Have I Been Pwned? that contain dates of birth and those 69 breaches encompass a total of over 477 million records. Some of those records will be the same person breached on multiple services but however you cut it, that’s still hundreds of millions of people that have had a very common KBA question leaked publicly. Other typical identity verification attributes include things like mother’s maiden name, schools attended or home address and yes, there’s a truckload of all those been leaked too.

The other problem with KBA questions is that they’re typically immutable – they don’t change. This isn’t like, say, having your password exposed so you just go and choose a new one; static data attributes such as your date of birth or questions about your history simply don’t evolve as required. And don’t for a moment think they’re only exposed via data breaches either because we’re constantly sharing them over other channels too, particularly on social media.

I got to thinking about this situation in more detail recently after the South African “Master Deeds” breach where someone published the entire country’s KBA data to the web. How do you handle it when pretty much every single living person (and a bunch of deceased ones too) has had these immutable personal attributes obtained by an unknown number of potentially nefarious third parties? At best, the confidence level in any individual providing this data has to drop way down. At worst, you need to find a whole new way for an entire country to prove who they are. And don’t for a moment think this is just a South Africa thing either, this is the reality we’re increasingly facing across the globe and right now, we simply don’t have enough good alternatives.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish