At first glance, knowledge-based authentication seems like a pretty good option. You’re protecting an account or service based on information about the user that they know which isn’t necessarily available to the general public. There’s a reason so many online services have their users set security questions when they first create their accounts.
Unfortunately, those security questions are rather fatally flawed. Knowledge-based authentication that relies on a user’s identity or events in a user’s life is perhaps the least secure. If recent scandals involving Facebook and data sharing are anything to go by, all that information about us that’s supposed to be for our eyes only isn’t exactly private.
It’s startlingly easy to learn about a person’s habits, behavior, and identity online. Even a simple Google search offers a treasure trove of information. What that means is that a hacker can, if they are persistent enough, easily suss out the answers to a user’s security questions.
And knowledge-based authentication based on details like someone’s favorite food doesn’t work either. Not only do users have a tendency to forget the answers to their security questions, a 2015 study by Google found that hackers are able to guess the answers to these questions almost 20% of the time. In other words, it’s not much better than identity-based authentication.
“The promises of knowledge-based authentication has given way to some harsher realities,” writes Mike Baukes, co-founder and co-CEO of cyber-resilience platform UpGuard. “A thorough review of the processes should give enterprises and consumers alike great pause as to the resilience of knowledge-based authentication against exploitation by malicious actors…Enterprises must begin to err on the side of protecting customer data with more than a maiden name, or everyone will suffer.”
So…if knowledge-based authentication is a bust, what’s the alternative? How can we protect both customer and employee data? What needs to be done for us to move away from this outdated industry standard?
There are a few possibilities. Device-based authentication is a good option – allowing a customer who’s on a trusted, registered system such as a smartphone or desktop easier access to their data. Two-factor authentication is an option I would personally recommend – though I would advise against using SMS, as much has already been written about its insecurities.
Instead, use an app like Google Authenticator or code your own. Not only will this be easier on your users, it’s a lot harder to spoof a security measure like this. Biometric and behavioral authentication are also options you could pursue, though they may be somewhat more difficult than two-factor.
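To make the "code your own" suggestion concrete, here is an added example (not from the article, and not UpGuard's or Google's code) of the server side of app-based two-factor authentication: the time-based one-time password scheme from RFC 6238, which is what Google Authenticator and similar apps implement. It builds HOTP (RFC 4226) from HMAC-SHA1, derives TOTP from it with a 30-second step, emits the otpauth:// provisioning URI that an authenticator app reads from a QR code, and verifies a submitted code with a small clock-drift window, a constant-time comparison, and a "last accepted counter" check so a code that was already used cannot be replayed. The function and parameter names are this example's own choices; the sample secret in the comments is the RFC test-vector secret, not a production value.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> bytes:
    """Random shared secret. 20 bytes matches the HMAC-SHA1 output size (RFC 4226 recommendation).
    Store it encrypted at rest: anyone holding it can generate valid codes."""
    return secrets.token_bytes(nbytes)


def secret_to_base32(secret: bytes) -> str:
    """Authenticator apps take the secret as unpadded base32."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def provisioning_uri(secret: bytes, account: str, issuer: str, digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI in the format Google Authenticator and compatible apps scan from a QR code."""
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={secret_to_base32(secret)}"
            f"&issuer={quote(issuer, safe='')}&algorithm=SHA1&digits={digits}&period={step}")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = ((mac[offset] & 0x7F) << 24            # mask the sign bit of the 31-bit value
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    t = int(time.time()) if at_time is None else at_time
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: Optional[int] = None, step: int = 30,
                digits: int = 6, window: int = 1, last_used_counter: int = -1) -> Tuple[bool, Optional[int]]:
    """Check a user-submitted code.

    Accepts codes from `window` steps on either side of now (tolerates clock drift between
    phone and server). Never accepts a counter at or below `last_used_counter`, which the
    caller persists per user after each success: that is the replay protection. Returns
    (accepted, counter_that_matched) so the caller can store the new high-water mark.
    The caller should also rate-limit attempts, since a 6-digit code has only 10**6 values."""
    t = int(time.time()) if at_time is None else at_time
    now_counter = t // step
    submitted = submitted.replace(" ", "").strip()
    if len(submitted) != digits or not submitted.isdigit():
        return False, None
    for delta in range(-window, window + 1):
        candidate = now_counter + delta
        if candidate <= last_used_counter:
            continue                              # already consumed (or older): refuse replay
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, submitted):   # constant-time string comparison
            return True, candidate
    return False, None


if __name__ == "__main__":
    # Demo enrolment and verification with a freshly generated secret.
    s = generate_secret()
    print(provisioning_uri(s, "alice@example.com", "ExampleCorp"))  # example.com is a placeholder
    code = totp(s)
    ok, ctr = verify_totp(s, code)
    print("first use accepted:", ok)
    ok_again, _ = verify_totp(s, code, last_used_counter=ctr)
    print("replay of same code accepted:", ok_again)
```

The enrolment flow is: generate the secret, show the provisioning URI as a QR code once, have the user submit one code to prove the app is set up, then persist both the secret and the counter returned by `verify_totp` as the user's last used counter. The RFC 4226 and RFC 6238 test vectors (secret `12345678901234567890` as ASCII bytes) can be used to confirm the arithmetic: counter 0 yields `755224`, and the 8-digit TOTP at Unix time 59 is `94287082`.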
Ultimately, whatever you choose to do, you need to set knowledge-based authentication aside. It’s had its time in the limelight. It needs to give way to something new.