Best practices in knowledge-based authentication
Knowledge-based authentication (KBA) is a methodology gaining increasing recognition for providing the identity proofing part of user authentication.
A group of senior IT pros got together during a Wisegate Roundtable session and had unguarded, honest conversations about knowledge-based authentication. They agreed that KBA is a technology:
- that has not yet reached its time,
- that is worth watching,
- whose value to individual companies will depend on a risk analysis decision.
There are as yet no detailed best practices available.
The roundtable started with one member presenting his own view of the need for and difficulties in reliable user authentication. It should be noted that this member’s need for reliable authentication is extreme. He provides valuable services to a very large, diffuse and widespread number of remote users.
The problem, he suggested, is that most existing user authentication processes rely on tokens that actually authenticate the token but not the individual. It remains necessary to prove the identity of the individual before the token is bestowed or accepted.
This process of identity proofing can be divided into three separate parts:
- resolution (ensuring the candidate is a unique individual)
- validation (ensuring the data used for resolution is accurate and valid)
- verification (ensuring the validated data belongs to the unique individual).
These three aspects can be combined in the one process best known as KBA. (In reality, “knowledge-based authentication” is a process patented by Equifax; the presenter suggested “out-of-wallet questions” as a term more suitable for the way most people use the term.) He pointed out that KBA does not rely on the seemingly absolute proof of identity that a driver’s license or passport or SSN would provide; rather, statistically a very high degree of identity proofing can be acquired through a combination of “out-of-wallet” questions such as date of birth, address and so on.
The current danger, however, is that in many cases providers are verifying the user identity without validating the data that is used for that purpose.
“Without ready access to validation proof, providers are ‘triangulating’ verification based on KBA-style questions. But that’s the problem – what is the best method for validation using KBA? We’re not ever going to be 100% accurate so the question is does it make sense to put in compensatory controls around the process; to use the services of multiple vendors and check data against each other?”
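To make the three-part split concrete, here is an added example (not code from the roundtable, Wisegate, or any vendor) that implements resolution, validation and verification as separate decision steps in Python. It builds out-of-wallet questions only from attributes that two independent data sources agree on, which is the cross-vendor check the presenter raised, and it refuses to verify at all when too little validated data survives, so the caller can fall back to a compensating control instead of accepting a weak proof. The vendor records, record ids and the minimum-question threshold are constructed assumptions for illustration.

```python
import hmac

# Constructed sample data: what two independent data vendors return per record id.
# Where the vendors disagree (vehicle_year for C-100, prior_zip for C-102), the
# attribute is not validated and must not be used for a question.
VENDOR_A = {
    "C-100": {"name": "Ada Lovelace", "dob": "1990-03-14", "zip": "02139",
              "prior_zip": "10001", "loan_lender": "Acme Bank", "vehicle_year": "2015"},
    "C-101": {"name": "Ada Lovelace", "dob": "1990-03-14", "zip": "60601",
              "prior_zip": "60602", "loan_lender": "Lakeside CU", "vehicle_year": "2012"},
    "C-102": {"name": "Bob Example", "dob": "1985-07-01", "zip": "94105",
              "prior_zip": "94110", "loan_lender": "Bay Bank", "vehicle_year": "2018"},
}
VENDOR_B = {
    "C-100": {"name": "Ada Lovelace", "dob": "1990-03-14", "zip": "02139",
              "prior_zip": "10001", "loan_lender": "ACME BANK ", "vehicle_year": "2016"},
    "C-102": {"name": "Bob Example", "dob": "1985-07-01", "zip": "94105",
              "prior_zip": "94111", "loan_lender": "Bay Bank", "vehicle_year": "2019"},
}
SOURCES = [VENDOR_A, VENDOR_B]
RESOLUTION_KEYS = ("name", "dob", "zip")   # attributes the claimant supplies up front
MIN_VALIDATED_QUESTIONS = 2                # assumed threshold below which KBA is too weak


def norm(value):
    """Canonical form for comparing values across vendors and against answers."""
    return " ".join(str(value).strip().lower().split())


def resolve(claim):
    """Resolution: the claimed attributes must pick out exactly one record.
    Zero or several matches is a failure, not a guess."""
    hits = [rid for rid, rec in VENDOR_A.items()
            if all(norm(rec.get(k)) == norm(claim.get(k)) for k in RESOLUTION_KEYS)]
    return hits[0] if len(hits) == 1 else None


def validate(record_id):
    """Validation: keep only attributes that every source returns with the same value."""
    records = [src.get(record_id) for src in SOURCES]
    if any(rec is None for rec in records):
        return {}
    first = records[0]
    return {k: first[k] for k in first
            if all(norm(rec.get(k)) == norm(first[k]) for rec in records)}


def question_bank(validated):
    """Out-of-wallet questions come only from validated data the claimant did not supply."""
    return {k: v for k, v in validated.items() if k not in RESOLUTION_KEYS}


def verify(record_id, answers):
    """Verification: every validated question must be answered correctly.
    Returns a reason code so the caller can pick a compensating control."""
    bank = question_bank(validate(record_id))
    if len(bank) < MIN_VALIDATED_QUESTIONS:
        return "insufficient_validated_data"
    for key, expected in bank.items():
        given = norm(answers.get(key, "")).encode()
        if not hmac.compare_digest(norm(expected).encode(), given):
            return "failed"
    return "verified"


def proof_identity(claim, answers):
    """Run the three stages in order; each stage can stop the process."""
    rid = resolve(claim)
    if rid is None:
        return "unresolved"
    return verify(rid, answers)


if __name__ == "__main__":
    ada = {"name": "Ada Lovelace", "dob": "1990-03-14", "zip": "02139"}
    print(proof_identity(ada, {"prior_zip": "10001", "loan_lender": "acme bank"}))
    bob = {"name": "Bob Example", "dob": "1985-07-01", "zip": "94105"}
    print(proof_identity(bob, {"loan_lender": "Bay Bank"}))
```

Two behaviours are worth noticing. Bob's record resolves and the one validated question would be answered correctly, yet the result is `insufficient_validated_data`, because only one attribute survived cross-vendor validation; that is exactly the case where the presenter suggests a compensating control rather than trusting a thin proof. Ada shares name and date of birth with a second record, so resolution depends on the third attribute; a claim that matches several records is reported as unresolved instead of picking the first hit.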
In the event, he received little response to this query. Not one participant in the roundtable owned to actually using KBA; although several confirmed their own interest in learning more. The presenter did, however, get several questions. Would, for example, social media proofing be adequate? He responded,
“I actually agree with the use of social media proofing as a compensating control because there is a target population out there – for example people under-18 – who do not have a history or record that can be used for verification. So I would say do not solely depend upon it, but use it as a compensatory control to mitigate your risk of identity error.”
Another question asked if the introduction of government prescribed national ID cards would solve the whole identity problem.
“The government has absolutely no desire or appetite to have a national identity card within the United States; so that is not a path to success in the US at all. Having said that, I would draw the analogy that both the UK and Australia have put into place what they call an identity validation service which both commercial services and government agencies can use to validate an individual’s identity. When someone comes and presents a driving license or a passport or some other pieces of information, you can take the information from that documentary evidence and gain from the service a matched or not matched response. That could help in many cases. I don’t think a national ID card would be a solution in the US, but a government validation service might well be.”
A participant further noted that ID cards would not solve the basic problem: they still authenticate the token rather than the user.
Other comments from the floor included the suggestion that most companies go through adequate user authentication when new employees are first employed and then on-boarded. Another pointed out that KBA might simply not be relevant to smaller companies with a relatively small number of employees.
However, the roundtable finished with another participant noting the value of continuous KBA-style identity proofing to prevent criminals hijacking financial transactions. It is, he suggested, a concept we shall need to revisit.