Knowledge Based Authentication a Thing of the Past
If you are wondering what knowledge based authentication (KBA) is, let me ask you a question: ‘What is your pet’s first name?’ Such questions are asked to verify someone’s identity, yet this kind of information about a person can be found online. After experiencing the vulnerability of such questions, the world is moving towards stricter yet efficient measures for granting access.
The Basics of Knowledge Based Authentication
A standard KBA system has four elements:
- The question should be suitable for a large population
- The user should easily be able to remember the answer
- There should be one correct answer
- Others should not be able to guess it
Going through this list alone reveals that many of these ‘barriers’ can be easily overcome. The premise is that if someone (or anyone) answers these questions correctly, their identity is verified.
But this could be anyone answering correctly.
What Went Wrong with KBA
Since social media has spread like wildfire, finding personal information about a person has become easier. Let’s look at four reasons why KBA is a weak security measure:
Easy to Find Information on Social Media
It is becoming very easy to find information about a person on social media. The more they engage online, the more ‘crumbs’ they leave for identity thieves. Go to LinkedIn to find where a person works, visit Facebook to find out the movies they like, search a Twitter handle to see their political affiliations, and the list goes on.
Information is for Sale
There are only a finite number of KBA questions circulating the web. Figuring things out about someone is not that hard. After hacking a website, the hackers put this stolen information up for sale. Pay the right price and buy someone’s personal information.
Agonizingly Slow User Log in Process
Every online portal performs a balancing act between usability and security. Put KBA questions in place and the entire online experience slows down. The more rigid the authentication process, the greater the chance that customers will abandon an unfinished form. This means fewer sales for an e-commerce website.
KBA – The All Access Pass
The old form of KBA used to give access after the security questions were answered. The problem was that once access was granted, it was like giving a kid the keys to the candy store. The identity thief had access to everything. There should be different checks, and different levels of security for those checks. Changing your profile picture does not carry the same risk as transferring $1000 into someone’s account.
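The point above, that a profile-picture change and a $1000 transfer should not sit behind the same check, can be expressed as a step-up authorization policy. The following is an added example, not code from the original article; the factor ranks, action names, freshness windows and the transfer threshold are assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass, field

# Assumed assurance ranks: knowledge factors rank lowest, because the
# article's argument is that knowledge alone is easy to acquire.
FACTOR_LEVEL = {"kba": 1, "password": 1, "otp": 2, "face_liveness": 3}

# Hypothetical policy: action -> (minimum level, max age of the proof in seconds)
POLICY = {
    "change_profile_picture": (1, 86400),
    "view_statement": (2, 3600),
    "transfer_funds": (2, 300),
}
HIGH_VALUE_TRANSFER = 1000  # constructed threshold: at or above needs level 3

@dataclass
class Session:
    user: str
    proofs: dict = field(default_factory=dict)  # factor -> unix time verified

    def record(self, factor, when=None):
        self.proofs[factor] = time.time() if when is None else when

    def level(self, max_age, now):
        """Highest assurance level among proofs that are still fresh."""
        fresh = [FACTOR_LEVEL.get(f, 0) for f, t in self.proofs.items()
                 if now - t <= max_age]
        return max(fresh, default=0)

def authorize(session, action, amount=0, now=None):
    """Return ('allow', None), ('step_up', required_level) or ('deny', None)."""
    now = time.time() if now is None else now
    if action not in POLICY:
        return ("deny", None)  # unknown actions fail closed
    need, max_age = POLICY[action]
    if action == "transfer_funds" and amount >= HIGH_VALUE_TRANSFER:
        need = 3  # riskier operation, stronger proof required
    if session.level(max_age, now) >= need:
        return ("allow", None)
    return ("step_up", need)  # caller prompts for a factor at this level
```

A session that only answered KBA questions can change a profile picture, but a transfer returns a step-up request instead of inheriting full access from the initial login.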
What about KBA 2.0?
Upgrading the old system won’t solve the problem. Authentication here is based on knowledge, which is becoming easy to acquire. Just look at your email spam folder. You have probably never even heard of those companies, but they still found out about you and your interests.
Modern forms of Verification
- Facial Recognition
The authentication trend has gravitated towards facial recognition. It is very difficult to appear as someone else in front of the camera. Even attempts to fool the system by holding up a picture in front of the camera are being thwarted by modern technology.
Facial recognition is becoming increasingly popular, specifically with banks. Banks are not only using it to give access to accounts; there have also been pilot projects for onboarding with it. They are constantly on the hunt for the best online verification services.
- Securing Identity with a Chain
The year 2017 saw the rise of cryptocurrencies. Bitcoin reached an unprecedented high. This wave also highlighted the technology that runs the cryptocurrencies, the blockchain. It is better to address a misconception before proceeding.
Blockchain technology is not confined to cryptocurrency; it is a cryptic form of networking. Once this open ledger is in place, it can be used for communication, monetary transactions, smart contracts, and many other things.
The key feature of blockchain is that it protects your digital identity. It is ingrained with a digital watermark that is unique to you. Every transaction that you carry out is performed with it, and it can’t be stolen.
Knowledge based authentication is slow, unsafe, and quite vulnerable to attacks. Deep learning and artificial intelligence based services are readily replacing KBA. These are much faster and safer. Through APIs, they integrate easily with websites and smartphone applications. Going forward, solutions such as facial verification and liveness tests will become common.