Knowledge-based authentication (KBA) refers to a user-authentication process that seeks to verify the identity of an individual accessing a protected resource, such as a web site, using secret information to establish trust between the individual and a server. KBA requires the knowledge of personal information of the individual to grant access to the protected resource.
Existing KBA processes generally rely on the following underlying axiom: Demonstrating knowledge of some personal information, typically shared among the user and the server, is equivalent to proving the user's identity to the server. KBA is often used for sensitive status updates (e.g., password resets, personal record updates or banking information updates), where the user is required to provide the answer to one or more personal questions. The answers are generally considered to be easy to remember by the user but unknown by others.
Static KBA is based on a set of previously shared secrets, and challenges the user to provide the server with some secret (to the general public) user-specific information that has been previously shared between the user and the server during a set-up phase. Dynamic KBA is based on questions generated from a wider base of personal information. Dynamic KBA is generally considered an “on-the-fly” generation of personal information by the server based on, for example, the user's record, account and/or profile. For dynamic KBA, the user does not know in advance the question (challenge) that will be asked by the server.
While KBA offers a valuable authentication mechanism, KBA suffers from a number of limitations related to the prediction or discovering power of an attacker, which if overcome, could further improve the security and utility of KBA. For example, to allow the users to easily recall and correctly provide the answers to the questions that they are challenged with, KBA typically uses secrets that come from sets that do not have high entropy. Thus, KBA secrets are often easy to remember, and are often also easy to guess. For instance, the search space for guessing a randomly selected password comprised of eight case-sensitive characters, numbers or symbols is of a size of at least 648 (=248) whereas the search space for guessing the birth city of an individual corresponds to the number of cities in the world, i.e., 248,752(<218) (according to the 2007 Getty Thesaurus of Geographic names). KBA is thus often only used as an auxiliary means of authentication (e.g., in combination with high-entropy passwords).
KBA is vulnerable to brute-force or dictionary attacks, i.e., an exhaustive search through the small search space of the answers of a given question. In this case, the attacker has no information about the secret, other than that it comes from a fixed, well-defined universe (of relatively small size). In practice, dictionary attacks can search in even smaller search spaces if some background information is given about the victim user.
In addition, with the advent of the Internet, the plethora of Web data and the growth of social networking, the dividing line between what constitutes personal secret information and what may be personal but “guessable or discoverable” information is no longer clear. For instance, a person's mother's maiden name may be easy to obtain through social engineering methods. Furthermore, an attacker may attempt sophisticated data-mining attacks against a victim user's personal data from large volumes of general data that becomes legitimately available to the public or to selected communities. For example, a data mining effort over public records for a significant percentage of a targeted population of Texas residents also revealed mothers' maiden names.
Therefore, such attacks raise a big challenge for KBA authentication. A need therefore exists for techniques for preventing fraud related to KBA. Yet another need exists for improved KBA authentication techniques that permit the detection and remediation of fraud.