The Internet is widely used for commerce, social networking and other functions. However, some of the features that make the Internet useful for those functions also create vulnerability to misuse such as fraudulent purchases, unauthorized asset transfers and other antisocial and illegal acts based on identity theft.
Authentication is used to reduce vulnerability to misuse. One type of authentication is knowledge-based authentication (KBA). In KBA, a person's identity is validated based on their ability to provide information about themselves. This information can take the form of pre-shared secrets, e.g., answers to selected questions that the user has previously provided, such as mother's maiden name, first pet's name, grade school attended, etc. Another form of KBA is based on the person's ability to provide information about themselves that is gathered from various sources, e.g., motor vehicle records, real estate records and other public data. Another type of authentication is biometric authentication. Biometric authentication is based on a person's intrinsic physiological or behavioral traits, such as fingerprints, hand geometry, retinal pattern, etc.
One example of KBA in internet commerce is the use of a credit card to provide some level of assurance to vendors that the virtual identity of a customer matches the real identity of that customer. However, the assurance is limited to the ability to write a matching signature or remember a PIN code, which is weak because credit cards and PINs can be lost or stolen. Further, since credit card companies limit the liability of vendors and customers resulting from fraud, this level of assurance is sufficient for the purposes of online purchases but not much else. Another example of KBA on the Internet is the login. Typically, a username and password are selected by or assigned to the user. However, malfeasants have been known to establish bogus accounts. Further, even genuine accounts are vulnerable because usernames and passwords can be stolen or cracked with programs designed for that purpose. It is also known to perform KBA by having a user contact an agent at a call center. The call center agent has access to a database of personal information about the user, which is used as the basis for questions posed to the user. This technique is less vulnerable than the others, but still has some drawbacks. For example, the personal information is typically obtained from public records, which could also be obtained by a determined malfeasant. Further, the agent may reach a false conclusion because the information in public records is sometimes inaccurate. The technique is also relatively slow and labor intensive.
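The pre-shared-secret form of KBA described above, as an added example that is not part of the original text: answers to enrolled questions are normalized, stored only as salted hashes (so a leaked database does not directly expose the secrets that are also obtainable from public records), compared in constant time, and rate limited so that guessed answers cannot be tried indefinitely. The question keys, attempt limit and work factor are constructed assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

MAX_ATTEMPTS = 3          # assumed lockout threshold for failed KBA rounds
PBKDF2_ROUNDS = 100_000   # assumed work factor for the stored answer hashes


def normalize(answer: str) -> str:
    """Fold case, Unicode form and whitespace so 'Fluffy ' and 'fluffy'
    are treated as the same pre-shared answer."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


def enroll(questions_and_answers: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Return {question: (salt, hash)} for the answers a user pre-shares;
    the plaintext answers are never stored."""
    record = {}
    for question, answer in questions_and_answers.items():
        salt = os.urandom(16)
        record[question] = (salt, _digest(answer, salt))
    return record


class KbaVerifier:
    """Checks submitted answers against an enrolled record and locks the
    account after MAX_ATTEMPTS consecutive failed rounds."""

    def __init__(self, record: dict[str, tuple[bytes, bytes]]):
        self.record = record
        self.failures = 0

    def verify(self, answers: dict[str, str], required: int) -> bool:
        if self.failures >= MAX_ATTEMPTS:
            return False  # locked out; recovery must happen out of band
        correct = 0
        for question, (salt, stored) in self.record.items():
            given = answers.get(question, "")
            # constant-time comparison of the recomputed and stored hashes
            if hmac.compare_digest(_digest(given, salt), stored):
                correct += 1
        if correct >= required:
            self.failures = 0
            return True
        self.failures += 1
        return False
```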