Real. Strong. Authentication.

RealMe Web Authentication System Banner

Why Knowledge Based Authentication is not enough

(Stop asking me stupid questions!)

Background

In 2005, US federal banking regulators (the FFIEC guidance on authentication in an internet banking environment) directed banks to strengthen the security of their online banking logins. One of the main problems the guidance aimed to address is phishing, especially phishing run from across international borders. Banks have been losing money to internet scams, but they are far more sensitive to losing customers. Set the desire for customer retention against the need to limit the cost of any available solution and banks are left in a very tough spot.

In the years since, banks have largely settled on Knowledge Based Authentication (KBA) as their answer to stronger user authentication for online banking: it is cheap, easy to plumb into existing web applications and not a high hurdle for end users to adopt. However, there is trouble in paradise: KBA is not enough.

Why Knowledge Based Authentication is not enough

Fuzzy Answers

One of the most frustrating aspects of Knowledge Based Authentication is that answers must match exactly. Fuzzy answers are not accepted, and every rejected answer generates a call to customer service, which hurts both customer experience and total cost of ownership. Take a commonly posed question: “What was your first car?” One of my first cars was a white 1987 Honda Civic. If I enrolled the answer “87 Civic”, then “Honda civic”, “Civic” and “’87 Civic” are all wrong. This is problematic for many users.
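The following is an added example, not code from the original page or from GlobalCrypto. It checks a KBA answer two ways: the exact string compare the paragraph complains about, and a compare on a canonical form (case folded, punctuation and extra whitespace removed) that is salted and hashed before storage. The answers, the attempts and the storage format are constructed for illustration.

```python
"""
Added example, not code from the original page or from GlobalCrypto: a KBA
answer check done as an exact compare and as a compare on a canonical form.
All answers below are constructed for illustration.
"""
import hashlib
import hmac
import os
import re
import unicodedata

PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored answer hash


def canonicalize(answer):
    """Fold the spelling differences a user is least likely to remember:
    NFKC folds compatibility forms (full-width digits and the like), casefold
    removes case, and the regex drops punctuation such as the apostrophe in
    "'87" and collapses runs of whitespace to a single space."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(re.findall(r"[a-z0-9]+", folded))


def enroll(answer, salt=b""):
    """Store a salted hash of the canonical answer rather than the answer
    itself, so a database leak does not hand over every customer's answers."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", canonicalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(record, given):
    """Hash the canonical form of the given answer and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", canonicalize(given).encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def exact_match(stored, given):
    """The behaviour the text describes: any deviation at all is a failure."""
    return hmac.compare_digest(stored.encode(), given.encode())


def compare_schemes(stored, attempts):
    """For each attempt, report (accepted by exact match, accepted by canonical match)."""
    record = enroll(stored)
    return {a: (exact_match(stored, a), verify(record, a)) for a in attempts}


if __name__ == "__main__":
    for attempt, verdict in compare_schemes(
            "87 Civic", ["87 Civic", "’87 Civic", "87 civic", "Honda Civic", "Civic"]).items():
        print(f"{attempt!r:16} exact={verdict[0]!s:5} canonical={verdict[1]}")
```

Canonicalization rescues “’87 Civic” and “87 civic” but not “Honda Civic” or “Civic”: accepting those would require keeping answers in the clear and matching on partial token overlap, which also accepts more of an attacker's guesses. Looser matching trades a smaller effective answer space for fewer help-desk calls, so the usability problem described above is only partly solvable at the matching layer.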

Culturally insignificant questions

Questions frequently lack cultural significance, or are ambiguous. I was recently asked what my favorite pro sports team was and had to think for a while about which pro sports team I had even watched in the recent past. I toyed with the idea of answering “none” or “I hate pro sports”, but the prospect of remembering a fake answer to yet another question told me that a call to customer service was in the cards for me.

Closely related to culturally insignificant questions are ambiguous ones. An example is “What is your favorite type of food?” I have many favorite types of food, and they vary greatly from day to day: some days I love BBQ and other days I crave a good curry. I have no hope of remembering the answer to this type of question over the long term.

Question Reuse

Because many users have difficulty picking unambiguous questions, they tend to fall back on the same one or two questions at every website that offers them. A user who reuses the same few questions everywhere runs the risk of being phished once and compromised everywhere.

KBA questions are either personal (facts about the user) or arbitrary preferences, and best practice calls for a mix of the two. Personal questions require the user to disclose confidential information, and factual answers may be gleaned from public records, social networks and blogs. When only a limited number of acceptable questions exist for a given user, that user is easier to compromise to the extent that the answers are publicly available.

Man-in-the-middle attacks

Simple man-in-the-middle attacks against KBA are well documented, even when KBA is augmented by a secure cookie, as it is in SiteKey-style schemes. A man-in-the-middle attack puts the attacker between the user and the legitimate website. Everything the website displays, including the KBA questions, passes through the attacker to the user, and everything the user enters, including the KBA answers, passes through the attacker to the legitimate website. Because the attacker's site never presents the user's cookie, the legitimate site falls back to its questions, and at the end of the exchange the attacker holds the answers to the user's KBA questions.

Denial-of-Service attacks

One potentially disruptive aspect of KBA is the ease with which criminals can mount a Distributed Denial of Service attack (DDoS) against a large website. Widescale DDoS is possible simply by deliberately answering the questions wrongly for a wide variety of users, so that those customers are locked out or must call the bank to recover. A criminal bent on causing havoc at a bank can quickly swamp its call center, costing the bank a lot of money in a short period while simultaneously damaging its most important asset: customer confidence in the bank.
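The following is an added example, not code from the original page or from GlobalCrypto, and it serves both the man-in-the-middle section and the denial-of-service section above. It is a toy model of a SiteKey-style login (a cookie identifies an enrolled browser; anything else must answer a KBA question first), a phishing proxy that relays the question and answer between the victim and the bank, and a lockout storm that answers wrongly on purpose for a batch of accounts. The bank, the users, the questions, the answers and the lockout threshold are all constructed for illustration; real deployments differ in detail.

```python
"""
Added example, not code from the original page or from GlobalCrypto: a toy
SiteKey-style login, a relaying phishing proxy, and a lockout storm.
Every user, question, answer and the lockout threshold is constructed.
"""
import secrets

LOCKOUT_THRESHOLD = 3  # assumed policy: lock the account after three wrong answers


class Bank:
    """A cookie on the enrolled browser identifies a known device. A request
    without that cookie must answer a KBA question before the sitekey image
    (and then the password form) is shown."""

    def __init__(self):
        self.users = {}

    def enroll(self, username, image, qa):
        cookie = secrets.token_hex(8)  # would be set as the 'secure' cookie
        self.users[username] = {"image": image, "qa": dict(qa), "cookie": cookie,
                                "failures": 0, "locked": False}
        return cookie

    def begin_login(self, username, cookie=None):
        """Step 1: sitekey image for a known device, KBA challenge otherwise."""
        u = self.users[username]
        if u["locked"]:
            return ("locked", None)
        if cookie is not None and secrets.compare_digest(cookie, u["cookie"]):
            return ("image", u["image"])
        return ("question", next(iter(u["qa"])))

    def answer(self, username, question, answer):
        """Step 2: check the KBA answer; wrong answers count toward lockout."""
        u = self.users[username]
        if u["locked"]:
            return ("locked", None)
        if u["qa"].get(question) == answer:
            u["failures"] = 0
            return ("image", u["image"])
        u["failures"] += 1
        if u["failures"] >= LOCKOUT_THRESHOLD:
            u["locked"] = True  # the customer's next stop is the call center
            return ("locked", None)
        return ("wrong", None)


class Victim:
    """The customer's browser: it holds the real cookie but only sends it to
    the site it is actually talking to, and answers whatever it is asked."""

    def __init__(self, username, cookie, answers):
        self.username, self.cookie, self.answers = username, cookie, answers

    def answer_question(self, question):
        return self.answers[question]


class PhishingProxy:
    """Man-in-the-middle: a look-alike site that forwards each step to the
    bank. The bank never sees the victim's cookie, so it falls back to KBA,
    and the proxy sees both the question and the answer in transit."""

    def __init__(self, bank):
        self.bank, self.captured = bank, {}

    def serve(self, victim):
        # Proxy -> bank: the victim's username with no cookie (the proxy has none).
        kind, question = self.bank.begin_login(victim.username)
        if kind != "question":
            return (kind, None)
        # Proxy -> victim: the bank's own question, shown on the look-alike page.
        answer = victim.answer_question(question)
        self.captured[victim.username] = {question: answer}  # harvested for reuse
        # Proxy -> bank: the victim's answer; the proxy now passes the KBA step.
        return self.bank.answer(victim.username, question, answer)


def lockout_storm(bank, usernames, attempts=LOCKOUT_THRESHOLD):
    """Denial of service: answer wrongly on purpose for many accounts."""
    locked = []
    for name in usernames:
        kind, question = bank.begin_login(name)  # no cookie, so a question comes back
        if kind != "question":
            continue
        for _ in range(attempts):
            kind, _unused = bank.answer(name, question, "deliberately wrong")
        if kind == "locked":
            locked.append(name)
    return locked


def demo():
    bank = Bank()
    car_q = "What was your first car?"
    cookie = bank.enroll("alice", "sailboat.png", {car_q: "87 Civic"})
    alice = Victim("alice", cookie, {car_q: "87 Civic"})
    honest = bank.begin_login("alice", cookie)   # enrolled browser: image, no question
    proxy = PhishingProxy(bank)
    phished = proxy.serve(alice)                 # no cookie, yet the proxy gets through
    for name in ("bob", "carol", "dave"):
        bank.enroll(name, name + ".png", {"What is your pet's name?": "Rex"})
    locked = lockout_storm(bank, ["bob", "carol", "dave"])
    return honest, phished, proxy.captured, locked


if __name__ == "__main__":
    print(demo())
```

Note that the cookie check is not wrong as such; it simply does nothing against a relay, because the relay is the party the bank is talking to and it has no cookie to present. The lockout loop needs nothing but a list of usernames and the threshold, which is why the page counts this as a cheap attack.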

Scalability across multiple websites

KBA is becoming a victim of its own success. With mass adoption, users forget which questions and confirming images are used at each website. The problem is aggravated when the questions are user supplied, because then they differ from site to site.

Conclusion

KBA alone is not sufficient to replace username/password as the login mechanism for sensitive online transactions. In fact, the use of KBA may reduce the overall security of many online systems by making users feel safer when the opposite is true.
Websites with sensitive information often use KBA in combination with other, less intrusive methods such as heuristic fraud detection software and “secure” cookies placed on end-user machines. It is clear that KBA is not a cure, but simply a patch in a leaking dam of financial fraud.
Any new system for authenticating users to websites must be easy to use, simple to install and simple to operate, and must provide true bi-directional, multi-factor authentication that resists common phishing and more exotic attacks such as man-in-the-middle, DNS poisoning and man-in-the-browser attacks.

GlobalCrypto Contact information