By Jp Rowan | Posted on February 20, 2018
What was your first pet's name?
What street did you grow up on?
What is your mother's maiden name?
What city were you born in?
Intended as a convenient, last-ditch workaround for forgotten credentials, security questions that rely on factual data have the unintended consequence of creating an additional attack vector. Beyond the exposure that follows if the stored answers are compromised, the question forms themselves give an attacker a way in.
Despite the red flags raised by security experts (Krebs on Security has been banging this drum for almost a decade) and the National Institute of Standards and Technology removing knowledge-based authentication (KBA) as a recommended authentication step, online services continue to make it part of their validation processes. For example, USPS expanded its use of knowledge-based authentication in its "Informed Delivery" service - where scanned images of inbound mail are sent to postal customers - in late 2017. The IRS will again be requiring KBA for account creation this year.
The massive breach of Yahoo in 2016 compromised the data of more than 500 million of its users (and maybe a good deal more than that). This breach exposed not only the email addresses and hashed passwords of its users, but also their security questions and answers. A breach of this magnitude brings the fundamental limitations of this basic approach to knowledge-based authentication to the forefront: the same questions are frequently used from service to service, and a specific individual's answers to those questions do not change.
Although most consumers recognize the need to use a unique password for each online account, many provide the same factual responses to security questions. With each email address in the United States connected to 130 online accounts, on average, the risks associated with using the same responses to KBA security questions across multiple accounts are tremendous. Even if Company A maintains best practices by encrypting, hashing and securing the responses to KBA questions, there is a chance that Company B does not. If Company B is breached, Company A's data is at risk - unless additional security checks are in place.
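To make concrete what "hashing and securing the responses" at Company A buys, here is an added example (not Janrain's code and not from the original post) of storing a security-question answer the way a careful service would: the answer is normalized so trivial spelling variations still match, then hashed with a random per-record salt and a slow key-derivation function. The iteration count and record layout are assumptions chosen for illustration. The test below also shows the limit of this defense that the paragraph describes: two services storing the same answer produce unrelated digests, so a leaked digest from one cannot be matched against the other, but the plaintext answer itself still verifies anywhere the customer reused it.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Assumption: a work factor the service can afford per verification attempt.
# Production deployments would tune this (or use Argon2/bcrypt) to their hardware.
PBKDF2_ITERATIONS = 200_000


@dataclass(frozen=True)
class StoredAnswer:
    """What the database keeps: never the answer itself."""
    salt: bytes
    digest: bytes
    iterations: int


def normalize(answer: str) -> str:
    """Canonicalize so 'Fluffy ', 'fluffy' and 'FLUFFY' all match:
    trim, collapse internal whitespace, casefold."""
    return re.sub(r"\s+", " ", answer.strip()).casefold()


def store_answer(answer: str, *, iterations: int = PBKDF2_ITERATIONS) -> StoredAnswer:
    """Derive a salted, slow digest of the normalized answer for storage."""
    salt = secrets.token_bytes(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, iterations
    )
    return StoredAnswer(salt=salt, digest=digest, iterations=iterations)


def verify_answer(record: StoredAnswer, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate).encode("utf-8"), record.salt, record.iterations
    )
    return hmac.compare_digest(digest, record.digest)


if __name__ == "__main__":
    # Constructed sample: the same customer answers the same question at two services.
    company_a = store_answer("Fluffy")
    company_b = store_answer("Fluffy")
    print("normalized input verifies:", verify_answer(company_a, "  fluffy "))
    print("digests differ across services:", company_a.digest != company_b.digest)
```

Verification attempts on security questions should also be rate-limited and logged like password attempts; the hashing above only protects the stored copy, not a low-entropy answer against online guessing.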
A better route is to extend multi-factor authentication to users. Verifying a user's email or phone ensures that the user has access to their primary communication method - which should then be the default reset path for forgotten passwords. By deploying progressive registration - starting with a basic email & password combination and then gathering additional information as customers make repeat visits to your site or app - companies open up the opportunity to request a secondary communication channel for additional authentication.
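As an added example (not from the original post or from Janrain's product code), here is the reset path the paragraph recommends, implemented as a small service: a reset is only possible to a channel that was verified at registration, the service sends a high-entropy single-use token with a short lifetime, and only a hash of the token is kept so a database leak does not hand out usable reset links. The channel store, the 15-minute lifetime, the `send` callback and the injectable clock are all assumptions made so the example runs offline.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset link is good for 15 minutes


@dataclass
class ResetRequest:
    user_id: str
    expires_at: float
    used: bool = False


class ResetService:
    """Password reset that relies on a previously verified channel, never on KBA."""

    def __init__(
        self,
        verified_channels: Dict[str, str],
        send: Callable[[str, str], None],
        clock: Callable[[], float] = time.time,
    ) -> None:
        self._channels = verified_channels  # user_id -> verified email or phone
        self._send = send                   # delivers the raw token out of band
        self._clock = clock
        self._pending: Dict[bytes, ResetRequest] = {}  # keyed by token hash

    @staticmethod
    def _hash(raw_token: str) -> bytes:
        # Only this digest is stored; the raw token exists in the message alone.
        return hashlib.sha256(raw_token.encode("utf-8")).digest()

    def request_reset(self, user_id: str) -> bool:
        """Issue a token to the user's verified channel. Returns whether one was sent.
        The HTTP response to the caller should look identical either way, so this
        return value must not be surfaced in a way that reveals account existence."""
        channel = self._channels.get(user_id)
        if channel is None:
            return False  # no verified channel: no fallback to security questions
        raw = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[self._hash(raw)] = ResetRequest(
            user_id=user_id, expires_at=self._clock() + TOKEN_TTL_SECONDS
        )
        self._send(channel, raw)
        return True

    def redeem(self, raw_token: str) -> Optional[str]:
        """Return the user_id if the token is known, unused and unexpired; else None.
        Lookup by hash is fine here because the token is unguessable random data."""
        req = self._pending.get(self._hash(raw_token))
        if req is None or req.used or self._clock() > req.expires_at:
            return None
        req.used = True  # single use: a replayed link is rejected
        return req.user_id


if __name__ == "__main__":
    # Constructed sample: one user with a verified address, captured "sends".
    outbox = []
    svc = ResetService({"alice": "alice@example.test"}, send=lambda ch, tok: outbox.append((ch, tok)))
    svc.request_reset("alice")
    channel, token = outbox[0]
    print("delivered to", channel, "->", svc.redeem(token), "/ replay:", svc.redeem(token))
```

Once the secondary channel gathered through progressive registration is verified, the same service can require a token on both channels for high-risk actions, which is the multi-factor extension the paragraph describes.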
Our technical white paper, “Security and Usability: How New Authentication Methods Eliminate Old Trade-Offs,” explores the history of security and usability trade-offs and discusses the technologies that are helping companies finally close the gap between security and usability.