
Why multifactor authentication trumps knowledge-based authentication

February 16, 2014 by Robert Siciliano — speaker, IDTheftSecurity.com

First, what is knowledge-based authentication? KBA is an authentication method that asks the user to respond to at least one question whose correct answer only that user would know.

There are two types of KBA: 1) a question the user has pre-selected (i.e., static scheme); and 2) a question that's determined by data garnered from public records (i.e., dynamic scheme).

The idea is that if a question is answered correctly, the person's ID has been verified.

KBA flaws

Fraudsters can answer "secret" questions — even those the user might think it would be virtually impossible to answer.

How? Spear-phishing — gaining access to aggregated public data by tricking the aggregators' employees, getting into their accounts, and stealing the "keys" to the data.

Additionally, with all of our personal information floating around on social sites, it is becoming much easier to research anyone thoroughly enough to pass these questions.

Knowledge-based authentication is definitely flawed, and it is especially unreliable when it applies to people new to the U.S. or who are young, as they don't have much public data built up.

However, KBA is also the heavily preferred method for ID because it's so technically easy. This is why Obamacare will be using it for the new healthcare insurance exchanges.

Solutions

Authentication should be multifactor. A multidimensional security system might include:

  • consideration of customer history and behavior;
  • dual customer authorization via varying access devices;
  • transactions verified out-of-band;
  • debit blocks, positive pay and other methods that appropriately curtail an account's transactional use;
  • more refined controls over account activities, such as number of daily transactions, payment recipients, transaction value thresholds and allowable payment windows;
  • blockage of connection attempts to banking servers from suspicious IP addresses;
  • policies for addressing potentially compromised customer devices;
  • improved control over any changes made by customers to their accounts; and
  • better customer education that aims to increase awareness of security risks, and to teach customers how to mitigate risk.

A layered security program should include, at a minimum, the following:

  • detection of suspicious activity followed by a response — suspicious activity might be related to logins and verification of customers who want access to the bank's electronic system, and also to initiation of electronic transactions to transfer funds to third parties;
  • elimination of simple device ID as the primary control; and
  • elimination of basic "secret" questions as a primary control.
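The two lists above describe controls in prose; the following Python program is an added example (not code from the post, from any bank, or from any vendor) that shows how such signals combine into one layered decision. The profile fields, risk weights, thresholds, IP ranges and sample events are all constructed; documentation address ranges stand in for real "suspicious" networks. The point it makes concrete is the last two bullets: a recognised device ID and a correctly answered "secret" question are recorded but carry no weight on their own, while out-of-band confirmation is what lifts a risky event to ALLOW.

```python
"""Added example (not the post's, a bank's or a vendor's code): a small layered,
risk-based policy combining customer history, device recognition, transaction
limits, payment windows, suspicious-IP blocking, compromised-device flags and
out-of-band confirmation. All names, weights and sample data are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed "suspicious" source networks (documentation ranges, not real IoCs).
SUSPICIOUS_NETWORKS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]


@dataclass
class CustomerProfile:
    customer_id: str
    usual_countries: Set[str]        # customer history: where logins normally come from
    known_device_ids: Set[str]       # devices seen before (informative, never sufficient)
    allowed_recipients: Set[str]     # previously approved payment recipients
    daily_txn_limit: int             # refined control: max transactions per day
    value_threshold: float           # above this, a transfer needs out-of-band confirmation
    payment_window: Tuple[int, int]  # allowable payment hours (start, end), local time
    device_possibly_compromised: bool = False


@dataclass
class Event:
    customer_id: str
    source_ip: str
    country: str
    device_id: str
    hour: int
    txn_count_today: int = 0
    amount: float = 0.0              # 0 for a plain login
    recipient: Optional[str] = None
    oob_verified: bool = False       # confirmed over a separate channel
    kba_passed: bool = False         # "secret question" answered correctly


def is_suspicious_ip(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in SUSPICIOUS_NETWORKS)


def evaluate(profile: CustomerProfile, event: Event) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is ALLOW, STEP_UP or BLOCK."""
    # Hard stops first: these end the evaluation rather than adding risk points.
    if is_suspicious_ip(event.source_ip):
        return "BLOCK", ["connection attempt from suspicious IP range"]
    if profile.device_possibly_compromised:
        return "BLOCK", ["customer device flagged as possibly compromised"]
    if event.txn_count_today >= profile.daily_txn_limit:
        return "BLOCK", ["daily transaction limit reached"]

    reasons: List[str] = []
    score = 0

    def flag(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(why)

    if event.device_id not in profile.known_device_ids:
        flag(2, "unrecognised device")
    if event.country not in profile.usual_countries:
        flag(2, "login from unusual country")
    if event.amount > profile.value_threshold:
        flag(3, "amount above value threshold")
    if event.recipient is not None and event.recipient not in profile.allowed_recipients:
        flag(2, "payment to a new recipient")
    start, end = profile.payment_window
    if event.amount > 0 and not (start <= event.hour < end):
        flag(2, "payment outside allowed window")

    # Deliberately absent from the score: a recognised device ID and a correct
    # "secret" answer (event.kba_passed). Neither is a primary control here.
    if score == 0:
        return "ALLOW", reasons
    if score >= 6:
        return "BLOCK", reasons + ["combined risk too high; hold for review"]
    if event.oob_verified:
        return "ALLOW", reasons + ["confirmed out-of-band"]
    return "STEP_UP", reasons + ["require out-of-band confirmation"]


PROFILE = CustomerProfile(
    customer_id="c-1001", usual_countries={"US"}, known_device_ids={"dev-a1"},
    allowed_recipients={"utility-co", "landlord"}, daily_txn_limit=5,
    value_threshold=2000.0, payment_window=(7, 22),
)

# Constructed events; 192.0.2.0/24 is a documentation range used as the "home" IP.
SAMPLE_EVENTS = {
    "routine_payment":        Event("c-1001", "192.0.2.10", "US", "dev-a1", 10, 1, 150.0, "landlord"),
    "new_device_kba_ok":      Event("c-1001", "192.0.2.10", "US", "dev-zz", 10, 1, 150.0, "landlord", kba_passed=True),
    "large_oob_ok":           Event("c-1001", "192.0.2.10", "US", "dev-a1", 10, 1, 5000.0, "landlord", oob_verified=True),
    "suspicious_ip":          Event("c-1001", "198.51.100.7", "US", "dev-a1", 10, 1, 150.0, "landlord"),
    "night_abroad_new_payee": Event("c-1001", "192.0.2.10", "BR", "dev-zz", 3, 1, 150.0, "unknown-shop"),
}


def run_all() -> dict:
    """Decision per sample event (used by the self-check below)."""
    return {name: evaluate(PROFILE, ev)[0] for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        decision, why = evaluate(PROFILE, ev)
        print(f"{name:24s} {decision:8s} {'; '.join(why)}")
```

Running it shows the routine payment allowed, the new-device login held for step-up even though KBA passed, the large transfer allowed only because it was confirmed out-of-band, the suspicious-IP attempt blocked outright, and the night-time payment from an unusual country to an unknown recipient blocked because several anomalies stacked up.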

An alternative to KBA

There is a software-only biometric that authenticates a user's identity in a way that no imposter can mimic.

This software, created by Biometric Signature ID, employs the strongest form of ID confirmation available today, and it doesn't require additional hardware.

How does it work?

With a program such as BioSig-ID, the software measures how a person moves his or her mouse, finger or stylus while logging in using a password created within the program.

This SaaS-based software is now used in over 60 countries and was recently awarded a grant by the White House to use the solution to validate a user's identity before that user can access a digital asset.

Elements measured include stroke height, length, speed, direction, and angle. These define the user's unique pattern, which a fraudster cannot replicate. This type of positive ID can be made when the user logs in from any device.

In order to access the device, or the information on it (e.g., bank account, medical information, online college exam, etc.), the user must be authenticated against their original profile.

In seconds, and with only three or four characters, the software can establish whether the person who registered for the account is the same person now attempting to access it.

Robert Siciliano is a personal security and identity theft expert and a BioSig-ID advisory board member. He is the author of "99 Things You Wish You Knew Before Your Mobile Was Hacked!"
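To make the enrol-then-match idea above concrete, here is an added Python example; it is not BioSig-ID's code or algorithm, and nothing about the vendor's actual matching method is known from the post. It uses the five stroke features the post names, but the enrollment strokes, the per-feature z-score distance, the spread floor and the acceptance threshold are all constructed for illustration.

```python
"""Added example (not BioSig-ID's code or algorithm): a minimal model of how a
stroke-dynamics profile can be enrolled and then matched at login. Feature names
follow the post; the strokes, distance measure, spread floor and threshold are
constructed for illustration."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

FEATURES = ("height", "length", "speed", "direction", "angle")
Stroke = Dict[str, float]
Profile = Dict[str, Tuple[float, float]]  # feature -> (mean, spread)


def stroke(height, length, speed, direction, angle) -> Stroke:
    """Convenience constructor for one measured stroke."""
    return dict(zip(FEATURES, (height, length, speed, direction, angle)))


def enroll(samples: List[Stroke]) -> Profile:
    """Per-feature mean and spread over the enrollment strokes. The spread is
    floored at 5% of the mean (and at 0.01) so a very consistent enrollment does
    not turn every later stroke into a mismatch, and to avoid dividing by zero."""
    profile: Profile = {}
    for f in FEATURES:
        vals = [s[f] for s in samples]
        m = mean(vals)
        profile[f] = (m, max(pstdev(vals), 0.05 * abs(m), 0.01))
    return profile


def distance(profile: Profile, st: Stroke) -> float:
    """Mean absolute z-score of one stroke against the profile (0 = on the mean)."""
    return mean(abs(st[f] - m) / s for f, (m, s) in profile.items())


def verify(profile: Profile, attempt: List[Stroke], threshold: float = 1.5) -> Tuple[bool, float]:
    """Average the distance over the few characters drawn at login and accept
    only below the threshold. Lowering the threshold trades more false rejects
    of the real user for fewer false accepts of an impostor."""
    d = mean(distance(profile, st) for st in attempt)
    return d < threshold, round(d, 3)


# Constructed enrollment: five strokes of the same password character by one user.
ENROLLMENT = [
    stroke(40, 120, 300, 1.00, 30),
    stroke(42, 124, 310, 1.10, 32),
    stroke(38, 116, 290, 0.90, 28),
    stroke(41, 122, 305, 1.05, 31),
    stroke(39, 118, 295, 0.95, 29),
]
USER_PROFILE = enroll(ENROLLMENT)

# Constructed login attempts: the same user, and an impostor who reproduces the
# shape (height, length, direction) but draws faster and at a different angle.
GENUINE_ATTEMPT = [stroke(41, 121, 302, 1.02, 31), stroke(39, 119, 298, 0.98, 29), stroke(40, 123, 304, 1.00, 30)]
IMPOSTOR_ATTEMPT = [stroke(40, 120, 420, 1.00, 45), stroke(42, 122, 440, 1.10, 48), stroke(39, 119, 410, 0.90, 43)]

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT)):
        ok, d = verify(USER_PROFILE, attempt)
        print(f"{name}: distance={d} -> {'accept' if ok else 'reject'}")
```

The genuine attempt lands well under the threshold while the impostor's attempt lands far above it, even though its geometry matches the enrolled strokes: in this toy model the timing and angle features are what separate the two, which is why a profile of this kind is a statistical template with a tunable error trade-off rather than a secret that is either known or not.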





©2025 Networld Media Group, LLC. All rights reserved.