This project is about creating a Knowledge Based Authentication Standard. The project is hosted here: OWASP KBA-PMP Project
An awesome team has been formed, and FOSS lawyers are very happy to cooperate in the legal part.
KNOWLEDGE BASED AUTHENTICATION (KBA)
1. INTRODUCTION TO KBA
Authentication is one of the most challenging areas of IT security. There are three main kinds of authentication:
(1) Something the user knows (passwords)
(2) Something the user has (security tokens, cards)
(3) Something the user is (biometric devices)
By the process of authentication, the application (a non-human) grants access to a human only if he can prove that he owns the account by presenting the required credentials. This is a technical procedure.
Authentication does not necessarily verify identity. On most websites anyone can open an account without being required to prove their legal identity.
On any website, someone who steals another user's credentials can get authenticated by the application (a non-human).
1.1. What is KBA?
“Knowledge Based Authentication (commonly referred to as KBA), is a method of authentication which seeks to prove the identity of someone accessing a service, such as a Website…” (Wikipedia).
KBA is an identity-oriented methodology: it goes further than authentication because it is used to prove the legal identity of a user in the physical world. Passwords are purely authentication-oriented methods.
KBA is based on secret questions whose answers the user is supposed to know. It is used by banks, health services, tax agencies, social networks, webmail providers, and so on.
1.2. Kinds of KBA
KBA is classified into Static and Dynamic.
Static KBA.- In static KBA, the user answers some default questions such as: What is your mom’s name?, or Where did you spend your honeymoon? The answers to these “secret questions” are used by the application in order to prove the user’s identity. Static KBA was very popular in previous years, and is still used by many applications as another layer of a multi-factor authentication policy. Sometimes it is used as the only method to prove identity.
Drawbacks of static KBA.- In today’s world, the answers to most of those default identity questions can easily be found using search engines, social networks, public records, or social engineering techniques.
Dynamic KBA.- In dynamic KBA, the application already holds relevant information and personal data about the user. This information might come from public records, social networks, credit records, health records, and so on. More advanced features include questions about elements taken from photographs or videos, such as the colour of your clothes in your scanned ID (some vendors call these features Enhanced Dynamic KBA).
Dynamic KBA’s popularity is increasing, and many challenges and drawbacks are appearing along with it. The mechanism of dynamic KBA is as follows:
– A software solution collects information about the user.
– The software decides whether there are enough elements to prove the user’s identity (a score).
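The two mechanisms described above, stored secret answers (static KBA) and a weighted score compared against a threshold (dynamic KBA), as a small added Python example. This is illustration code written for this page, not code from the OWASP KBA-PMP project; the question set, weights, threshold, attempt limit and PBKDF2 iteration count are constructed values chosen for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass, field

# Slow, salted hash so that a leaked answer store still resists offline guessing.
# The iteration count is a constructed value for this example; tune it for production.
PBKDF2_ITERATIONS = 100_000


def normalize(answer: str) -> str:
    """Canonicalise an answer so 'Paris ', 'paris' and 'PARIS' compare equal.

    Folding case, whitespace and accents makes the check forgiving of the way
    people actually recall and type an answer, without changing the secret itself.
    """
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(stripped.casefold().split())


@dataclass
class StoredAnswer:
    salt: bytes
    digest: bytes


def store_answer(answer: str) -> StoredAnswer:
    """Enrolment: keep a salted PBKDF2 digest of the normalised answer, never the text."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return StoredAnswer(salt, digest)


def check_answer(stored: StoredAnswer, candidate: str) -> bool:
    """Recompute the digest for a candidate answer and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode("utf-8"),
                                 stored.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, stored.digest)


@dataclass
class Question:
    text: str
    weight: int            # contribution to the score when answered correctly
    stored: StoredAnswer


@dataclass
class KbaProfile:
    threshold: int                     # minimum score needed to be accepted
    max_attempts: int = 3              # lock after this many failed challenges
    questions: list[Question] = field(default_factory=list)
    failed_attempts: int = 0

    def enroll(self, text: str, weight: int, answer: str) -> None:
        self.questions.append(Question(text, weight, store_answer(answer)))

    def is_locked(self) -> bool:
        return self.failed_attempts >= self.max_attempts


def verify(profile: KbaProfile, answers: dict[str, str]) -> tuple[bool, int]:
    """Score a challenge response and return (accepted, score).

    Wrong or unanswered questions contribute nothing; the decision is made on the
    aggregate score, so a user who forgets one low-weight detail can still pass.
    A locked profile is rejected without scoring, so the questions cannot be
    probed one at a time. A production caller should expose only the boolean;
    the score is returned here so the example can be inspected.
    """
    if profile.is_locked():
        return False, 0
    score = sum(q.weight for q in profile.questions
                if q.text in answers and check_answer(q.stored, answers[q.text]))
    accepted = score >= profile.threshold
    if accepted:
        profile.failed_attempts = 0
    else:
        profile.failed_attempts += 1
    return accepted, score


def build_sample_profile() -> KbaProfile:
    """Constructed enrolment data for the demonstration; not real records."""
    profile = KbaProfile(threshold=5)
    profile.enroll("Where did you spend your honeymoon?", 2, "Paris")
    profile.enroll("Street name of your first address?", 3, "Calle Mayor")
    profile.enroll("Colour of the car in your scanned ID photo?", 2, "red")
    profile.enroll("What is your mother's name?", 1, "María")
    return profile


if __name__ == "__main__":
    sample = build_sample_profile()
    print(verify(sample, {"Where did you spend your honeymoon?": "  PARIS",
                          "Street name of your first address?": "calle mayor"}))
```

The weights model the dynamic-KBA idea that not every fact is equally strong evidence of identity, and the threshold is where the operator trades the risk of accepting an impostor against the risk of locking out a forgetful legitimate user; the attempt limit keeps the aggregate decision from being taken apart into per-question guesses.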
1.3. Challenges of dynamic KBA
– It is bound to certain jurisdictions. Some KBA vendors can only obtain data from a specific jurisdiction. For example, a product which collects data only from US sources would not be suitable for a business based in Europe.
– Most humans don’t have a good memory. Most people would not remember the answers to some questions about their past, so the program could deny access to legitimate users.
– The user cannot choose. If the user doesn’t choose their own questions, there is a risk that the program asks questions that are supposed to be difficult to guess but are in fact well known. For example, if the KBA software asks the user about his job in 1988, the answer could be easy to guess just by reading his biography on LinkedIn.
– Data protection issues.- Some jurisdictions have strong data protection laws and forbid transfers of personal data in some cases, such as transfers without the user’s consent, or transfers to countries offering low levels of protection.
– Sources of information and privacy.- KBA providers should determine, from a legal standpoint, the border line between public and private information.