One of the biggest misconceptions we are constantly addressing is the confusion between shared secret questions and dynamic knowledge-based authentication (KBA) questions. And this week’s IEEE Symposium on Security and Privacy isn’t helping to clear up the confusion, since Microsoft and Carnegie Mellon University are presenting research showing that the secret questions used to secure the password-reset functions of a variety of websites aren’t safe.
I’ve long preached the dangers of shared secret questions and how easy it is to guess the answers. The problem is that, as consumers, we usually pick questions whose answers are easy to remember. As it turns out, we tend to forget those answers anyway, according to this article about the study:
> The study found that secret questions fall short on both accounts. Even for the most memorable questions – Yahoo’s, as it turned out – the participants forgot 16 percent of the answers within three to six months. Overall, one out of every five people forgot all of the answers to their secret questions, the researchers found.
Just the other day I was discussing the psychology of shared questions with a colleague, and how difficult it is to remember the precise way I may have answered a question. The real problem is that most of the answers to shared questions can be guessed – especially with the growth of Facebook and other social networks. On social networks we share more and more personal information about ourselves with our friends without really realizing that this information can easily be used against us by a fake “friend” to hijack any number of our accounts, including bank accounts, email and even our social network profiles!
But while I agree that shared questions aren’t really safe, dynamic KBA solutions do work – and are working – to stop fraud and identity theft. What’s the difference, you ask? Dynamic KBA solutions also present questions for you to answer to verify that you are who you say you are, but the difference is that you never picked the question or provided the answer. These questions are generated dynamically, in real time, from your personal history, and they cover more specific details such as the places you’ve lived, the people you know or the cars you’ve owned. The best thing is that they are easy for you to remember but difficult for anyone else to guess.
Of course, the real solution is to eliminate passwords altogether, which is what Information Cards are all about; but given that this is still in early adoption, I’ll simply refer you to the Information Card Foundation to learn more.
And just in case you are still confused about dynamic KBA questions, I’ll refer you to this whitepaper, which addresses 10 of the most common misconceptions associated with identity proofing and KBA.