With cyber security taking off in recent years, proper authentication is a must. Constant innovation and development has led to some of the most intriguing and effective methods of securely accessing personal data and information to date. One of the most recent innovations to hit the web is Grid Authentication, a newer form of Knowledge Based Authentication that requires a more interactive authentication process from the end user. The development of Grid authentication shows an increase in dedication and creativity in securing the information that matters most, in an age where anyone could be a potential attacker. The Grid also shows us just what ‘knowledge’ can mean in knowledge based authentication.
Okay…but what is Knowledge Based Authentication?
Knowledge Based Authentication (KBA) is a method of authentication that relies on user-specific knowledge to prove the identity of an end user and grant access to secure information on the web. This method typically requires the end user to answer a set of challenge questions in order to tie the login to his or her account. For knowledge based authentication there is significant weight placed on requesting the ‘right’ knowledge from the end user, information that only he or she could possibly know, in order to validate their identity (more on this in a moment).
There are three different types of KBA that are commonly used:
Static KBA – Shared Secrets
The modern classic. This solution provides a drop down menu with a series of preselected questions to choose from. The user then answers the chosen question correctly in order to gain access to his or her account.
Dynamic KBA
This solution asks the end user questions based on information that can be found in Active Directory. This removes end user choice from the equation, and is more secure if AD holds a wide variety of identity-centric information. Questions are generated in real time during the login request.
Custom KBA
A KBA solution that allows you to write your own questions and answers, or otherwise rely on end user specific knowledge to validate login requests to the server.
Both static and custom knowledge based authentication methods rely heavily on two key factors: the admin requesting the right information from the end user, and the end user providing accurate and secure responses. Most security questions fail the test of time and security due to a lack of forethought, and because the answers can be researched through social networks or other related means (for more information on creating strong security questions, check out our article “Security Questions are not Secure”).
Because of the potential damage of choosing or creating weak security questions, some users opt for dynamic knowledge based authentication. Dynamic KBA creates questions upon request, based on AD information, while also enforcing a time limit on the answer. These measures make the questions more difficult to guess – but no security is truly perfect, and knowledge based authentication has come quite a long way.
The Grid – True Knowledge Based Authentication?
The Grid combines Knowledge Based Authentication with two factor authentication by creating a One Time Password (OTP) for the user to use when authenticating. Grid authentication works by requiring the end user to configure certain cells of a grid to be used as the Grid Password. At login the end user is asked to enter his or her username and password, and then to read off the values in the cells that have been configured as his or her specific Grid Password.
The values of the cells on the Grid change with every login, generating a new and unique code based purely on the knowledge of the end user – their chosen pattern. No longer does the user have to remember answers to security questions, answers that may change or be forgotten in time, or worry about being researched by an attacker beforehand. The knowledge is privately locked away in the user's mind and much simpler to recall than a complex password.
Any type of Knowledge Based Authentication that uses a secret that cannot be found on the web, or discovered by a dictionary attack, will be much more effective at securing the end user during authentication.
It is also important to implement secure password policies that work for your organization. Doing so keeps the base passwords strong to begin with, while providing an additional level of security overall. If you are able to track failed login attempts and lock users out after a certain number of failures, you will be able to provide a much more secure environment for your protected personal information.
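To make the Grid mechanism and the lockout policy concrete, here is an added example of the server-side steps, written for this article and not taken from any vendor's Grid product. It assumes a 5x5 grid of random digits issued per login, a user record that stores the ordered cell pattern (the "Grid Password") and a failed-attempt counter, and a lockout threshold of five; all of those are constructed for the example. The grid is consumed after one verification, so a captured code cannot be replayed, and the comparison is constant-time.

```python
import hmac
import secrets
import string
from dataclasses import dataclass, field

# Constructed parameters for this example: a 5x5 grid of single digits,
# and a lockout after five consecutive failed Grid codes.
ROWS, COLS = 5, 5
MAX_FAILED = 5


@dataclass
class GridUser:
    """Hypothetical server-side record for one enrolled user."""
    username: str
    pattern: tuple                      # ordered (row, col) cells chosen at enrolment
    failed_attempts: int = 0
    locked: bool = False
    pending_grid: list = field(default_factory=list)  # grid issued for the current login


def issue_grid(user):
    """Generate a fresh random grid for this login and remember it server-side.

    The grid is what gets shown to the user after the username/password step;
    the user reads the digits in their pattern cells, in order, as the OTP.
    """
    user.pending_grid = [[secrets.choice(string.digits) for _ in range(COLS)]
                         for _ in range(ROWS)]
    return user.pending_grid


def expected_code(grid, pattern):
    """The one-time code the user should submit: digits at the pattern cells, in order."""
    return "".join(grid[r][c] for r, c in pattern)


def verify_grid_code(user, submitted):
    """Check a submitted Grid code, consuming the pending grid and applying lockout."""
    if user.locked or not user.pending_grid:
        return False                    # no valid grid outstanding (or account locked)
    expected = expected_code(user.pending_grid, user.pattern)
    user.pending_grid = []              # single use: the grid is spent win or lose
    if hmac.compare_digest(expected.encode(), submitted.encode()):
        user.failed_attempts = 0
        return True
    user.failed_attempts += 1
    if user.failed_attempts >= MAX_FAILED:
        user.locked = True              # requires an administrator to unlock
    return False


if __name__ == "__main__":
    alice = GridUser("alice", pattern=((0, 0), (1, 2), (2, 4), (3, 1)))
    grid = issue_grid(alice)
    for row in grid:
        print(" ".join(row))
    print("expected code:", expected_code(grid, alice.pattern))
```

Because a new grid is generated for every login and discarded after one check, an attacker who shoulder-surfs one code learns nothing reusable; what they would need is the pattern, which is never transmitted.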
How can I utilize KBA as a strong form of password security?
Knowledge Based Authentication in the form of challenge questions can be useful for increasing login security, but only if it is implemented correctly. As the administrator or the end user, there are many different options for creating an adequate and properly implemented KBA solution. Knowledge is a relative term and should be very focused and specific to the user in question. Multiple security questions, strong authentication policies and flexibility are all aspects that go into creating a strong, secure and convenient login experience.
I personally believe that the strongest form of KBA is one which allows you to write your own challenge questions. One example of a strong, custom security question that is not easily researched or guessed would be a multi-segmented question such as:
- Question: Date you took home your first dog – breed of dog – shelter where dog was adopted?
- Answer: (12/25/2012 – Labrador Mix – Manchester Animal Shelter)
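A multi-segment answer like the one above should never be stored in plain text, and it should tolerate harmless variation (capitalisation, spacing, date format) so the real user is not locked out of their own account. The following added example, written for this article rather than taken from any product, enrols and verifies such an answer: each segment is normalised, the date segment is canonicalised from a few assumed input formats, and the result is stored as a salted PBKDF2 hash compared in constant time. The three-segment layout (date, breed, shelter) and the accepted date formats are assumptions for the example.

```python
import hashlib
import hmac
import re
import secrets
from datetime import datetime

# Assumed date formats accepted for the first segment of the answer.
DATE_FORMATS = ("%m/%d/%Y", "%Y-%m-%d", "%d.%m.%Y")
# Separator between segments; normalisation below cannot produce it, so
# "a b" + "c" can never collide with "a" + "b c".
SEP = "\x1f"


def normalize_segment(segment):
    """Case-fold, turn punctuation into spaces and collapse whitespace."""
    s = segment.strip().casefold()
    s = re.sub(r"[^\w\s]", " ", s)
    return " ".join(s.split())


def normalize_date(segment):
    """Canonicalise a date segment to YYYY-MM-DD; fall back to text normalisation."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(segment.strip(), fmt).strftime("%Y-%m-%d")
        except ValueError:
            continue
    return normalize_segment(segment)


def canonical_answer(segments):
    """segments = (date, breed, shelter) as typed by the user."""
    date, *rest = segments
    return SEP.join([normalize_date(date)] + [normalize_segment(s) for s in rest])


def enroll_answer(segments, iterations=200_000):
    """Store a salted PBKDF2-HMAC-SHA256 digest of the canonical answer."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical_answer(segments).encode(),
                                 salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_answer(record, segments):
    """Re-derive the digest from the submitted segments and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", canonical_answer(segments).encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    # Constructed sample using the article's example answer.
    rec = enroll_answer(("12/25/2012", "Labrador Mix", "Manchester Animal Shelter"))
    print(verify_answer(rec, ("2012-12-25", " labrador-mix ", "MANCHESTER animal shelter")))
```

The normalisation is deliberately loose on form and strict on content: a different shelter or breed still fails, while a different date notation or stray hyphen does not. Treat the stored record like a password hash, and rate-limit or lock out after repeated wrong answers just as you would for the password itself.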
Whether you’d like to come up with a stealthy Grid Pattern of your own, or stump hackers with your custom knowledge based authentication challenge questions, it all boils down to what your account information means to you. If your information and data security is important to you, knowledge based authentication has options to help increase your security without decreasing usability.