Anil John
Making Digital Services Secure and Trustworthy

Anil John

Identity Assurance and Knowledge Based Authentication

 Share  Print  Email

NIST Electronic Authentication Guideline (SP 800-63) does not permit Knowledge Based Authentication (KBA) as a viable “something you know” authentication factor (Instant KBA). But it also notes that “knowledge based authentication techniques are included as part of registration” which is sometimes confusing. The term KBA is overloaded, often misused, and needs to be clarified based on the usage context.

‘Instant KBA’ is a non-starter since it uses private but not secret information, and is not implemented as part of a discrete enrollment or registration process which could add compensating controls.

Verification is typically what people mean when they speak of using (dynamic) KBA for registration and/or identity proofing. You use out of wallet questions, often based on transaction details, to link a set of attributes to a particular person. You can also use out of band feedback mechanisms to mitigate threats to the linking process.

The presumption is that the set of attributes you are linking the person to is accurate and timely.

But is that always true?

Validation is about checking to see if the set of attributes exist, is accurate, and is timely by referencing the authoritative source of those attributes. It can also be set up to use multiple sources of information to mitigate registration threats and attacks.

If the check is not with authoritative source(s), the entity that is doing the checking is using acquired metadata about the authoritative data. So given sufficient motivation and means, other entities could get access to the same metadata.

So, let me discuss the realationship between an Identity Manager (IM) and an Authoritative Source and how that impacts validation and verification. The Identity Manager could be a vital records agency, a data broker, a credit bureau, a commercial provider etc.

<div class=“table-responsive”>

Identity Manager = Authoritative SourceIdentity Manager ≠ Authoritative Source
Resolution
  • Able to ensure Uniqueness of a person within IM context
  • Able to ensure Uniqueness of a person within IM context
Validation
  • Able to Validate data it is authoritative for
  • Able to Validate data if IM can use an authoritative source; concerns regarding timeliness of data given that IM is downstream from authoritative source OR;
  • Unable to Validate data if IM cannot use an authoritative source; IM is consuming and corroborating the transaction exhaust of data residing in the authoritative source to infer actual record information
Verification
  • Able to do Verification to link the person to a data record using what can be referred to as “knowledge based authentication techniques” such as out-of-wallet questions
  • Able to do Verification to link the person to a data record using what can be referred to as “knowledge based authentication techniques” such as out-of-wallet questions
Identity Assurance Direct Assertion Indirect Assertion

</div>

If an RP is engaging the services of an Identity Manager that is NOT an Authoritative Source, I would recommend asking some detailed questions regarding the sources and methods the Identity Manager uses to ensure uniqueness as well as validate and verify the information the RP requires.

RELATED INFO



This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.

Topic(s):
By on |

Continue The Conversation ...

I would love to know your thoughts on this blog post.
Meet me over on Mastodon to join the conversation!

I am a public interest technologist. I help organizations and leaders make digital services secure and trustworthy.
Learn more »