Knowledge Based Authentication (KBA) and its use by Public Sector online services have to date been a marriage of convenience. The recent breaches of private sector data brokers introduce concerns and questions about the continuing effectiveness of this data source for public sector identity proofing and compensating controls.
Brian Krebs, in an excellent investigative report, gives details regarding the recent data breach of data brokers. It is fascinating reading and highly recommended for folks who work in identity assurance.
When it comes to KBA, it is worthwhile to look at how it is addressed in the two sets of authentication guidance issued and used by the U.S. Federal Government: the NIST Electronic Authentication Guideline (PDF) and the Federal Financial Institutions Examination Council (FFIEC) authentication guidance (PDF).
Per NIST Electronic Authentication Guideline (SP 800-63-2):
Knowledge based authentication achieves authentication by testing the personal knowledge of the individual against information obtained from public databases. As this information is considered private but not actually secret, confidence in the identity of an individual can be hard to achieve. In addition, the complexity and interdependencies of knowledge based authentication systems are difficult to quantify. However, knowledge based authentication techniques are included as part of registration in this document.
(NIST SP 800-63-2: Electronic Authentication Guideline)
NIST is, at best, ambivalent about the use of public databases for remote identity proofing and does not permit information from them to be used as authenticators. The thing to keep in mind is that an 800-63-2 style process encourages "Big Up Front" identity proofing, token issuance and credentialing. The validity period of the resulting credential varies and can range anywhere from 1 year to much longer.
Combining the possibility of fraudulent access to the data needed to pass that initial remote identity proofing for LOA 2 and LOA 3 with the absence of any ongoing or continuous re-proofing is a serious concern, especially for high value public sector transactions such as benefits delivery.
Per FFIEC authentication guidance:
Challenge questions [...] are commonly referred to as "out of wallet" questions, that do not rely on information that is often publicly available. They are much more difficult for an impostor to answer correctly. Sophisticated challenge question systems usually require that the customer correctly answer more than one question and often include a "red herring" question that is designed to trick the fraudster, but which the legitimate customer will recognize as nonsensical. [...] Although no challenge question method can mitigate all threats, the Agencies believe the use of sophisticated questions as described above can be an effective component of a layered security program.
(FFIEC - Supplement to Authentication in an Internet Banking Environment, 2011)
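The scoring rule the FFIEC passage describes (more than one question must be answered correctly, and the red herring must be recognized as nonsensical rather than answered) as an added Python illustration; this is not code from this post or from the FFIEC supplement, and the question wording, choices and pass threshold are constructed assumptions:

```python
# Added example (not from the post or the FFIEC supplement): a toy scorer for the
# "sophisticated challenge question" session the FFIEC text describes. Question
# wording, choices and the threshold required_correct are constructed assumptions.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# What a legitimate customer is expected to pick on a red herring question,
# which asks about an account or event that never existed for them.
NONE_APPLY = "none of these apply to me"

@dataclass(frozen=True)
class Question:
    prompt: str
    choices: Tuple[str, ...]
    answer: Optional[str]  # None marks a red herring: no choice is true

@dataclass(frozen=True)
class Outcome:
    passed: bool
    correct: int                 # real (non red herring) questions answered correctly
    red_herring_triggered: bool  # fraud signal worth logging even though the session fails

def evaluate(questions: Sequence[Question], responses: Sequence[str],
             required_correct: int) -> Outcome:
    """Pass needs at least required_correct real questions right AND every red
    herring rejected; a plausible pick on a red herring counts as fraud evidence,
    not merely as a wrong answer."""
    if len(responses) != len(questions):
        raise ValueError("exactly one response per question is expected")
    real = sum(1 for q in questions if q.answer is not None)
    if not 1 <= required_correct <= real:
        raise ValueError("required_correct must be between 1 and the number of real questions")
    correct, triggered = 0, False
    for q, r in zip(questions, responses):
        if q.answer is None:
            triggered = triggered or (r != NONE_APPLY)
        elif r == q.answer:
            correct += 1
    return Outcome(correct >= required_correct and not triggered, correct, triggered)

# Constructed sample session: two real "out of wallet" questions plus one red herring.
SESSION = (
    Question("Which street did you live on in 2009?", ("Elm St", "Oak Ave", "Pine Rd", NONE_APPLY), "Oak Ave"),
    Question("Which lender held your first auto loan?", ("Bank A", "Credit Union B", "Lender C", NONE_APPLY), "Credit Union B"),
    # Red herring: the customer never registered a boat, so no county is correct.
    Question("Which county issued your 2012 boat registration?", ("Clark", "Madison", "Lincoln", NONE_APPLY), None),
)
```

A customer who picks NONE_APPLY on the boat question and gets both real questions right passes; someone answering from a stolen dossier who picks a plausible county fails and raises the red-herring flag even with both real answers correct.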
The FFIEC guidance is issued by Government regulators to financial institutions. As these institutions started offering more and more online services, they have used the flexibility in the language above to use the services of data brokers to meet the "Know Your Customer" regulations for remote identity proofing.
This should not matter to public sector services but unfortunately it does. Due to the often complex and sometimes byzantine nature of the laws, regulations, policies, rules and process overhead that govern the sharing of information between agencies regarding identity verification of citizens, it is simply easier for agencies to contract with and utilize the same identity proofing services used by the financial institutions. This marriage of convenience is now affected by these data breaches.
Are there alternatives? Yes, but they are neither easy nor plug and play. I believe there is a role for the public sector in identity establishment, but that will take a clear focus on results, the ability to work across agency boundaries and political will. At the same time, given the existing deep relationships public sector agencies have with citizens, compensating controls based on private transactional behavior and data may be an option as well. Again, not a plug and play solution, but one that comes with its own challenges.
In either case, this is a real problem with real consequences that needs to be discussed and addressed.
- Brian Krebs: Data Broker Giants Hacked by ID Theft Service
- Identity Establishment and the Role of the Public Sector
- FFIEC and NIST Authentication Guidance. Does a Token Venn Diagram Exist?
- NIST SP 800-63-2: Electronic Authentication Guideline (PDF)
- FFIEC - Supplement to Authentication in an Internet Banking Environment (PDF)
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.