NIST Electronic Authentication Guideline (SP 800-63) does not permit Knowledge Based Authentication (KBA) as a viable “something you know” authentication factor (Instant KBA). But it also notes that "knowledge based authentication techniques are included as part of registration" which is sometimes confusing. The term KBA is overloaded, often misused, and needs to be clarified based on the usage context.
'Instant KBA' is a non-starter since it uses private but not secret information, and is not implemented as part of a discrete enrollment or registration process which could add compensating controls.
Verification is typically what people mean when they speak of using (dynamic) KBA for registration and/or identity proofing. You use out of wallet questions, often based on transaction details, to link a set of attributes to a particular person. You can also use out of band feedback mechanisms to mitigate threats to the linking process.
The presumption is that the set of attributes you are linking the person to is accurate and timely.
But is that always true?
Validation is about checking to see if the set of attributes exist, is accurate, and is timely by referencing the authoritative source of those attributes. It can also be set up to use multiple sources of information to mitigate registration threats and attacks.
If the check is not with authoritative source(s), the entity that is doing the checking is using acquired metadata about the authoritative data. So given sufficient motivation and means, other entities could get access to the same metadata.
So, let me discuss the realationship between an Identity Manager (IM) and an Authoritative Source and how that impacts validation and verification. The Identity Manager could be a vital records agency, a data broker, a credit bureau, a commercial provider etc.
|Identity Manager = Authoritative Source||Identity Manager ≠ Authoritative Source|
|Identity Assurance||Direct Assertion||Indirect Assertion|
If an RP is engaging the services of an Identity Manager that is NOT an Authoritative Source, I would recommend asking some detailed questions regarding the sources and methods the Identity Manager uses to ensure uniqueness as well as validate and verify the information the RP requires.
- Breaking Identity Proofing to Enable Online Services
- Does KBA and Public Sector Online Services Have a Future?
- The Venn of Identity Proofing and Identity Resolution Attributes
- HOW TO Choose Attributes to Uniquely Identify a Person
- IDMGOV INFO: FICAM TFS Component Identity Services Terminology
- NIST SP 800-63-2: Electronic Authentication Guideline (PDF)
Did you find this interesting? Don't miss any new posts. Sign up to automatically receive them now!
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.