Even when you tell apps and sites to \u201cremember me,\u201d modern life involves lots of logging in. When you enter your username and password you\u2019re validating that you are who you say you are, a process known as \u201cauthentication.\u201d <\/p>\n\n\n\n
Passwords, as we unfortunately know, are often easy to guess or break and are often stolen in data breaches. So sensitive sites often require a second form of authentication, such as security questions. That\u2019s called knowledge-based authentication, because it relies on something that you \u2014 and ideally, only you \u2014 know. It\u2019s a widely used security measure, but it isn\u2019t always especially secure. <\/p>\n\n\n\n
There are three basic approaches to authentication<\/a>, which are usually summed up as \u201csomething you have,\u201d \u201csomething you are\u201d and \u201csomething you know.\u201d\u00a0 The first describes physical objects that can serve as an authentication key, and this category includes things like physical dongles and swipe cards, or your phone.\u00a0 The second describes biometric authentication, which reads a fingerprint or a palmprint, or perhaps uses facial recognition, to establish your identity.\u00a0<\/p>\n\n\n\n The third, \u201csomething you know,\u201d is \u2014 logically enough \u2014 the basis of knowledge-based authentication, or KBA. The goal is to establish your identity by asking something that only you would know, as a backup to your existing password. <\/p>\n\n\n\n There\u2019s always a catch, of course, and in this case it\u2019s settling on things that only you would know. The most common version of KBA is the predictable set of well-known security questions you\u2019ll find on a lot of sites. They\u2019ll typically include things like your mother\u2019s maiden name, the name of your first pet, or the first school you attended. Unfortunately those questions \u2014 precisely because they\u2019re so predictable \u2014 aren\u2019t very useful for securing your account. <\/p>\n\n\n\n Don\u2019t panic yet, though, because there\u2019s more than one approach to knowledge-based authentication<\/a>.\u00a0 Those traditional security questions are referred to as \u201cstatic\u201d KBA, because they lean on pieces of information that are unchanging.\u00a0 They\u2019re easily researched, and where they can\u2019t be researched they can often be uncovered through a phishing email<\/a>, a scam call<\/a> or a bit of online chit chat with a catfishing scammer<\/a>.\u00a0<\/p>\n\n\n\n Companies needing a better form of authentication use what\u2019s called \u201cdynamic\u201d KBA. That means the questions and answers aren\u2019t settled in advance. Instead, when you need to authenticate your account, the company\u2019s system will choose information drawn from its own records or things like your credit report. For example, you might be asked what was the biggest or most recent charge on your credit card in the past week, or which of three addresses you\u2019d lived in during a specific year. <\/p>\n\n\n\n Enhanced dynamic KBA takes that a step further, by relying on proprietary data that outsiders (theoretically) have no access to. Instead of generating a question from your credit report, for example, a retailer might ask you for details from a previous purchase. The most advanced form doesn\u2019t rely on questions at all, but tracks your normal behavior and flags variations from that behavior. <\/p>\n\n\n\n Dynamic KBA isn\u2019t perfect \u2014 it\u2019s possible for hackers to steal proprietary information, for example \u2014 but it\u2019s substantially more secure, and more difficult to get around, than static KBA. <\/p>\n\n\n\n Let\u2019s start by saying firmly that any<\/em> form of secondary authentication is better than none at all.\u00a0 At the time of writing, breach-tracking site Have I Been Pwned?<\/a> counted well over 12 billion compromised accounts, many of which included full username and password combinations (it\u2019s worth checking to see if you\u2019ve been personally compromised in any of them).\u00a0 Those details can be purchased for pennies on the black market, so without some form of secondary authentication scammers can simply write a bot that tries your credentials on tens of thousands of sites (or apps) every hour until it finds one it can exploit.\u00a0 This is called \u201ccredential stuffing<\/a>,\u201d and it\u2019s used a lot.\u00a0<\/p>\n\n\n\n Dynamic KBA is significantly more secure than static, but unfortunately you don\u2019t get to choose what authentication options are provided by a given company\u2019s site or app. You can lobby for better authentication options, and you can certainly \u201cvote with your feet\u201d by choosing to deal instead with companies that provide more secure authentication, but that\u2019s not always a good option. <\/p>\n\n\n\n If you\u2019re stuck with static KBA and the usual, predictable handful of security questions, there are still a few things you can do to make yourself more secure. You could choose whichever question is known to the fewest others, or is the hardest to research, for example. A more useful option is simply to \u2026 lie. Seriously, nobody\u2019s policing this. Instead of your mother\u2019s maiden name, use the name of a favorite fictional character. Invent a dog, or a school. Just make sure you record your answers somewhere (if you\u2019re using a password manager, that\u2019s a good choice) and that your next of kin know where to find the answers in a worst-case scenario. <\/p>\n\n\n\n The good news is that knowledge-based authentication is not usually your only option. Most sites and apps will send you a code via text, email or push notification that can serve as your second form of authentication. This isn\u2019t foolproof, but it\u2019s not as easy to defeat as basic, static KBA questions. <\/p>\n\n\n\n Better options include authentication apps like Authy or Google Authenticator, physical keys and dongles or a \u201ctoken\u201d system that turns your phone itself into a physical security key. Biometric authentication, using your device\u2019s fingerprint reader or facial recognition, is also much more secure. <\/p>\n\n\n\n No one site or app supports all forms of authentication, so use the most secure option that\u2019s available to you (and that you\u2019re comfortable with) on a case-by-case basis. Generally that\u2019s a physical key or biometric authentication, but authenticator apps are also pretty secure. If you make the best possible authentication option a regular part of your online routine, along with other core precautions like strong passwords and a skeptical attitude toward links in your emails and texts, you\u2019ll keep your risk of hacking or identity theft to their bare minimum. <\/p>\n\n\n\n Sources:<\/strong><\/p>\n\n\n\n Skilsoft Global Knowledge – The Three Types of Multi Factor Authentication (MFA)<\/a><\/p>\n\n\n\n The Guardian – Facebook Data Leak: Data From 533 Million Users Found on Website for Hackers<\/a>\u00a0<\/p>\n\n\n\n Techopedia – What is Knowledge Based Authentication?\u00a0<\/a><\/p>\n\n\n\n Have I Been Pwned? – Home<\/a><\/p>\n\n\n\nStatic, Dynamic, and Enhanced KBA<\/h2>\n\n\n\n
So Is<\/em> Knowledge-Based Authentication Secure? <\/h2>\n\n\n\n
There Are Better Forms of Authentication<\/h2>\n\n\n\n