All the way back from March.  Can’t believe I missed this for so long.

Much as I’d like to say that consumers aren’t so much against “working for” strong authentication as they are at recognizing that KBA isn’t actually providing any security, at least the results are the same.  KBA is being rejected.  KBA doesn’t protect against even phishing and is just another set of hard to remember and manage passwords.

I still contend that users will definitely work for and even pay for strong authentication if they believe it is effective and if they believe what they are protecting has value to them.  Why should I worry about my credit card being compromised when I know my liability is limited to $50 or some such manageable number.  Heck, my credit card has been stolen a couple times via physical POS situations and it has never cost me any out of pocket money and at worst a couple minutes on the phone with my credit card company.  Of course, it does cost me something as the losses to merchants and banks end up reflected back to me in increased fees, rates, etc., but all that disappears into the great “cost of doing business” economic effect.

Which then brings up the question as to why financial institutions, merchants, etc. aren’t looking to reduce their costs and increase their margins by offering strong authentication to:

• Give themselves a competitive edge over their competitors on margin
• Give themselves a competitive edge in customer loyalty by taking better care of their customers
• Offer price breaks and other incentives for customers that use offered strong authentication mechanisms

One of the online communities I spend time in has actually begun to self-regulate itself along the lines of those that use strong authentication and those that don’t.  Want to participate with a group in that community?  You have to use strong authentication offered in the context of that community.  You don’t have to, but if you don’t you are precluded from interactions with the “better elements” of that community.

Just something to consider.

1. A user you don’t know.
2. A user you do know.

The user you don’t know

Typically this is when a user shows up to register for service and likely will end up with an authentication credential at the end of the process, which they will use going forward to authenticate themselves.  KBA is generally used in this case to prove or establish the identity of the user and again, generally for services where the user’s true identity really matters because of regulations or other legal “know your customer” types of strictures.

The user you do know

This is for the situation where a registered user who does have a valid credential / identity with you, but for some reason isn’t able to utilize that authentication mechanic to login.  Typical use cases for this are when the user is for one of the following reasons unable to login with their proper credential:

• User has forgotten their password.
• User does not have access to their second (or third) factor in a strong authentication situation.  Anyone who has needed to login when they didn’t have their hardware (OTP token, hardware smartcard) or software token (cookie, software token, software smartcard) has at one time or another encountered this scenario.

Types of KBA

There are three methods of accomplishing KBA.

1. Questions the user knows, but you do not.  Generally speaking these Q&A pairs are obtained via services that utilize public or semi-public data sources to ask questions about a user.  These questions can take a wide range of form and are often referred to as “out of wallet” questions as they questions that couldn’t be answered by a thief who as stolen a users wallet.
   • Provide the address where the user lived during a range of dates.
   • Provide the amount of a recurring payment (mortgage, car, etc.)
   • Provide the proper relationship (spouse, father, sibling, etc.) the user has with a name person.
   • Other questions that can be directly or indirectly built from public and semi-public information.
2. Questions both the user and you know because of a prior existing relationship outside the online channel.  These Q&A pairs are derived from information you have about the user from a relationship you have with them outside the online relationship.  This can take any number of forms, but the typical scenario most are familiar with are:
   • Amount of last transaction
   • Account number used to make transactions
   • Other information you have that the valid user should know or be able to readily obtain.
3. Questions you and the user both know because the question / answer pairs were setup as part of the online relationship.  These Q&A answer pairs are either previously arranged (consequently often referred to as “static KBA”), usually at registration or something setup post-registration as part of the user’s profile specifically for helping the user accomplish authenticating themselves when there is an issue using their normal authentication credential.

Clearly, KBA Type #1 is great to use for those users you don’t know and want to identify as being exactly the person they claim to be.  If you are setting up an online relationship from scratch and don’t have any prior basis upon which to “know your customer” and need to know that John Smith is the John Smith at 123 Main St., Somewhere, Ohio, U.S.A. and want to do this all online, then is a good way to go about it.  There are a fair number of services that provide exactly this function, generally used at registration or initial provisioning of login credentials.  One of the main considerations to bear in mind when shopping for these services is how well they structure the questions such that the legitimate user can answer them and an attacker can’t obtain the answers from publicly available sources or guess the answers.  This can be harder than it sounds as balancing the increased security of this type of KBA vs. static KBA and keeping the questions from frustrating and confusing end users, is a tricky proposition.

This isn’t to say that KBA Type #1 can’t be used for other use cases such as self-service forgotten password resets or “step-up” authentication or other secondary authentication use cases.  It can be used for those as well, but may be a higher cost type of transaction than using either KBA Type #2 or #3. 

KBA Type #2 is a lower cost option when having an existing cusstomer you know sign-up online for services.  This can also be used for other use cases as well, though asking questions that aren’t too readily guessable or aren’t reused too often can be difficult depending on the amount of variable, private or semi-private information you have on your customers.  For instance, my mobile phone bill doesn’t vary that much month to month and the people I call are probably pretty easy to guess for anyone willing to spend a bit of time researching me, so those types of questions wouldn’t serve very well.

Which brings us to KBA Type #3.  All of us that participate in much of anything online are familiar with this one.  You set up an account and at registration are asked to setup at least one or more questions to be asked for any number of reasons including:

• Self-service “forgot your password?” scenarios
• Various renditions of, “We don’t recognize you having used this computer”, “We want to verify you’re identity”, “Reset your <proprietarily named security “token”>”.  This occurs when you are logging in from a device the site doesn’t recognize or you or your anti-virus / anti-malware software deleted your cookies such that the authenticating site wants to make sure you aren’t an imposter.
• Step-up authentication.   You attempt some transaction or behavior deemed “risky” by the site, so again, they want to ensure you aren’t an imposter.

You usually get to pick from a list of drop down questions and in some cases even can write your own questions.  This is popular since it is inexpensive as there is no service provider to pay and reduces the number of help desk calls for high frequency events, such as “I forgot my password”. 

There are a couple drawbacks.

• You don’t want to have users setup questions that are easily guessed or readily discovered (mother’s maiden name) or for which the set of answers is small (many people have the favorite color blue).
• Users don’t remember answers to less obvious questions, fail the step and call the help desk anyway.
• The simpler you try to make it by keeping the number of questions low and even with complicated questions, the entire scenario of static KBA is prone to phishing and guessing attacks.  After all, KBA Type #3 (aka “static KBA) is just another single factor, something you know, shared secret, i.e. a ”password”.

There have been an increasing number of news items about the compromise of politicians, celebrities and even services being “owned” via KBA compromise.  Which brings me back to the beginning of this article and why I am hearing so many questions and such confusion over the issue of KBA. 

Folks want to know:

• What are the best questions to ask?
• How many questions should I ask?
• Do I provide questions or let the user pick their own?
• Should I use static / Type #3 KBA at all or go with Type #1 KBA for all use cases?

These are tough questions to answer in the face of KBA’s growing list of failures.  Mark Diodati over at Burton Group has written a ton on the issues of KBA and in a May 29th article states what my personal opinion is with regard to KBA:  “Can We Finally Commit to the End of Knowledge-Based Authentication?“.

Yahoo and Google, who in the last year have both had high-profile users in the news with compromised accounts because of hacked KBA, have apparently decided that KBA needs help.  They are both offering the ability for end-users to use their mobile phones instead of KBA for resetting passwords and I hope for any other secondary authentication opportunities that may arise in the use of their services.

Yahoo’s wording is:  “Having your mobile number will help future password reset attempts. ”  I thought for sure I had a security question setup on Yahoo, but now can’t find it anywhere.  My test drive of their forgotten password procedure tonight shows that my phone is the default or I can pick a non-Yahoo email to use for the ID verification step.  No security question offered.  I don’t know how much they are promoting this yet, but hopefully a lot and soon.

Google’s Account setting page lists email, SMS to your phone and a security as options for password recovery.  When I ran my test there tonight I was advised that an email and a SMS phone message had been sent to assist me in recovering my password and a link for each was provided so I could pick which I wanted to use.  While Google does still have a security question and answer, that can’t be used until my account has been idle for 24 hours.  Interesting compromise.

Which brings me to the title of this article “Trend in KBA?”.  Google and Yahoo are moving away from KBA, static, Type 3 KBA to be exact, shouldn’t those for whom reputation is even more important consider doing so?  I know this is a battle that till now has been dominated by the business and bean counter side of the organization while the security folks get ignored as usual as being unrealistic and alarmist.  Time to listen to the security folks and dump KBA.

Interesting comparison and contrasting of offerings, though oddly enough, Ping seems to be fairly well behind the other two on the surface of it.

You can read about it here if you want on the World of Warcraft related site, WoW.com:  “An Interview With a Scammer“.  You may not find the entire article interesting so you can cut right to the part of the article about OTPs by searching on “authenticator” as this is part of the branded name Blizzard (creators of WoW) has given to their OTP, “Blizzard Authenticator”.  If you’re uninterested in the article, here’s the money-quote:

Interviewer:  Do you have a way to get around the Authenticator?
Scammer:  Actually yes. For the very FIRST login, I can get around it. So I have to change the password then or make a quick clean sweep of the account.

Interviewer:  Ah, how do you do it?
Scammer:  Just enter the Authenticator code they put into my site.

So a couple of points I’d like to make that I’ve made in the past:

1. On the internet, where things happen in milliseconds, 30 or 60 seconds is a very long time.
2. Only one compromise of an account is needed to ruin your day and make the scammer richer.
3. Consequently, OTPs aren’t really all that good at protecting you when logging into a website.
4. OTPs can be a solid protection when used in conjunction with a thick client such as an IPSec VPN client or in this particular case, the WoW game client.  This is because it is much tougher to gain enough access to a PC to steal your keystrokes outside a browser in real time than from a field you type into inside a browser.

Which is why I bought ($6.50) a Blizzard Authenticator as soon as I could get my hands on one and why I try to never log into my account within a browser and when I do, I am very, very careful.  I only do so from a machine that I protect jealously and by typing in the worldofwarcraft.com URL myself.

Consequently, OTPs do have a place and can be of some value if you understand the risk, but do not fool yourself into thinking that because you are using an OTP that you are bulletproof.

How to Spot a Fake Census Worker
Remember, if anyone says, “I’m from the government and I’m here to help”… Don’t believe it and you should probably be plotting a run for your gun!

MLB Nearing $1 Million in iPhone Revenue
Content is king and funny how if you provide anything of value, users have no problem finding, downloading, using and even paying for a special “thick” client.

Reinventing the Book in the Age of the Web
I’d buy a Kindle tomorrow if 1) it did ANYTHING else or was more around $250. I can’t see spending much more on a book reader than I would for a large MP3 player or PSP or DS.

Panda introduces cloud-based free antivirus
Increasingly no need to be paying for anti-virus. If you’re ISP doesn’t give you a copy for free, then investigate the other free alternatives of which this is just the most recent.

The problem holding any such system from emerging is an underlying liability infrastructure so everyone knows who is taking what risks and who gets screwed when the excrement hits the fan at any given stage.  The banks formed Visa and signed onto a rule-set that was then taken and marketed to merchants and customers who signed up for their various parts including risk exposure, penalties, etc..  PayPal came along and while they did offer their own guarantees and manage their own risk, they really rode the pre-existing liability infrastructures of Visa, Mastercard, etc.

So where does a wannabe emergent identity system get an existing liability infrastructure from which to launch to victory?  Who vets and backs online identities tied to actual, legally prosecutable individuals across more than one system that isn’t tied to a payment instrument?  I can’t think of any.  Everyone that wants my business or would have potential cause to persue me for some type of fraud requests a payment device from me.  My credit card number, bank account number, etc.

AaaHa!  So the banks should be the ones that issue my identity… uh wait a minute.  Banks are slow, uninnovative, fraidy-cats, which is why PayPal got to be what it is.

Yeah, so there we are.  Back to square one.  Perhaps Facebook Connect will lead the way, but they will have to a significantly better job of vetting users identity.  I’m not sure about you, but I’ve got several Facebook accounts.  Which one is the actual me?  Or are they all?  Does it matter for an identity system?  Probably given that the main purpose of an identity system is to smooth the path to various forms of e-commerce. 

Dang!  Back to payment again!

Great posts and all of this is marvelous commentary on all that is wrong, what exists but isn’t enough and the remaining challenges, but are the players with the technology and know-how just going to sit by and let something coalesce out of the chaos?  Do they have a choice?  All the big players have a reason to hark back to the MS Passport / Hailstorm days and shiver, but what about the little guys with nothing to lose, but some sleep and VC money? 

Users are aware of the problems and looking for solutions.  One community alone is keeping the virtual shelves bare of even the hated OTP over at the Blizzard store* trying to protect their virtual loot in WoW.  I haven’t been able to order one, though I’ve been checking multiple times a day over the last month. You know from my previous posts, that I have an unnatural hatred of OTPs, yet I’m eager to get one for this very specific, non-single sign-on situation.

Do people really want a digital readout thing-a-ma-bob?  Not even with Blizzard stamped on it.  Do they want to make dang sure that their stuff doesn’t go missing as is happening with great frequency to their friends, even the supposedly security savvy? (no, it hasn’t happened to me <grin>).  Clearly, yes. 

Combine this article with the news today about the various worms running through the Facebook and MySpace communities, wouldn’t we expect these communities to react with the same vigor as the WoW folks?  Sure, there may not be as much virtual goodies to be stolen, but these sites reportedly thrive on something more important… my reputation with my friends and their friends and their… yeah, the social net thing.  However, regardless the supposed Data Portability announcements with some fuzzy commentary of “trusted authentication” among 3rd parties, where are the true security related announcements?   

The majority of these attacks start at the same place and the stories all begin with the same phrase:  “With the compromised credentials, the attacker… [insert virtual violation technique here]“.  As the MythBusters often exclaim whilst smacking their foreheads, “well THERE’s your problem!”.  If Startup X showed up tomorrow and gave users easy to use, very, very difficult to compromise credentials, that worked for even just the top 50% of sites they want security for, would they use it?  That question, along with “what would they pay?” are the two questions I always hear as the discussion killer by the jaded. 

But think how much happier users and vendors would be in the Blizzard Authenticator case if the solution was software based and not bound by the availability of what is apparently a strongly sought after physical item at $6.50 each.  That’s just for one site that 10+ million people care about.  Oh that’s right, those OTPs can’t be purchased outside the U.S. so the number of users keeping these in short supply is well south of 10 million.  Imagine then that your software only solution would truly be available to the global community and with significantly better margins than a physical device.  Getting anyone’s attention yet?

Is authentication enough to really generate strong numbers?  I think that it would, but consider if the credential were of a significantly powerful variety to provide functionality beyond authentication.  Then that brings in both fence-sitters and entirely new groups of users with different security and / or business interests.  Folks, there’s enough technology out there already available (with some about to make an appearance that I’ll chat about here when it is ready for public announcement) to put together a very compelling, game-changing and revenue generating service. 

Before you say, “No one would ever trust a startup / new entrant enough to permit the creation of an uber-powerful identity provider”, remember that is exactly what the banks and their blinder-wearing service providers said while PayPal came in and ate their lunch.  Funny that in the “Goodbye, Passwords” article, PayPal is properly called out as one of the key players in deciding what is and isn’t secure enough in Web 2.0 and beyond.

==========================================================

 * Loading the Blizzard store is still problematic as fans crush it for Blizzcon tickets as of 8/12/08.