Knowledge-Based Authentication: Hardly a Smart Idea

Unless you've been living under a rock, you've likely heard about the celebrity photo hacking incident that targeted high profile Apple users. The breach comes at a time when Apple has begun doubling down on its cloud services. According to the Wall Street Journal, the attack was successful due to a rather straightforward assault on two of Apple's authentication systems -- password-based authentication and knowledge-based authentication -- both of which pale in comparison to token-based authentication when it comes to security.

At its core, the Apple breach was a "brute-force attack," which means that the attackers kept inputting authentication credentials until the right ones provided access. On the password side of the authentication process, this means that hackers likely used a list of common passwords (read: "password" or "123456") repeatedly to log into the celebrities' iCloud accounts.

The Secure ID Coalition has repeatedly alerted the public to the dangers of password-based authentication systems. However, the danger lies not just in picking a secure password. Unless you're one of the 0.00001% of internet users who uses a unique password for every website, changes them frequently, and never stores them anywhere, you're still pretty vulnerable. Additionally, the hackers were able to disable the lockout mechanism designed to stop users after multiple incorrect login attempts.
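As an added illustration (not part of the original post or any Apple system), the following Python models the two controls the paragraphs above describe: a per-account lockout that a brute-force attempt should trip, and a detector run over constructed log lines, since even a disabled lockout leaves the burst of failed logins visible to whoever reads the logs. The thresholds, log format and account names are assumptions chosen for the example.

```python
from collections import defaultdict, deque
MAX_FAILURES = 3       # failed logins allowed inside the window
WINDOW_SECONDS = 300   # sliding window for counting failures
LOCKOUT_SECONDS = 900  # how long an account stays locked afterwards
def _prune(q, now):
    while q and now - q[0] > WINDOW_SECONDS:  # drop aged-out failures
        q.popleft()
class LoginGuard:  # per-account lockout; refuses every attempt once locked
    def __init__(self):
        self.failures = defaultdict(deque)  # account -> failure timestamps
        self.locked_until = {}              # account -> unlock time

    def attempt(self, account, password_ok, now):
        if self.locked_until.get(account, 0) > now:
            return "locked"  # even the right password is refused while locked
        q = self.failures[account]
        _prune(q, now)
        if password_ok:
            q.clear()
            return "ok"
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
        return "fail"

# Constructed sample log ("<epoch seconds> <account> <result>"), not real data.
SAMPLE_LOG = """\
1000 alice FAIL
1001 alice FAIL
1002 alice FAIL
1003 alice OK
1100 bob FAIL
1700 bob FAIL"""

def detect(log_text):
    """Flag burst-of-failure accounts, and accounts where a success follows one."""
    recent, burst, suspect = defaultdict(deque), set(), set()
    for line in log_text.splitlines():
        ts, account, result = line.split()
        q = recent[account]
        _prune(q, int(ts))
        if result == "FAIL":
            q.append(int(ts))
            if len(q) >= MAX_FAILURES:
                burst.add(account)
        elif len(q) >= MAX_FAILURES:
            suspect.add(account)  # success right after a burst: likely guessed
    return {"burst": sorted(burst), "success_after_burst": sorted(suspect)}
```

Bob's two failures fall outside one window and are never flagged; Alice's three in four seconds trip both the lockout and the detector, and her following success is the signal worth alerting on.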

Apple CEO Tim Cook also acknowledged that the accounts may have been compromised when hackers correctly answered security questions to obtain access to the celebrities' iCloud accounts. This brings to light the danger of another class of verification systems: knowledge-based authentication. Knowledge-based or data-based authentication systems use personal information to generate questions whose answers, in theory, only the legitimate user would know.

Sounds great in theory, right? In practice, these systems are highly insecure because they rely on publicly available information to generate the questions. In a move that will likely increase fraud, some states have begun using such "big data" approaches to verify welfare eligibility using -- you guessed it -- information in the public record. Nor does the danger go away with a shift to so-called "private" information, because hackers can likely find out anything you might list as the answer to a supposedly "secret question" if they watch you long enough. (Come to think of it, how many financial institutions make you write down your mother's maiden name? As if that's some sort of super-secret knowledge that no one else, let alone your entire family, has access to.)

For example, when you apply for your credit report on, the federally-sanctioned website for receiving your annual credit reports, the site generates security questions using commonly available information. Do any of your acquaintances know one of your prior addresses, or a roommate you previously lived with? If so, they've likely already beaten the security procedures on this federally-sanctioned site.

The point of all this is that there is no substitute for a physical token, such as a smartcard that cannot be replicated or reproduced, as the foundation for identity security. Anything less is just not smart.
