Why are security phrases a bad idea?
The title of this post was the security pass phrase question I chose when registering for online access to a financial services firm. I called aforementioned financial services firm today and when prompted for the answer by the customer service representative, I responded “because you can’t remember the questions or answers.” Unfortunately, that was not the correct response to this knowledge based authentication (KBA) question. However, this experience is another example of why static KBA systems are a bad idea – usability. I registered for access so long ago that I can’t remember the response (I usually include them in my password safe, but did not in this instance). Being an identity-privacy zealot, I did not enter one of the usual KBA questions like, what was the first car you owned or where did I go to high school.
Why are static KBA systems still in use? They are a very weak link in the security chain, but used by so many web sites including, supposedly, security conscious banking sites. In the age of Google and Facebook, the list of good KBA questions is effectively zero. I will be happy when my account is closed with this financial institution!
Explore posts in the same categories: KBA
Analyzing Identity 
May 20, 2010 at 1:16 pm
[…] This type of static knowledge authentication is simply NOT suitable to authenticate any transaction that requires more than a very minimal level of assurance, and it is very naïve to use it for online banking (see also). […]
May 24, 2010 at 4:12 am
Dynamic KBA while better than static has its own challenges including but not limited to:
– Determining a credible source of data
– Adding costs associated with procuring a credible source of data
– Having to collect even more personally identifiable information such that you can query a credible source of data