Archive for the ‘KBA’ category

Why are security phrases a bad idea?

May 19, 2010

The title of this post was the security pass phrase question I chose when registering for online access to a financial services firm. I called aforementioned financial services firm today and when prompted for the answer by the customer service representative, I responded “because you can’t remember the questions or answers.” Unfortunately, that was not the correct response to this knowledge based authentication (KBA) question. However, this experience is another example of why static KBA systems are a bad idea – usability. I registered for access so long ago that I can’t remember the response (I usually include them in my password safe, but did not in this instance). Being an identity-privacy zealot, I did not enter one of the usual KBA questions like, what was the first car you owned or where did I go to high school.

Why are static KBA systems still in use? They are a very weak link in the security chain, but used by so many web sites including, supposedly, security conscious banking sites. In the age of Google and Facebook, the list of good KBA questions is effectively zero. I will be happy when my account is closed with this financial institution!