From KBA to MFA: Why knowledge-based authentication is out

Michael Jenkins | 1/18/2024

Knowledge-based authentication is inherently flawed, and yet it lingers in security models. Multifactor authentication helps improve online security.

“The password is dead” has been a refrain in information technology (IT) for the entire 21st century. In 2004, alongside hailing the rise of 64-bit computing, Bill Gates proclaimed “There is no doubt that over time, people are going to rely less and less on passwords,” and he predicted the use of smart cards and biometrics. However, decades later, 75% of Americans struggle to keep track of their passwords, and only 37% use multifactor authentication (MFA). Passwords and other forms of knowledge-based authentication (KBA) still represent a core component of modern security despite inherent flaws and the constant advancement of attacks.

Why passwords endure

Passwords remain prevalent despite suffering from innate vulnerability and user frustration for three primary reasons. First, users are already familiar with creating and maintaining passwords. While using a “secret phrase” is a simple concept that is easy to learn, MFA is more complex and suffers from accessibility issues with older demographics. Second, almost all online services offer password authentication, but fewer offer multifactor authentication. Additionally, services sometimes charge extra to use advanced authentication, and setup can be time consuming. Third, passwords can be easily implemented and managed by developers. Passwords can be simply stored in a database where they can be compared and altered in a single location. In contrast, other forms of authentication require multiple devices and services to communicate and synchronize data.


Limitations of knowledge-based authentication

Because passwords are used so ubiquitously in current authentication, their weaknesses are at once obvious and easy to overlook. Neither end users nor IT staff fully embrace passwords. Password security depends on end users selecting unique and secure values that are hard to guess. To nudge them in a secure direction, many IT staff impose mitigations such as minimum length, complexity, lifetime, and reuse restrictions. However, some complexity and lifetime mitigations backfire and result in weaker passwords and increased reuse, which can lead to password compromises, the main cause of 86% of web application breaches.

Despite being a “memorized secret,” secure passwords are difficult for humans to memorize. On average, most U.S. users must manage credentials to 200 online accounts. It is inevitable that some of these passwords will be forgotten or lost, creating a resource drain on the services and IT staff responsible for resetting them.

When faced with impossible feats of memorization, many users fall victim to subpar coping behaviors. One such behavior is using personal information that could be publicly available. A 2019 poll found that nearly 59% of users included a name or birthday in their account password, and 33% used a pet’s name. Attackers can easily discover this information, so this coping behavior makes passwords weak and predictable.

Another risky behavior is reusing passwords across multiple sites. The 2022 SpyCloud “Annual Identity Exposure Report” noted a 64% password reuse rate among users for whom at least one password had been exposed in 2021. Password reuse is a serious threat vector, and cybercriminals can take advantage of this practice more easily when users recycle their passwords across accounts. Additionally, reusing passwords is akin to placing multiple eggs into a single basket. If a single site suffers a breach, attackers can gain access to the one site and every other site sharing credentials with it.

It is inherently easier for a computer to attempt millions of passwords per second than it is for a human being to memorize a single unique one. This imbalance continually becomes more striking as computers become more powerful. The result is a painful tradeoff between security and usability in which the minimum secure threshold rises ever higher in a race against attackers and password cracking.

That they can be stolen at all demonstrates how weak passwords are. Whether a password is stored in an encrypted form or in plaintext, breached password data can ultimately be used to abuse the privileges of an account. This weakness places a target on central identity stores, such as web application databases, where a successful structured query language (SQL) injection attack could result in a massive breach. Passwords can also be stolen by exploiting human vulnerabilities through phishing attacks. The strength of a user’s password becomes irrelevant if they simply hand it over in response to the latest phishing technique.

Some solutions can help individual users and organizations manage passwords and promote more secure practices. Password vaulting and privileged access management (PAM) solutions enable users to securely store passwords in a central location behind a single, strong credential. Further, these solutions empower users to use much stronger passwords and even completely randomized values as they only need to memorize the single, strong credential. However, these solutions are imperfect, and the innate vulnerabilities of passwords can persist. The password data stored within the solutions can still be shared or breached to abuse privileges. Like a web application password database, these solutions represent a single point of security failure. Additionally, if a login does not support copy and paste or auto-login functionality, users are still tempted to create weak passwords to reduce typing.

Security questions: The opposite of secure

Passwords are not the only form of knowledge-based authentication that continues to plague security. Many organizations from banks to airlines rely on security questions. The goal of these is to provide a level of security without memorization by asking for personal information that users already know. Some sites even use security questions to validate password reset requests, effectively giving them the same power and danger of compromise.

The first issue with security questions is that they often rely upon nonconfidential information. Few individuals fiercely guard the knowledge of their birthday, favorite book, or the model of their first car. Such personal information makes security questions ineffective because it can be easy to acquire through social media and social engineering. Personal details are also far from unique. If you ask English speakers what their favorite food is, there is nearly a 19.7% chance that it is pizza.

The second issue surfaces because tying security questions to real-life information introduces reset dilemmas. If a password is leaked, it can simply be changed to a new random value. Meanwhile, someone’s mother would find it much harder to change her maiden name without witness protection or time travel.

The third issue with security questions is reliability. Despite using already memorized material, users can forget the exact data recorded as an answer. Some details such as favorite songs can change with time and others like the name of a first-grade teacher rely on distant memory. Even the format of answers can be ambiguous. When entering a high school mascot, should the name be capitalized? Should colors or school names be included? Is punctuation or whitespace needed?

Security questions are so notoriously flawed that industry guidance and standards organizations have called for their retirement. A common recommendation for security questions is to simply lie and instead set answers to random strings of characters. This questionable strategy effectively recreates the password, a superior yet still problematic form of knowledge-based authentication. The National Institute of Standards and Technology (NIST) even removed “pre-registered knowledge” as a form of recommended authentication in its publication “Digital Identity Guidelines: Authentication and Lifecycle Management.”

Flaws with alternative knowledge-based authentication

Although passwords and security questions are the poster children of KBA, other forms of authentication have made their way to device logins, including personal identification number (PIN) codes and graphical passwords. Traditional PIN codes suffer the same vulnerabilities as passwords in addition to a typically reduced length and key space. These features make them unsuitable as authentication unless supported by an aggressive and tamper-resistant lockout.

One note: Many modern PIN systems, such as Microsoft Windows Hello™, are not fully KBA because they are backed by hardware. In these implementations, a tamper-resistant cryptographic module is responsible for the login operations, and the PIN serves only to activate it.
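The following Go program is an added illustration of the hardware-backed PIN model described above, together with the lockout requirement from the previous paragraph; it is not code from Crowe or Microsoft, and it is a deliberately simplified model rather than Windows Hello's real design. The names `Module`, `NewModule`, `Sign`, `NewChallenge` and `VerifyLogin`, the sample PIN and the retry budget are all assumptions made for the example: the private key is generated inside the module and never leaves it, the PIN only unlocks it, a wrong PIN consumes one of a small number of attempts, and the server enrolls and verifies nothing but a public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

var ErrBadPIN = errors.New("wrong PIN")
var ErrLocked = errors.New("module locked: PIN retry budget exhausted")

// Module models a tamper-resistant cryptographic module (a hypothetical design, not
// Windows Hello's real internals): the PIN only unlocks a key that never leaves it.
type Module struct {
	priv               ed25519.PrivateKey
	pin                string
	failures, maxFails int
}

// NewModule generates the key pair inside the module; the server enrolls only the public key.
func NewModule(pin string, maxFails int) (*Module, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Module{priv: priv, pin: pin, maxFails: maxFails}, pub, nil
}

// Sign answers a challenge only while the PIN is right and the retry budget remains.
func (m *Module) Sign(pin string, challenge []byte) ([]byte, error) {
	if m.failures >= m.maxFails {
		return nil, ErrLocked
	}
	if pin != m.pin { // each wrong PIN burns one attempt, so a short PIN cannot be guessed offline
		m.failures++
		return nil, ErrBadPIN
	}
	m.failures = 0
	return ed25519.Sign(m.priv, challenge), nil
}

// NewChallenge issues a fresh random nonce so a captured response cannot be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// VerifyLogin (server side) needs only the public key: a breached store yields nothing reusable.
func VerifyLogin(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}
```

Compare this with a server that stores a PIN hash: there, a breach of the store lets an attacker guess the four-digit key space at machine speed, while here the only guessing surface is the module's own retry counter.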

Another form of alternative KBA is the graphical password, initially introduced to enable users to log in to a system by clicking on points on a displayed image. Graphical passwords possess similar effective length and key space issues as PIN codes, as complex and long operations are difficult to perform reliably. Additionally, many users click on images in similar and predictable ways, making the passwords easier to guess. For these reasons, even level 1 Center for Internet Security benchmarks require that graphical passwords be disabled.

Moving toward MFA

Although knowledge-based authentication has sufficed from early computing to today, it is no longer sufficient to protect users and their numerous accounts. As cyberattacks accelerate, the balancing act of convenience and security will only worsen unless a new paradigm of authentication is widely employed. MFA remedies the weaknesses of KBA by providing resistance against phishing, insecure configuration, and credential theft. In the absence of MFA on a site, users will need to continue resorting to using random strings for passwords and answers to (so-called) security questions and storing that information in robust password vaults.

Organizations can take the following steps to implement MFA:

  • Identify authentication requirements. Organizations should analyze the current state of their IT infrastructure, identify all current authentication methods, and document business and compliance requirements. This analysis should include reviewing “forgotten password” and other password reset mechanisms. This process helps ensure that a potential MFA solution considers all use cases and determines the scope of implementation.
  • Identify MFA solutions. Organizations should devote time and resources to researching various MFA solutions. Factors like cost, compatibility with existing infrastructure, ease of implementation, and vendor reputation should be considered. Different MFA solutions provide different levels of protection and usability. The right solution will balance security needs and budgetary constraints.
  • Perform a cost-benefit analysis. MFA implementation incurs direct expenses (like purchasing the solution) and indirect ones (like possible decrease in productivity during the transition period). When compared to the potential costs of a security breach, realizing the likely lower cost of an MFA solution can help stakeholders and leadership make the investment.
  • Develop a rollout plan. To achieve better adoption of MFA among end users, organizations should plan a gradual phased rollout. A structured deployment reduces risk, minimizes downtime, and fosters a positive environment for user feedback. The rollout plan should be revised to address issues as they emerge, and any exceptions should be documented.
  • Pilot the MFA solution. Before deploying any solution on a large scale, organizations should test it on a small scale to confirm it works as intended and to address potential issues. A trial run smooths the final rollout and alerts the team to potential difficulties.
  • Educate users. Along with the rollout plan, organizations should train employees about the benefits of MFA, how to use it, and best practices. An informed end user is crucial to the success of MFA. Their understanding and buy-in are needed to reinforce the security culture.
  • Monitor and improve the MFA solution. Organizations should implement the multifactor authentication solution according to the rollout plan. After the MFA rollout, they should continually monitor its effectiveness through defined performance indicators, gather feedback from users, and make adjustments as necessary to improve usability. Any documented exceptions should be reviewed, and renewed if needed, on a regular basis.

KBA to MFA to FIDO

Whether MFA serves as a complement to KBA or fully replaces KBA with newer standards such as fast identity online (FIDO), it must reach mainstream adoption and become both available and required in all facets of online life. Moving from KBA to MFA and eventually to FIDO can help individuals and organizations establish stronger best practices and strengthen their cyber resilience.

Microsoft and Windows Hello are trademarks of the Microsoft group of companies.
