It’s a familiar experience to log into a secure website and be asked to enter a security code sent to either your mobile device or email. This two-factor authentication is one of the most commonly used forms of multifactor authentication—a broad term applying to practices that help confirm a person’s identity with a combination of something they know (e.g., their login password), something they have (e.g., a mobile phone), or something they are (a specific person with unique fingerprints, for example).
This login scenario is just one illustration of how multifactor authentication can be applied, and as security professionals know, its uses are by no means limited to an online context. In any scenario where security is desired, each additional factor or “layer” of authentication adds certainty that a user or patron is who they claim to be and is authorized to be transacting with the organization. Many companies are now implementing knowledge-based authentication (KBA) to meet this challenge. However, this approach has its drawbacks. Read on to learn why.
Finding the Right Balance of Security Measures
For many organizations that wish to improve their security, the biggest challenge is finding a balance of measures that are sufficiently secure, user-friendly for both staff and patrons, and that work well with the atmosphere the organization wishes to cultivate.
In the offline, three-dimensional world, asking a user to present an ID is the beginning and end of security for many organizations. But as identity theft and counterfeit identity documents continue to proliferate, many companies are interested in going beyond a simple ID check to help protect themselves against fraud, financial loss, or potential legal violations.
Knowledge-Based Authentication—What’s the Risk?
Implementing knowledge-based authentication is a common first step for organizations that want to add a layer of security. With this practice, organizations ask a patron to provide a piece of information such as their mother’s maiden name to help authenticate the patron’s identity. KBA is seen as relatively simple to implement, as it typically only requires a software partner that can provide the technology and database.
The drawback, of course, is that knowledge-based authentication measures can be readily defeated by identity thieves. News headlines abound about celebrities and public figures who have had their online accounts hacked due to how easily their personal information can be found. The security risk applies for private citizens as well—both online and offline—thanks to our participation on social media and other online hubs where information such as family members’ names, schools attended, and pet names is easily discoverable. Because of this, organizations that implement knowledge-based authentication often find that it fails to cut down on fraud as dramatically as they had hoped.
Physical ID Authentication in a Layered Approach
Many companies are finding success by implementing physical ID authentication. By confirming the validity of a patron’s ID document in real time, and confirming that the patron is its rightful holder, companies can be more certain of their patrons’ identities. Physical ID authentication is performed with technology that authenticates data from the readable components of an ID (for example, comparing the barcode data with the printed characters on the document) and also verifies the security features of the document, such as specific inks visible only under certain light. This security measure can also be combined with other factors, such as a watchlist feature that can flag VIPs or banned patrons when their ID is scanned.
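As an added illustration of the barcode-versus-printed-text cross-check described above (example code, not from the original article or any vendor's product), the following assumes a simplified AAMVA-style barcode payload and an OCR result, both constructed here, and reports every field on which the two disagree:

```python
import re
from datetime import datetime

# Subset of AAMVA PDF417 element IDs (assumed barcode format; the page names
# none), mapped to the printed field each should agree with.
ELEMENT_TO_FIELD = {"DCS": "last_name", "DAC": "first_name",
                    "DBB": "date_of_birth", "DAQ": "id_number"}

def parse_barcode(payload: str) -> dict:
    """Parse newline-separated 'XXXvalue' elements into printed-field names."""
    fields = {}
    for line in payload.splitlines():
        element, value = line[:3], line[3:].strip()
        if element in ELEMENT_TO_FIELD:
            fields[ELEMENT_TO_FIELD[element]] = value
    return fields

def normalize(field: str, value: str) -> str:
    """Canonicalize so OCR quirks (case, spacing, date layout) do not count."""
    value = value.strip().upper()
    if field == "date_of_birth":
        for fmt in ("%m%d%Y", "%m/%d/%Y", "%Y-%m-%d"):
            try:
                return datetime.strptime(value, fmt).strftime("%Y-%m-%d")
            except ValueError:
                continue
        return value  # unparseable date: compare raw, almost surely a mismatch
    return re.sub(r"[^A-Z0-9]", "", value)

def cross_check(barcode_fields: dict, printed_fields: dict) -> list:
    """Return (field, barcode_value, printed_value) for each disagreement.
    A field missing on either side is reported too, never silently passed."""
    mismatches = []
    for field in ELEMENT_TO_FIELD.values():
        b, p = barcode_fields.get(field), printed_fields.get(field)
        if b is None or p is None or normalize(field, b) != normalize(field, p):
            mismatches.append((field, b, p))
    return mismatches

# Constructed sample: barcode payload and OCR output for one fictional card,
# plus a copy whose printed date of birth was altered while the barcode was not.
SAMPLE_BARCODE = "DCSDOE\nDACJANE\nDBB07041990\nDAQD1234567\n"
SAMPLE_PRINTED = {"last_name": "Doe", "first_name": "Jane",
                  "date_of_birth": "07/04/1990", "id_number": "D1234567"}
TAMPERED_PRINTED = dict(SAMPLE_PRINTED, date_of_birth="07/04/1998")
```

A real deployment would feed the barcode fields from a PDF417 decoder and the printed fields from OCR, and treat any non-empty mismatch list as grounds for a manual review rather than an automatic rejection, since OCR errors also produce mismatches.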
The fact is that there are security risks for both the “something they have” and the “something they know” factors of ID authentication. As long as forged ID documents remain in circulation, and as long as individuals’ personal information is readily accessible by identity thieves, organizations will need to think carefully about how they can best combine authentication factors to achieve their goals. Properly authenticating ID documents is a crucial part of a multifactor authentication approach.
Updated: 12/2/2022