
Dynamic Knowledge-based Authentication Method




Option 1

The attached figure 1 above depicts the authentication method to be used in this project. The method is made up of two application levels: an identification level and an authentication level. Initially, a user visits the KBA website via the provided URL, e.g. www.KBA.com, and registers by providing a username and email address for identification. The KBA system checks that the username and email address are unique and do not already exist; otherwise they are rejected. The accepted information is stored in the KBA database. Afterwards, the KBA system issues an authentication request by prompting the user to answer four (4) challenge-response questions, one after the other:
1. How many friends have you added in the last one week?
2. How many friend requests have you received in the last one week?
3. How many status updates have you made in the last one week?
4. And lastly, how many pictures have you added in the last one week?
Authentication is done in real time by contacting the third-party system (for this experiment, the social networking site Facebook) and comparing the answers provided by the user against the values retrieved from it. If the user answers a minimum of three of the four questions correctly, access is granted; otherwise access is denied. In addition, to reflect the KBA system's tolerance, each question carries a different weight, as follows:
• How many friends have you added in the last one week? - 30%
• How many friend requests have you received in the last one week? - 20%
• How many status updates have you made in the last one week? - 30%
• How many pictures have you added in the last one week? - 20%
Therefore, answering all four questions correctly yields a 100% score, while the minimum acceptance threshold is 70%. With these weights the two rules agree: any three correct answers score at least 30% + 20% + 20% = 70%, while any two correct answers score at most 60%.


Option 2
Proposed KBA Authentication Method (2)
An alternative to the method described above was also considered. In this alternative, a web-based game generates data as the user plays it. This dynamic KBA method requires every user to be authenticated by correctly answering questions generated on the fly from the game data. The game system serves as the third-party system/public record for this KBA system. Again, the authentication method consists of two application levels: the identification level and the authentication level.
Similar to the first option outlined above, a new user begins by visiting the KBA website via the URL, e.g. www.KBA.com, and providing a username and email address for identification. The KBA system checks whether the new username and its corresponding email address already exist. If the username and the corresponding email address are unique the KBA system accepts them; otherwise it rejects them and the user is asked to provide another.
The KBA system then presents a game to be played by the new user, after which the score, the amount won, the image won and lastly the location are stored in the database. This session is called the registration or enrolment phase.
During the authentication phase, registered users log in with their username and the answers to the questions generated on the fly. This is equivalent to the familiar username and traditional text-based password. The KBA system sends an authentication request by prompting the user to answer, one after the other, the following questions, generated from the game played during registration, for verification of identity:
• What was your score the last time you played?
• How much did you win the last time you played?
• What image won the last time you played?
• What was your location the last time you played?
The KBA system verifies the answers by contacting the game server database and comparing the provided answers with those stored there. If the user answers all four, or a minimum of three, questions correctly, access is granted; otherwise the inability to answer at least three questions correctly causes the authentication to fail.
However, at every authentication or login the same questions are asked, but the answers keep changing as a result of the different outcome of each game played.
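As an added illustration, not the project's own code, the following Python sketch implements the verification rule shared by both options: each question carries a weight, the claimant's answers are compared with the values fetched from the third-party system, and access is granted when the weighted score reaches the threshold. The question names, the sample reference values and the equal 25% weights used for Option 2 are assumptions made for the example; the page fixes only Option 1's weights and its 70% threshold. The sketch also checks that the "three of four correct" rule and the percentage threshold describe the same decision, which holds for Option 1's weights and fails for an uneven split such as 50/10/20/20.

```python
from dataclasses import dataclass
from itertools import combinations

# Option 1: the four Facebook activity questions and the weights given above.
OPTION1_WEIGHTS = {
    "friends_added_last_week": 30,
    "friend_requests_received_last_week": 20,
    "status_updates_last_week": 30,
    "pictures_added_last_week": 20,
}
OPTION1_THRESHOLD = 70

# Option 2: the four game questions. The page gives no weights, only the
# "three of four" rule; equal 25% weights and a 75% threshold are assumed here.
OPTION2_WEIGHTS = {"score": 25, "amount_won": 25, "image_won": 25, "location": 25}
OPTION2_THRESHOLD = 75


@dataclass(frozen=True)
class Decision:
    score: int        # weighted percentage achieved
    correct: tuple    # questions answered correctly
    accepted: bool    # score >= threshold


def normalise(value):
    """Canonical form for comparison: '12', ' 12 ' and 12 agree; 'Paris' == 'paris'."""
    return str(value).strip().lower()


def is_correct(question, answers, reference):
    """A missing reference value never counts as correct, so a failed lookup at
    the third-party system cannot hand the claimant a free point."""
    return (question in answers and question in reference
            and normalise(answers[question]) == normalise(reference[question]))


def verify(weights, reference, answers, threshold):
    """Score the claimant's answers against the reference values and decide.

    weights   : question -> percentage weight (must total 100)
    reference : question -> value fetched from Facebook / the game server
    answers   : question -> value the claimant typed
    """
    if sum(weights.values()) != 100:
        raise ValueError("question weights must total 100%")
    correct = tuple(q for q in weights if is_correct(q, answers, reference))
    score = sum(weights[q] for q in correct)
    return Decision(score=score, correct=correct, accepted=score >= threshold)


def rule_matches_threshold(weights, threshold, min_correct):
    """True when 'at least min_correct answers right' and 'score >= threshold'
    accept and reject exactly the same subsets of questions."""
    questions = list(weights)
    for k in range(len(questions) + 1):
        for subset in combinations(questions, k):
            passes = sum(weights[q] for q in subset) >= threshold
            if passes != (k >= min_correct):
                return False
    return True


# Constructed reference values standing in for one user's Facebook activity
# in the current Monday-to-Sunday week.
SAMPLE_REFERENCE = {
    "friends_added_last_week": 3,
    "friend_requests_received_last_week": 5,
    "status_updates_last_week": 12,
    "pictures_added_last_week": 0,
}


def demo():
    """Two constructed login attempts against SAMPLE_REFERENCE."""
    # Three right (friends_added wrong): 20 + 30 + 20 = 70 -> accepted.
    three_right = verify(OPTION1_WEIGHTS, SAMPLE_REFERENCE, {
        "friends_added_last_week": "4",
        "friend_requests_received_last_week": "5",
        "status_updates_last_week": " 12",
        "pictures_added_last_week": "0",
    }, OPTION1_THRESHOLD)
    # Only the two 30% questions right: 60 -> rejected.
    two_right = verify(OPTION1_WEIGHTS, SAMPLE_REFERENCE, {
        "friends_added_last_week": 3,
        "friend_requests_received_last_week": 4,
        "status_updates_last_week": 12,
        "pictures_added_last_week": 1,
    }, OPTION1_THRESHOLD)
    return three_right, two_right


if __name__ == "__main__":
    for decision in demo():
        print(decision)
    print("Option 1 rule consistent:", rule_matches_threshold(OPTION1_WEIGHTS, 70, 3))
```

In a deployment the reference values would be fetched at login time from Facebook or the game server rather than held in a dictionary; the comparison deliberately treats a missing reference value as a wrong answer, so a failed lookup at the data source can never be turned into a free point for the claimant.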




26/07/10
The Hypotheses
This is the most critical stage, since it forms the framework of the survey questions. Derek, S. (2000) defines a hypothesis as a tentative or supposed proposition, based on observed happenings or theories, about a testable relationship or quality.
The aim of this project is to survey the feasibility of KBA and to compare it with a known authentication method. Research has shown that KBA raises a number of questions based on users' past experience, among which are: should an organisation authenticate with information it already has, such as a recent bill amount? How detailed should a KBA system be without intruding into users' privacy? How acceptable is this method as a means of authentication? And lastly, is KBA quantifiable? (Hastings, N.E. & Dodson, D.F. 2004).
Therefore, staying within the scope of this project, predictions are based on two broad criteria: usability, that is the ease of use of KBA, and comparison with other authentication methods such as the traditional text-based password, which is discussed in the following paragraphs.
1. The Ease of Use
This aims at evaluating not only the usability of the new KBA system but also the challenge-response questions themselves: how memorable the answers to the KBA questions are, and how much time answering them consumes.

Hypothesis I:
It is hypothesised that 90% of users would prefer fewer than four questions during authentication, while 10% would prefer more than four.
Please rank the following statements according to your preference, from the most preferable (1) to the least preferable (3), with zero (0) for I don't know:

1. Question Index I don't know
I prefer more than four questions during authentication 3
I prefer four questions during authentication 2
I prefer less than four questions during authentication 1




Hypothesis II:
Regarding the challenge-response questions, it is predicted that 50% of users would find the questions easy to answer within the time frame (i.e. weekly), 40% would find them difficult, 10% would find them neither difficult nor easy, and 0% would answer I don't know. The reason is that, in terms of memorability, users tend to forget the answers to secret questions over a period of time, defeating KBA as a method of authentication (Lowry, S.).

Please rank the following statements according to your preference, from the most preferable (1) to the least preferable (3), with zero (0) for I don't know:
2. Question Index I don't know
I found the questions easy to answer
I found the questions difficult to answer
I found the questions neither easy nor difficult to answer


Hypothesis III:
This cannot be determined in advance; it depends on individual experience and memorability.
Please rank the following statements from the one you found the most correct (1) to the one you found the least correct (3):
3. Question Index I don't know
I think it is difficult to remember the correct number of friends added last week
I think it is difficult to remember the correct number of status updates done last week
I think it is difficult to remember the correct number of pictures added last week




Hypothesis IV:
It may be predicted that 80% of users would report taking more than one minute, 5% less than one minute and 15% more than five minutes. In terms of time consumption it may be assumed that more time is required to answer the challenge questions than to enter a six-character text-based password (Lowry, S.).
Please rank the following statements from the one you found the most correct (1) to the one you found the least correct (3):
4. Question Index I don't know
It took me less than one minute to answer the challenge questions
It took me more than one minute to answer the challenge questions
It took me more than five minutes to answer the challenge questions




2. Comparison with other Authentication Methods
This is the most crucial and sensitive criterion on which the experimental hypotheses are based. It aims at testing the feasibility of KBA, especially dynamic KBA that uses questions and answers for verification of identity, and whether it is worth adopting as a means of authentication compared with other methods such as traditional text-based passwords and bank card and PIN (Personal Identification Number).
Hypothesis V:
This gives an idea of the number of users that were successfully authenticated by the new KBA system and those that were not. It may come as a surprise that half of the legitimate users could fall under the category "I was able to register but not authenticated", due to their inability to remember the correct answers within the time frame (Just, M. 2004), while the statement "I was able to register and authenticated" also stands a 50% chance. Finally, none (0%) are expected to fall under the remaining categories "I was not able to register" or "I don't know".


Please rank the following statements from the one you found the most correct (1) to the one you found the least correct (3):

5. Question Index I don't know
I was not able to register
I was able to register but not authenticated
I was able to register and authenticated


Hypothesis VI:
It is hypothesised that the traditional password is likely to have the highest percentage. Findings have shown that traditional passwords are the most commonly used form of user authentication and require no specialised hardware or training (Kent, S. 2003). KBA follows, because the questions generated on the fly are simple and easy to remember, while bank card and PIN is ranked last, but not least, simply because it requires specialised hardware coupled with the use of a Personal Identification Number (PIN).
Please rank the following methods of authentication from the one you found the easiest (1) to the one you found the most difficult (3):
6. Question Index I don't know
Knowledge-based authentication system 2
Traditional text-based passwords 1
Bank card and PIN at an ATM machine 3









Hypothesis 7a:
It is predicted that traditional passwords stand a better chance, the reason being that the new KBA method has only recently come into the limelight and is not yet widely deployed, compared with traditional passwords, which have existed for a long time (eWeek.com).

Please rank the following methods of authentication according to your preference, from the one you found more preferable (1) to the one you found less preferable (2) to use:
7a. Question Index I don't know
New KBA system 2
Traditional text-based passwords 1


Hypothesis 7b:
If KBA does not have the highest percentage of preference, then it is predicted to be 50-50. Although KBA is not yet widely deployed, it is becoming increasingly common. Also, out-of-wallet questions are memorable and their answers change with time, yet they are difficult for attackers to guess, while passwords, the most commonly used form of authentication, have been found to be the source of many system security problems (Yan, J., Blackwell, A., Anderson, R. & Grant, A.).

Please rank the following methods of authentication according to your preference, from the one you found more preferable (1) to the one you found less preferable (2) in terms of security/trust for other applications such as a banking system:

7b. Question Index I don't know
New KBA system
Traditional text-based passwords







The Survey Questionnaire

Cover Letter
Dear Participant,
You may know that I am researching for a Master's thesis at Portsmouth University on Knowledge-based Authentication using questions and answers. It is hoped that the results of this survey will be of practical use to us.
It would be of great help if you could spare a few minutes to take part in the experiment and complete the survey questionnaire, even if you are unable to log in. Please ask if you need any further details.
Thank you for your help at this busy time.
Yours sincerely,
Caroline T. Ayodele




General Information
Username
Email Address


Please rate (Agree = 1; Disagree = 2; I don't know = 0)
Question Agree Disagree I don't know
1. Would you agree to your personal data held in our database being used for your authentication?

Please rate (Agree = 1; Disagree = 2; I don't know = 0)
Question Agree Disagree I don't know
2. Before now, I had heard of Knowledge-based Authentication (KBA)



Please rank the following statements according to your preference, from the most preferable (1) to the least preferable (3), with zero (0) for I don't know:
3. Question Index I don't know
I prefer more than four questions during authentication
I prefer four questions during authentication
I prefer less than four questions during authentication


Please rank the following statements according to your preference, from the most preferable (1) to the least preferable (3), with zero (0) for I don't know:
4. Question Index I don't know
I found the questions easy to answer
I found the questions difficult to answer
I found the questions neither easy nor difficult to answer



Please rank the following statements from the one you found the most correct (1) to the one you found the least correct (3), with zero (0) for I don't know:
5. Question Index I don't know
I think it is difficult to remember the correct number of friends added last week
I think it is difficult to remember the correct number of status updates done last week
I think it is difficult to remember the correct number of pictures added last week


Please rank the following statements from the one you found the most correct (1) to the one you found the least correct (3), with zero (0) for I don't know:
6. Question Index I don't know
It took me less than one minute to answer the challenge questions
It took me more than one minute to answer the challenge questions
It took me more than five minutes to answer the challenge questions


Please rank the following statements from the one you found the most correct (1) to the one you found the least correct (3), with zero (0) for I don't know:
7. Question Index I don't know
I was not able to register
I was able to register but not authenticated
I was able to register and authenticated


Please rank the following methods of authentication from the one you found the easiest (1) to the one you found the most difficult (3), with zero (0) for I don't know:

8. Question Index I don't know
Knowledge-based authentication system
Traditional text-based passwords
Bank card and PIN at an ATM machine





Please rank the following methods of authentication according to your preference, from the one you found more preferable (1) to the one you found less preferable (2) to use, with zero (0) for I don't know:

9a. Question Index I don't know
New KBA system
Traditional text-based passwords


Please rank the following methods of authentication according to your preference, from the one you found more preferable (1) to the one you found less preferable (2) in terms of security/trust for other applications such as a banking system, with zero (0) for I don't know:

9b. Question Index I don't know
New KBA system
Traditional text-based passwords

Comment:

PROJECT SUMMARY
Problem Statement
The shortcomings of the alternative authentication systems are well established. Passwords and tokens have been shown to be vulnerable to identity theft, guessing and man-in-the-middle attacks, while biometrics are expensive and require dedicated tools or devices. An alternative that has seen extensive application in commerce, financial services and government is knowledge-based authentication. Although there is reluctance to adopt KBA for some applications as a result of its own limitations, KBA remains appealing since it offers several advantages over other authentication methods such as passwords and biometrics. Firstly, no prior relationship needs to be established between a claimant and a verifier (Chen, Ye, Liginlal & Divakaran 2007). The information (factoids) is selected from different public records or proprietary sources, where knowledge about legitimate users has usually been acquired from previous transactions, for example an insurance quote, mortgage payments or a conference registration. This not only promotes centralisation and federation, but also helps to shift the responsibility for maintaining the databases from verifiers to knowledge sources. Secondly, KBA systems are less expensive to implement and maintain, especially in cases involving infrequent transactions such as those between a consumer and government (Howard, S. 2004). Finally, since KBA authenticates claimants on the basis of knowledge they already have, it enhances users' convenience. For instance, recalling the name of the high school one attended takes less effort than remembering an eight-digit password. This helps to avoid the limitations inherent in password-based authentication, such as writing down passwords, in other words "password hell" (Sasse, M. A., Brostoff, S. and Weirich, D. 2001).
In spite of the advantages of KBA, a number of challenges still stand in the way of its successful implementation. Problems identified in recent research include a lack of theoretical foundation and systematic metrics, and the absence of consistent implementation guidelines (Chokhani 2004).
Another fundamental problem has arisen from the looming dearth of KBA data sources. Traditional KBA systems used public records or proprietary data sources where knowledge about legitimate users had been acquired from previous transactions. However, sources of public records are shrinking. Several governments (Canada, some U.S. states and some European countries) have banned the use of public records for commercial or private purposes. Such legislation now limits the sources of data for true dynamic knowledge-based authentication implementations (Hastings, N.E. & Dodson, D.F. 2004).
More importantly, the ever-growing popularity of social networking sites, and the ease with which people share personal data or make it available online, blurs the line between information that is really private and information that is public. The majority of today's college students and recent college graduates maintain an account at some social networking site, such as Facebook, MySpace or LiveJournal. These sites allow users to expose structured information about themselves, such as their educational background, age, birthday and friends, via their personal profiles. This information can immensely help attackers seeking to falsely authenticate (Rabkin, 2008). The dynamic nature of the interaction on social networking sites also means that some dynamic data is disclosed spontaneously and may be used by "friends" to defraud a KBA authentication system.
This project set out to study the effect of these changing demands on dynamic knowledge-based authentication and to evaluate its strengths and flaws using a prototype system that uses one of the most popular social networking sites, Facebook, as its data source.

Aims And Objectives
A dynamic knowledge-based authentication system that uses questions and answers, drawn from a public record in real time, for verification of identity is expected to offer better performance and reliability.
This feasibility study aims to examine and evaluate the strengths and flaws of KBA in a ubiquitous web age with regard to the security and usability of this authentication method, and to produce a solution that gradually replaces the current dependency on passwords, using questions and answers as the basis of authentication.
To achieve this aim, several objectives have been identified and will be followed closely so as to meet the set target:
• Study existing research developments and directions relevant to the successful completion of the project;
• Identify and design a dynamic knowledge-based authentication system that uses dynamic questions and answers;
• Implement an experimental authentication system that uses questions to verify identity, that is, a dynamic KBA system that authenticates a user in real time via a third-party system, namely the popular social networking site Facebook. Also implement a connection to a database holding participants' Facebook records, together with the creation of an initial database that may be used for future work;
• Test the new experimental KBA system by conducting surveys with real users, i.e. recruit and administer a survey to at least 50 participants who are computer literate and have exposure to different authentication schemes;
• Investigate dynamic KBA by analysing its strengths and weaknesses using the experimental results, based on user perception and experience during the experiment;
• Identify and measure relevant performance metrics of the new authentication system by using an attack model to estimate the success rate and failure rate, such as the level of confidence and the quality of the KBA results of the new dynamic KBA system implemented;
• Test the feasibility of the new dynamic KBA system by comparing it with traditional text-based passwords using the experimental results.
Overview
This research work begins by reviewing related work and concepts in user authentication, especially knowledge-based authentication, in chapter 2, followed by the design and general overview of the new dynamic KBA system in chapter 3. Chapter 4 presents the methodology adopted to explore the new authentication method and the adversarial models for attack, while chapter 5 evaluates the results of the experiments and survey and analyses the usability and security issues relating to the authentication method on the basis of the experimental results.

HYPOTHESES
To commence the project methodology, basic hypotheses are proposed on several aspects of the experiments and user survey. These hypotheses represent informed assumptions about the expected outcome of the results. The overall expectations centre on two broad areas: the usability and the security of the authentication method.
USABILITY: This aims at evaluating not only the usability of the new KBA system but also the challenge-response questions. Usability testing of authentication solutions is relatively recent, and there has been very little study of the usability of challenge-question systems, especially in environments closely related to those found in practice today. This work builds upon the following criteria identified by Just (2004) for the usability of challenge questions, which reflect the testing of earlier studies:
• Applicability - The question should be applicable, or relevant, to users. For example, the question "What was the name of your first pet?" would not be applicable to users who have never owned a pet. This criterion applies only to administratively generated questions (and not to user-generated questions).
• Memorability - The answer to the question must be easy to recall. Since the purpose of challenge questions is to aid the recall of already-known information, a key criterion is that the answers to the questions are memorable by (at least a significant portion of) users.
• Repeatability - A subset of memorability: the answer to a question needs to be repeatable. This typically refers to two aspects. First, the syntax of the answer should be repeatable over time. Second, the original answer to the question is required. For example, in response to the question "Who is my favourite actor?", the user is not being asked to provide their current favourite, but rather their favourite when they first registered the question, and such preferences can change over time.



Authentication Experiment I
Authentication is done by contacting the third-party system (that is, the social networking site Facebook) and comparing the answers provided by the user against the retrieved values in real time. If the user answers a minimum of three of the four questions correctly, access is granted; otherwise access is denied. In addition, to reflect the KBA system's tolerance, each question carries a different weight, as follows:
• How many friends do you have on Facebook? - 10%
• How many status updates have you made in the last one week? - 30%
• How many pictures have you added in the last one week? - 30%
• How many videos have you posted in the last one week? - 30%
A week runs from Monday to Sunday. Answering all four questions correctly signifies 100% authentication, while the minimum acceptance threshold is 70%. With these weights any three correct answers score at least 10% + 30% + 30% = 70%, while two correct answers score at most 60%, so the two formulations of the rule agree.
However, users are expected to answer questions 2, 3 and 4 correctly, because these questions concern activities the user actively carried out and are therefore easier to remember than question 1, which asks for the total number of friends; remembering that figure requires a very good memory.
Participants: The new dynamic KBA system was designed and built mainly for active internet users, specifically Facebook users. The participants can be divided into two subgroups: university students who regularly use authentication methods and possess a Facebook account, and active internet users who visit the social networking site on a regular basis.
Our study design was similar to that of Everitt et al. (2009), where participants were sent emails when it was desired that they perform a login. For our purposes, this approach had the potential to be more effective since all participants read email; it also gave us the opportunity to control the frequency of logins to the system.
100 participants were targeted, but inevitable factors such as email bounce-backs and the response rate could not be ruled out. Eventually, sixty-one volunteers (36 male, 25 female, aged between 21 and 43) participated in the experiment. The link to the experimental system and survey was distributed via email and an internet survey using the Surveypirate software. Initially, a pre-notification letter was sent to all the participants, followed by a survey email containing the link to the experiment.
Participants were provided with basic information about KBA and the experiment as a whole, with the aim of accustoming them to the concept of a dynamic KBA that authenticates users from a public record in real time, especially since they had to provide their Facebook username and password in order to authorise the Facebook application during the login session. Participants were already familiar with other authentication methods such as passwords, tokens and biometrics and had sufficient knowledge of computer and internet usage. None of the participants had any known pathological memory deficit.

Authentication Experiment: Attack Models
In an attempt to evaluate the security strength of the KBA system, two attack models, a naïve attack and a strategic attack, were adopted and a separate experiment was implemented for each.
Experiment II: Naïve Attack
A naïve attack in this project is regarded as a weak attack attempt carried out by an attacker with limited information about a subject's authentication credentials. A naïve attacker can only make random guesses or resort to shoulder surfing; the attacker is not expected to have access to the users' credential database, nor to possess sophisticated algorithms for mining user authentication data from a database. Sasse, Brostoff & Weirich (2001) refer to these as lunchtime attacks, where the attackers are mostly people known to the user, such as friends or work colleagues, and where social pressure can prevent users from practising security-conscious behaviour in the presence of colleagues or friends, or can lead them to share that information inadvertently through their trail of activity on social networking media.
To study the naïve attack, two participants who are known to each other as friends, and are also connected as friends on Facebook, are paired and asked to attempt a login into the DKBA account of their partner. The participants are made aware of the fields required for login into the KBA system, because only one attempt is allowed per attack: the KBA system reveals the correct answers after every attempt, so a second attempt would no longer be a guess. Allowing a single attempt may appear counterintuitive given the popularity of the "three strikes and you're out" password policy, but most lunchtime attacks are done hurriedly, and upon failure most naïve attackers would not attempt again immediately, for fear of a lockout or of being caught. In addition, since four questions are used in the authentication process, the main interest is the percentage of correct guesses per attempt by the naïve attacker. The attack process is repeated over a four-week period.
To conduct the attack, the participants first log in to Facebook to provide the connection to their reference data, as described in the main experiment. The attacking partner then attempts a login to the KBA system. If the attacker's score reaches or exceeds the 70% threshold (any three questions answered correctly), the attack is counted as successful, and the success rate of logins is recorded. A total of 20 naïve attacks were studied.

Experiment III: Strategic Attack
In this experiment a strategic attack is carried out on the login account of a legitimate user using richer information sources than the naïve attack. The attacker is allowed to browse the user's information on Facebook and related social networking media that may help in exploiting the victim's login information. Because the authentication credentials are dynamic, the attacker is also encouraged to keep abreast of the user's changing profile with a view to subsequent attacks. However, due to the limited time frame of this experiment, no specialised data-mining algorithms were designed to crawl user information from the web.
The strategic attacker focuses on one user over a period of four weeks, and an attack is attempted once a week in the presence of the project owner. Five (5) dedicated strategic attackers were recruited over the four-week period to attack identified users. This approach is similar to that of Kim et al. (2010).
The results of Experiment I over a 6-week period (the counts sum to 366 logins):
4 of 4 questions correct = 56 (15.30%)
3 of 4 questions correct = 202 (55.20%)
2 of 4 questions correct = 75 (20.50%)
1 of 4 questions correct = 24 (6.50%)
0 of 4 questions correct = 9 (2.50%)
The results of Experiment II (naïve attack) over a period of 4 weeks, 23 attack attempts in total; success rate (3 or more correct) 17.40%:
4 of 4 questions correct = 0 (0.00%)
3 of 4 questions correct = 4 (17.40%)
2 of 4 questions correct = 5 (21.70%)
The results of Experiment III (strategic attack) over a period of 4 weeks, 5 attempts per week; success rate 60%:
4 of 4 questions correct = 3 (15.00%)
3 of 4 questions correct = 8 (45.00%)
2 of 4 questions correct = 9 (40.00%)
1 of 4 questions correct = 0 (0.00%)
0 of 4 questions correct = 0 (0.00%)
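The following Python, added here as analysis and not part of the original report, recomputes the rates above from the histograms and sweeps the acceptance rule from "4 of 4" down to "2 of 4" correct, pairing the legitimate acceptance rate of Experiment I with the false-accept rate of the naïve attack in Experiment II. The dictionaries hold the counts listed above; Experiment II lists only the 4-, 3- and 2-correct buckets, so its total of 23 attempts is passed explicitly rather than summed.

```python
from fractions import Fraction

# Counts listed above, keyed by the number of questions answered correctly out of 4.
EXPERIMENT_I = {4: 56, 3: 202, 2: 75, 1: 24, 0: 9}   # legitimate logins, 6 weeks
EXPERIMENT_II_NAIVE = {4: 0, 3: 4, 2: 5}            # naive attacks, 4 weeks
EXPERIMENT_II_ATTEMPTS = 23                          # stated total; 1- and 0-correct buckets not listed


def total_attempts(hist, attempts=None):
    """Histogram sum, or an explicit total when only some buckets are listed."""
    return sum(hist.values()) if attempts is None else attempts


def accept_rate(hist, min_correct, attempts=None):
    """Fraction of attempts that answered at least min_correct of 4 correctly,
    i.e. the share a 'min_correct of 4' rule would accept."""
    accepted = sum(n for k, n in hist.items() if k >= min_correct)
    return Fraction(accepted, total_attempts(hist, attempts))


def bucket_percentages(hist, attempts=None):
    """Percentage of attempts in each bucket, rounded to two decimals."""
    n = total_attempts(hist, attempts)
    return {k: round(100 * c / n, 2) for k, c in hist.items()}


def percent(fraction):
    """Fraction -> percentage rounded to two decimals."""
    return round(100 * float(fraction), 2)


def threshold_sweep(legit, attack, attack_attempts=None):
    """For each candidate rule 'k of 4 correct', pair the legitimate acceptance
    rate with the attacker's false-accept rate. Lowering k raises both."""
    return {k: (accept_rate(legit, k), accept_rate(attack, k, attack_attempts))
            for k in (4, 3, 2)}


if __name__ == "__main__":
    sweep = threshold_sweep(EXPERIMENT_I, EXPERIMENT_II_NAIVE, EXPERIMENT_II_ATTEMPTS)
    for k, (legit, naive) in sweep.items():
        print(f"{k} of 4 correct: legitimate accepted {percent(legit):5.2f}%, "
              f"naive attacker accepted {percent(naive):5.2f}%")
```

Recomputing Experiment I from the counts gives 6.56% and 2.46% for the 1- and 0-correct buckets where the list above shows 6.50% and 2.50%, and 70.49% of logins meeting the 3-of-4 rule. The sweep also shows why the rule should not be relaxed: accepting 2 of 4 would lift legitimate acceptance to about 91%, but would more than double the naïve attacker's success from 4 of 23 to 9 of 23 attempts (about 39%).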

CONCLUSION AND RECOMMENDATIONS
Project Review
This chapter reviews the overall project and draws conclusions from the results and analysis obtained from the experiments. It also outlines suggestions for future work. The goal of this research work was to examine and evaluate the strengths and flaws of a dynamic KBA system that uses questions and answers. The project objectives were met, as discussed below. A dynamic KBA experimental system was designed and implemented by integrating it with the popular social networking site Facebook as its proprietary data source: a system that authenticates users in real time via a third-party system, which was further tested with real users. Three experiments were conducted to test the feasibility of KBA based on the following metrics: usability, memorability, effectiveness, efficiency and security strength.
Experiment 1 aimed at the overall usability of the proposed authentication system and compared the authentication method with popular text-based traditional passwords by surveying users' perception and experience. At the end of experiment 1, 72 participants had completed the authentication phase; only 61 participants completed both the authentication and the survey phases. The result of experiment 1 indicates success, as the success rate exceeded the preset threshold of 70% with an acceptable error rate of 30%. This result shows that it may be feasible to authenticate users in real time using public records. It was also found that participants preferred fewer questions, although many commercial recovery systems rely on only one question, as argued in the previous research; this finding validated the decision to use four questions during authentication. Users also preferred answers consisting of digits/numbers, or answers that remind them of recent activities. This supports the strength of DKBA in terms of memorability and raises hopes for dynamic KBA: since the user is actively involved in the activity, the answer may be easier to remember, and the answers to the questions are not fixed. These findings demonstrate that while KBA cognitive passwords are easy for users to recall, they are difficult for others to guess.
Another objective was to test the performance metrics of the authentication system. This was achieved using two attack models, the naïve attack and the strategic attack. Experiments 2 and 3 reviewed the performance metrics of the new system using these attack models. The naïve attack has a success rate of 0.17, while the strategic attack has a discouraging success rate of 0.6, which can be recorded as a flaw on the side of KBA. This is due to the availability of personal information and users' willingness to share it. Also, search technology today is improving rapidly and can be unpredictable. As a result, the prospects for KBA (question-based authentication) today appear dim. The results suggest that KBA as a standalone system is not a very strong technique (despite the dynamic KBA used) but can be used within a multifactor authentication (MFA) system, that is, together with other authentication techniques such as biometrics, and even usernames and passwords.
Overall the project can be considered a success, since all objectives were achieved; nonetheless, there were loopholes on the side of KBA. The database log showed that it takes a user an average of approximately two minutes to complete both the setup and the authentication phase, although this is much shorter than the time reported by Bellflower (2010). Some concerns have arisen in the use of cognitive passwords, as using the system takes longer than a traditional single-password method. That is, the time needed for a user to enter his or her user ID and a single password of not less than six characters ranges from 5 to 7 seconds. With the cognitive password mechanism, more data must be keyed into the system, which leads to more comparisons; this raises the entry time to around one and a half minutes, most of which is spent keying in the series of four requested answers. Nevertheless, the memorability, usability and acceptability of the proposed authentication system may outweigh these concerns.
This project has been challenging and at the same time rewarding. Various technical skills and knowledge have been acquired. The major challenge in the implementation of this project was the choice of challenge-response questions whose answers are dynamic, which can be considered the backbone of the whole research work. Another challenge was the time constraint: more time is really needed to fully ascertain the feasibility of this authentication technique, as observed in previous studies. Also, coordinating and monitoring participants, and having to be present during every attack session over a period of six weeks, was very demanding.
6.1 FUTURE WORK
Due to the time constraint, the following are recommended for future work. Firstly, the challenge-response questions should be selected at random, the order of the questions should vary for each authentication session, and multiple forms of the same question should be used, so as to prevent scripted and manual threats.
Although the naïve and strategic attack models were used in this project to ascertain the security strength of the proposed system, the analysis of data can be improved by conducting follow-up research on other attack models that make use of sophisticated algorithms to attack the KBA system. This may also suggest possible modifications to the design of the proposed dynamic KBA that will make it stronger and able to withstand harder attacks.
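One way the first recommendation could be implemented, as an added Python example that is not part of the project's code: a question bank keyed by what the server actually verifies, with several equivalent phrasings per question, from which each session draws a random subset in a random order. The phrasings, the bank layout and the fifth question (added so that selecting four questions actually varies) are constructed for illustration; a system-entropy random source is used so that the selection cannot be predicted by a script.

```python
"""Random selection, random ordering and multiple phrasings of KBA questions.

Added example, not the project's own code. The question texts and the
fifth question are constructed for illustration.
"""
import secrets

# Question identifier (what the server checks against the data source) ->
# equivalent phrasings shown to the user. Constructed sample bank.
QUESTION_BANK = {
    "friends_added": [
        "How many friends have you added in the last one week?",
        "In the past seven days, how many new friends did you add?",
    ],
    "requests_received": [
        "How many friend requests have you received in the last one week?",
        "Over the past seven days, how many friend requests came in?",
    ],
    "status_updates": [
        "How many status updates have you done in the last one week?",
        "In the past seven days, how many times did you update your status?",
    ],
    "pictures_added": [
        "How many pictures have you added in the last one week?",
        "Over the past seven days, how many photos did you upload?",
    ],
    # Constructed extra question so that choosing four of the bank varies.
    "comments_made": [
        "How many comments have you written in the last one week?",
        "In the past seven days, how many comments did you post?",
    ],
}

_rng = secrets.SystemRandom()   # OS entropy, not the predictable default PRNG


def build_session(bank, n_questions):
    """Return a list of (question_id, phrasing) for one authentication session.

    Question ids are distinct (a session never asks the same thing twice under
    two phrasings), the phrasing of each is chosen at random, and the order
    is random because SystemRandom.sample returns ids in random order."""
    if n_questions > len(bank):
        raise ValueError("not enough distinct questions in the bank")
    ids = _rng.sample(list(bank), n_questions)
    return [(qid, _rng.choice(bank[qid])) for qid in ids]


def session_is_valid(bank, session, n_questions):
    """Server-side sanity check on a generated session: right size, distinct
    question ids, and every phrasing really belongs to its question id."""
    ids = [qid for qid, _ in session]
    return (len(session) == n_questions
            and len(set(ids)) == n_questions
            and all(qid in bank and text in bank[qid] for qid, text in session))


def order_varies(bank, n_questions, trials=100):
    """True if repeated sessions do not always present the same id sequence."""
    seen = {tuple(qid for qid, _ in build_session(bank, n_questions))
            for _ in range(trials)}
    return len(seen) > 1


if __name__ == "__main__":
    for qid, text in build_session(QUESTION_BANK, 4):
        print(qid, "->", text)
```

Storing the bank by identifier matters: the answer is verified against the identifier, so a phrasing can be reworded or added without touching the comparison logic, and a scripted attacker that pattern-matches on exact question text gains nothing.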
Conclusion
This project has described a novel technique which enables users to authenticate to a system using a dynamic authentication method in real time. The proposed system was built taking into consideration issues relating to KBA metrics such as guessability, memorability and perceived security, and striking the balance between security and memorability.
The empirical and theoretical studies have revealed that participants were able to authenticate over a period of six weeks using the dynamic KBA system with a successful authentication rate of 70% and a low error rate of 30%. The high acceptability rate over traditional passwords, as revealed by the survey result, indicates a better chance for dynamic KBA as a replacement for static KBA and passwords.
However, the high error rate in experiment 3 (strategic attack model) signifies that the potential of KBA appears gloomy due to the public availability of personal factoids through social networking sites and the increase in the speed and sophistication of search technologies such as the new Google Instant search.
Overall, the outcome of both the empirical and the theoretical study suggests that dynamic KBA may not be strong as a standalone system but may be effective, and can supersede traditional passwords, if deployed as a multi-factor authentication (MFA) method. This study further provides an insight into the design of the new authentication system and establishes a foundation for empirical and theoretical follow-up work in the area of KBA.









