1. The answer cannot be easily guessed or researched [Safe]
2. The answer doesn’t change over time [Stable]
3. The answer is memorable [Recall-ability]
4. The answer is definitive or simple [Simplicity]

Good criteria to remember next time you are deciding between “What is your pet’s name?” and “What was the name of your first stuffed animal?”.

Of course, the service you are interacting with needs to allow you to choose from a large enough set or supply your own questions so you can adhere to this principle. And a highly sensitive application should go beyond just plain security questions. While most services are moving towards simpler yet more secure mechanisms – emailing the user short-lived password reset tokens, for instance – there are many cases where you still need a challenge-based mechanism (like when the forgotten password is the one used to access your email).

Knowledge-Based Authentication has gotten increasingly sophisticated over the last few years, and enterprises looking to leverage this can do better than just providing their users a few hard-coded questions to choose from. Oracle Adaptive Access Manager 11g brings features like Answer Logic (which employs fuzzy logic to increase the usability of security questions) and One-Time Passwords (delivered via SMS, email, IM or voice) into the mix, while also adding real-time risk analytics to make the overall process more secure, reliable, usable and cost-effective.

And all of this is delivered as a service so that enterprises can incorporate KBA into their various applications as needed. In fact, as part of the suite-wide integration design theme of Oracle Identity Management 11g, OAAM now has out-of-the-box integrations with Oracle Identity Manager and Oracle Access Manager. So if you deploy the suite, the real-time risk analytics and risk-based challenge mechanisms of OAAM are automatically leveraged by those other products. It is a sweet thing to behold.

Even as we sound out the call to kill passwords (an NPT for passwords; I like that), KBA will continue to be a critical tool in the identity proofing arena. So keep an eye out for all the innovation that will take place in this field.

Tags: Identity Proofing, Knowledge-Based Authentication, OAAM, OIM, Oracle Identity Management, Oracle Identity Management 11g, Password Management, Password Recovery Techniques, Security Questions, Service-Oriented Security

In a nutshell, here is what happened as I understand it: A hacker named Hacker Croll (who has been a pain in Twitter’s behind for a while now) was able to gain access to the Gmail accounts of various twitter employees, including founder Evan Williams. He was then able to use the regular password-recovery techniques that rely on email-based mechanisms to gain access to other services being used like Paypal, GoDaddy, Amazon and Apple. But most notably, he had access to the Google Docs service that the Twitter folks were using extensively to store sensitive corporate documents. This landed Hacker Croll a goldmine (that has been shared with TechCrunch) of documents, including “financial projections, product plans and notes from executive strategy meetings”. Twitter has a lot to deal with here. But this is an important IdM and Cloud Computing related cautionary tale for all of us. And the takeaways, while obvious, bear repeating.

This episode underscores the fact that password recovery techniques that rely on email delivery of passwords or password-reset links are highly insecure. Secret question based mechanisms (aka Static Knowledge-Based Authentication) are not that much more reliable either (anyone and everyone can find out the name of any celebrity’s first car, dog, mother’s maiden name, etc). Services that deal with sensitive information NEED to rely on Dynamic Knowledge-Based Authentication (where the data source for the authentication questions could be the content stored in the service itself, which only the users should have knowledge of) or Out-Of-Band Identity Proofing (something Oracle Adaptive Access Manager can help with).

As more and more companies rely on the cloud, the security of cloud services (or lack thereof) needs to be evaluated very carefully, as will corporate security policies on access to those services. Strong passwords need to exist not only on the service access, but also on the accounts that have access to the service. Ideally, the service provider should support Multi-Factor Authentication and federated identity and authentication for higher identity assurance by corporate clients. And encryption of sensitive documents and data is a must. Cloud service providers need to understand the implications of entering the enterprise market, and that includes deploying enterprise-grade identity management and security technology.

Unfortunately this event will sow doubts in the minds of those that are considering using cloud-based services. Which is why we have to work hard to define the standards cloud services need to live up to. As Michael Arrington so bluntly put it:

It’s not our fault that Google has a ridiculously easy way to get access to accounts via their password recovery question. It’s not our fault that Twitter stored all of these documents and sensitive information in the cloud and had easy-to-guess passwords and recovery questions.

That is quite plainly an unacceptable state of affairs.

Tags: Cloud Computing, OAAM, Oracle_IDM, Password Management, Password Recovery Techniques