
Navigating Obsolescence: The Key Pain Points of Legacy Authentication in Business

In the face of increasingly sophisticated attacks by fraudsters, legacy knowledge-based or two-factor authentication is a liability for your business – not only is it easy to hack, but it also creates friction and frustration for your legitimate users. At best that means lost revenue, at worst lost customers.

Author: Chris Hooper, Director of Brand at Veriff.com
September 8, 2023
Tags: Fraud, Finserv, Fraud Prevention

Knowledge-based authentication

As the name suggests, knowledge-based authentication uses things that only the relevant authorized person should know to control access to an account or service (passwords are technically a form of KBA).

Static KBA

This involves a previously agreed set of shared secrets, usually in the form of questions and answers such as “what was the name of your first pet”.

Dynamic KBA

This is based on questions from a wider base of personal or privileged information and does not require the individual to have provided answers beforehand. Questions can be created from a range of publicly available data such as credit records and personal information available online, so don’t need to be based on an existing relationship with the customer.

Unfortunately, knowledge-based authentication is fatally flawed: it is easy for fraudsters to overcome and a source of friction for legitimate users. In fact, Forbes announced the death of knowledge-based authentication as long ago as 2018, pointing out that a Google study found fewer than half of users could remember what they had put down as their favorite food a year earlier. Meanwhile, hackers could guess the correct answer to the same question almost 20% of the time (pizza, anyone?).

While dynamic KBA may be slightly more secure than static KBA, its reliance on information that fraudsters can access with relative ease still makes it highly vulnerable. What’s more, the broader nature of the potential questions creates even more friction and frustration for users.

Two-factor authentication

Two-factor authentication is an electronic authentication method which requires a user to present two different pieces of evidence before being allowed access. Evidence requested should be of two different types from a possible three: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). Sometimes a third-party authenticator (TPA) is used, which is an app that randomly generates a one-time passcode to use as the secondary piece of information. Other systems send a passcode via an SMS text message.

Two-factor authentication aims to be more secure than knowledge-based authentication, since an unauthorized user can no longer get in simply by stealing or guessing a password or a piece of personal information. Unfortunately, it is also highly vulnerable to bad actors.

This is due to something we call the collapsed user experience. Two-factor authentication is designed to create separation between the activity, such as buying an item in a webstore or accessing your bank account, and the secondary factor used for authentication. But now that we do so many of these things on our cell phones, the secondary factor is often supplied from the same device we’re using for the primary activity. As a result, if the device has been hacked or compromised, a fraudster has control over both elements.

A more sophisticated solution

If your business is still using legacy authentication, your security measures are probably less sophisticated than the methods fraudsters are using to try to access your clients’ accounts. As a business, you should assume bad actors know the limits of your approach to security and treat that as your baseline.

An effective fraud prevention strategy should layer multiple solutions and be built around a constantly evolving approach. For example, with biometric authentication it doesn't matter if a fraudster can intercept a one-time password sent to a customer – they can’t access the person’s face and present it live on camera as part of a verification session.

Other features, such as liveness detection and real-time user feedback, can promote increased safety without slowing down the process and causing friction in the user experience. Meanwhile, the application of machine learning to the reams of data collected in authentication sessions can constantly fine-tune your approach. Together these solutions can minimize the ROI for fraudsters and drive them to seek easier prey – potentially your competitors who are still using legacy authentication!

Fraud Education Center

To learn more about online fraud and how Veriff can work with you to minimize the risk to your business from the activities of bad actors, visit our Fraud Education Center.
