A Look at Verid's Knowledge Based Authentication
Verid recently announced a deal with RSA Security to incorporate Verid's KBA (Knowledge Based Authentication) solution into RSA's "adaptive authentication" product suite. Glenbrook's Carol Coye Benson spoke yesterday with Kevin Watson, Chairman & CEO of Verid, to learn more about KBA and the company.
The term KBA is used for a variety of authentication practices, all of which use some form of challenge-response to determine if the person being authenticated can correctly answer one or more questions: the questions can be based on shared secrets (mother's maiden name, etc.) or data from internal or external sources.
KBA has had a somewhat rocky road: early shared-secret versions ran into problems ranging from consumer memory lapses to compromised secrets, and questions drawing on external and internal databases have at times triggered consumer confusion, concern, or even outrage ("hey, how did you know that?").
Despite these problems, KBA has considerable advantages over other forms of authentication. KBA puts relatively low demands on consumers, and anecdotal evidence supports a growing belief that consumers like it - and feel that it increases their transaction security.
Verid's claim is that they have "kicked it up a notch" by avoiding shared secrets entirely and instead drawing on a wide array of external data sources - some relatively easily available, and others which require stringent purpose qualifications. Then, Verid adds a layer of intelligence - ensuring that the question or questions posed to the consumer are appropriate to the transaction and the transaction risk. Moreover, Verid avoids the use of financial history or other sensitive (e.g. healthcare!) questions. A sample question might be: "what color was the Toyota you drove in 2002?".
Our take? This seems uniquely suited to use by the "authentication engine" that banks - and online merchants - are beginning to put in place. Everyone seems to recognize that there is no authentication silver bullet, and that different consumers and different transactions will require different practices.
Dropping in a transaction-appropriate challenge response when a risk filter is triggered will be relatively straightforward to do, and we suspect that for many transactions it will be very effective. Also, this solution has the advantage of being usable on either online or telephone channels - which meets an emerging requirement on the part of many banks.
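As an added illustration (not Verid's or RSA's code), here is the flow the preceding paragraphs describe: a risk filter that, when triggered, drops in a KBA challenge drawn from external, non-shared-secret data, sized to the transaction risk, with financial and healthcare categories excluded. The customer records, risk weights, thresholds and attempt limit are constructed assumptions.

```python
import hmac
from collections import namedtuple
# Question categories the article says Verid avoids entirely.
EXCLUDED_CATEGORIES = {"financial", "health"}
STEP_UP_THRESHOLD = 50   # assumed: challenge when the risk score reaches this
MAX_ATTEMPTS = 3         # assumed: lock the flow after this many failed tries
# Constructed stand-in for external data sources: (category, prompt, answer).
EXTERNAL_RECORDS = {
    "cust-0001": [
        ("vehicle", "What color was the Toyota you drove in 2002?", "Blue"),
        ("residence", "On which street did you live in 1999?", "Elm Street"),
        ("financial", "What was your 2003 mortgage balance?", "150000"),
        ("health", "Which clinic did you visit in 2004?", "City Clinic"),
    ],
}
# channel is "online" or "phone"; the same challenge works on either.
Transaction = namedtuple("Transaction", "customer_id amount new_device channel")

def risk_score(tx):
    """Toy risk filter; the signal weights are assumptions for illustration."""
    return ((30 if tx.amount >= 500 else 0) + (40 if tx.new_device else 0)
            + (10 if tx.channel == "phone" else 0))

def select_questions(tx):
    """Challenge set sized to the risk (assumed: two questions from 80 up),
    never drawing on the excluded categories."""
    eligible = [r for r in EXTERNAL_RECORDS.get(tx.customer_id, [])
                if r[0] not in EXCLUDED_CATEGORIES]
    return eligible[:2 if risk_score(tx) >= 80 else 1]

def normalize(answer):
    """Case- and whitespace-insensitive form, as bytes for compare_digest."""
    return " ".join(answer.lower().split()).encode()

def verify(tx, answers, attempts_used):
    """Return 'allow', 'deny' or 'locked'; every answer is compared so that
    neither short-circuiting nor timing reveals which question failed."""
    if attempts_used >= MAX_ATTEMPTS:
        return "locked"
    if risk_score(tx) < STEP_UP_THRESHOLD:
        return "allow"          # low risk: no challenge is posed at all
    questions = select_questions(tx)
    if not questions or len(answers) != len(questions):
        return "deny"           # no data to ask about, or wrong answer count
    results = [hmac.compare_digest(normalize(exp), normalize(given))
               for (_, _, exp), given in zip(questions, answers)]
    return "allow" if all(results) else "deny"
```

A customer with no usable external data is denied here rather than waved through; a real engine would fall back to another factor at that point.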
The challenge for Verid - and for RSA - will be to get the pricing right. Too high a fee will limit its application to occasional transactions, and pave the way for the use of other authentication solutions. Too low a fee - well, we're not worried about that!