DocumentCode
633020
Title
Knowledge based authentication requirements
Author
Skracic, Kristian ; Pale, Predrag ; Jeren, Branko
Author_Institution
Fac. of Electr. Eng. & Comput., Univ. of Zagreb, Zagreb, Croatia
fYear
2013
fDate
20-24 May 2013
Firstpage
1116
Lastpage
1120
Abstract
Published evaluation criteria for knowledge based authentication (KBA) methods do not provide a sufficiently formed framework to use as a guideline during design and testing of KBA methods and tools. The aim of this paper is to define a set of requirements for creating a secure user authentication method based on the user's knowledge. The requirements address four issues in user authentication. The first refers to eavesdropping on an authentication session and using the intercepted information in the next session. By repeating the recorded response, an attacker should not be able to authenticate himself as a legitimate user. The second issue is the ability to predict an authentication challenge by analyzing previous challenges. If an attacker can record a set of challenges over a long period, he should not be able to learn the next challenge beforehand. The third issue is the guessability of correct responses to authentication challenges. In general, multiple sources of information about the user are available to an attacker. The correct response to a challenge should not be obvious from such sources. The fourth issue is the authentication server's vulnerability. By this is meant any information system component that is used to authenticate users. If an attacker manages to gain partial or complete access to the authentication server and its data, the user's digital identity should not be compromised. These four requirements are proposed as a generic checklist against which KBA methods and tools should be checked.
Keywords
knowledge based systems; message authentication; KBA methods; KBA tools; authentication server vulnerability; eavesdropping; generic checklist; information system component; intercepted information; knowledge based authentication requirements; legitimate user; secure user authentication method; user digital identity; user knowledge; Authentication; Dictionaries; Information systems; Keyboards; Knowledge based systems; Servers;
fLanguage
English
Publisher
ieee
Conference_Titel
2013 36th International Convention on Information & Communication Technology, Electronics & Microelectronics (MIPRO)
Conference_Location
Opatija
Print_ISBN
978-953-233-076-2
Type
conf
Filename
6596424