Enhanced knowledge based authentication using iterative session parameters

Current Knowledge Based Authentication (KBA) schemes have been subjected to increasing criticism of late due to the realization that many of the secret questions being used are easily compromised. That is, normally a user’s secret questions are based on personal details and personally related facts (which we term personal factoids). Often these facts are easily deduced by other entities that are able to gather information about the target user in question. Therefore, our research has been focused on enhancing the KBA process by using factoids not based on personal details. This paper provides the details of a novel scheme we have designed and tested that uses past session parameters in an iterative fashion as the basis for future KBA questions. To date the scheme has proved effective when used in conjunction with an initial registration process that verifies a user’s trusted email address and mobile/cell phone number.