Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…

The Death of KBA; Secret life questions fluster Obamacare applicants

by Avivah Litan  |  October 23, 2013  |  2 Comments

Just as we predicted (actually it didn’t take a rocket scientist to predict this), KBA (knowledge-based authentication, i.e. secret questions about life history used to validate an identity) has been a flop on the Obamacare exchange websites, adding insult to injury. The topic even made its way to the human interest story on the front page of today’s Wall Street Journal, which documented how Americans needing health care insurance couldn’t satisfactorily answer the secret life history questions needed to pass the electronic application process. After all, who can remember the color of their first bicycle when they can’t even remember what they did two weeks ago, as one interviewee in the article recounts.

KBA is on life support. It was already ineffective, and now everyone knows it’s been compromised systematically by some of the most organized criminal gangs around. (See blogs.gartner.com and krebsonsecurity.com and krebsonsecurity.com.)

Experian, LexisNexis, Kroll, Dun & Bradstreet and other breached data brokers must be furiously trying to dig themselves out of this hole. Frankly, I feel for them, because securing the food chain of clients that have access to this sensitive data is a very tall task. And securing the systems against advanced threats is an equally tall task.

But at a minimum, they may want to stop selling identity theft protection services to consumers. It seems to be a conflict of interest, don’t you think?

As for the government and the healthcare exchanges, all they had to do was ask around and they could have easily avoided this latest disaster.


2 responses so far

  • 1 Anil John, October 24, 2013 at 11:42 am

    Fully agree that the use of KBA for identity proofing and the compromises at the data brokers are a bad thing, and that it affects many online interactions that require higher assurances of identity.

    At least in the U.S., an alternative in the long term may very well be using Government Agencies (whether at the Federal or State/Tribal level) who are tasked with identity establishment (i.e. already manage vital records) as authoritative sources. But there are significant policy, politics and process barriers around that, so that is not a near term option.

    In order to not classify this under the TBU (True But Useless) category, I am interested in understanding what you would propose as an alternative to KBA for remote identity proofing particularly at LOA 2 and LOA 3.

  • 2 Avivah Litan, October 24, 2013 at 10:38 pm

    Hi, I have a research note on that, which defines Four Layers of Identity Proofing. Are you a Gartner client? I can send you the note. There are many different measures that can be employed to gain assurance.

    Also in terms of KBA, not all KBA information has been compromised. For example, questions based on internal customer/account information (if it exists) are more effective and successful and presumably still confidential.

    Thanks for the feedback.