QID Project
Knowledge-Based Authentication
The research will use the history of contact between students and the university as the basis for authentication questions.
The shared context provides a wide variety of questions on topics such as enrolment year, degree course, tuition payments and parking permits for cars or bicycles. Authentication questions drawn from this history would be convenient for the user and, because each session can draw a different subset of questions from a large pool, less predictable than a static password. This method of authentication has been used commercially by the consumer credit industry for more than 10 years. Currently, knowledge-based authentication software is typically bundled with the reference consumer credit data provided by the vendor, so there is a lack of affordable and robust stand-alone solutions. The research will investigate the following issues, which must be resolved in order to design and implement a strong knowledge-based authentication software package:
- Selection of configurable authentication parameters, including the number of attempts, the number of attempts within a given period, the number of questions per session and the threshold success level.
- Strategy to fine-tune the tolerance range for authentication answers (for example, how far a stated amount or date may deviate from the record and still be accepted).
- Algorithm to randomise order and selection of questions.
- Strategy for selecting suitable static and dynamic user data that has sufficient coverage of target user population.
- Methods to identify and cope with potential problems due to language comprehension.
- Strategy for coping with rate of change in user population and corresponding user data (especially students).
- Designs that minimise time to generate questions.
- Metrics to measure confidence level and quality of authentication results.
- Metrics to measure system performance.
- Designs to detect and defend against known attack methods such as automated bots, store-and-replay of captured sessions, and denial of service.
- Methods to protect personal information at both server and remote computers.
- Strategy for managing privacy and discrimination issues.
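As an added example (not code from the QID project), the following Python sketch shows how the configurable parameters, the tolerance range, the randomised question selection and the store-and-replay defence listed above could fit together in one session engine. The question bank, the KBAService/KBAConfig names, the sample student record and the choice of a one-time session nonce are assumptions made for this illustration only.

```python
"""Added example of a knowledge-based authentication (KBA) session engine.
Not the QID project's code; all names, questions and records are assumed."""
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Question:
    key: str                 # attribute of the user record the question asks about
    prompt: str
    kind: str                # "exact" (text) or "numeric"
    tolerance: float = 0.0   # absolute tolerance accepted for numeric answers


# Constructed question bank mirroring the contact history described above.
QUESTION_BANK = [
    Question("enrolment_year", "In which year did you first enrol?", "numeric", 0),
    Question("degree_course", "Which degree course are you enrolled on?", "exact"),
    Question("last_tuition_payment", "How much was your last tuition payment?", "numeric", 50.0),
    Question("parking_permit", "What is your car parking permit number?", "exact"),
    Question("bicycle_permit", "What is your bicycle permit number?", "exact"),
]


@dataclass
class KBAConfig:
    questions_per_session: int = 3
    threshold: int = 2                  # correct answers required to pass
    max_attempts: int = 5               # lifetime cap on failed sessions per user
    max_attempts_per_period: int = 3    # failed sessions allowed per period
    period_seconds: float = 600.0


@dataclass
class KBAService:
    config: KBAConfig
    records: dict                                   # user_id -> attribute dict (constructed)
    _rng: secrets.SystemRandom = field(default_factory=secrets.SystemRandom)
    _sessions: dict = field(default_factory=dict)   # nonce -> (user_id, [Question])
    _failures: dict = field(default_factory=dict)   # user_id -> [failure timestamps]

    def _rate_limited(self, user_id, now):
        hist = self._failures.get(user_id, [])
        recent = [t for t in hist if now - t < self.config.period_seconds]
        return (len(hist) >= self.config.max_attempts
                or len(recent) >= self.config.max_attempts_per_period)

    def start_session(self, user_id, now=None):
        """Pick a random subset of answerable questions, in random order, bound to
        a fresh one-time nonce. Returns None if the user is rate limited or the
        record lacks enough attributes to fill a session (insufficient coverage)."""
        now = time.time() if now is None else now
        record = self.records.get(user_id)
        if record is None or self._rate_limited(user_id, now):
            return None
        candidates = [q for q in QUESTION_BANK if q.key in record]
        if len(candidates) < self.config.questions_per_session:
            return None
        chosen = self._rng.sample(candidates, self.config.questions_per_session)
        nonce = secrets.token_urlsafe(16)
        self._sessions[nonce] = (user_id, chosen)
        return nonce, [q.prompt for q in chosen]

    def _check(self, q, truth, answer):
        if q.kind == "numeric":
            try:
                return abs(float(answer) - float(truth)) <= q.tolerance
            except ValueError:
                return False
        # Constant-time, case- and whitespace-insensitive comparison for text answers.
        return hmac.compare_digest(str(truth).strip().lower().encode(),
                                   str(answer).strip().lower().encode())

    def answer_session(self, nonce, answers, now=None):
        """Score a session. The nonce is consumed on first use, so a stored copy of
        the challenge/response exchange cannot be replayed later."""
        now = time.time() if now is None else now
        session = self._sessions.pop(nonce, None)
        if session is None:
            return {"ok": False, "reason": "unknown or replayed session"}
        user_id, chosen = session
        answers = list(answers)[:len(chosen)] + [""] * max(0, len(chosen) - len(answers))
        record = self.records[user_id]
        correct = sum(self._check(q, record[q.key], a) for q, a in zip(chosen, answers))
        ok = correct >= self.config.threshold
        if not ok:
            self._failures.setdefault(user_id, []).append(now)
        return {"ok": ok, "correct": correct, "asked": len(chosen), "confidence": correct / len(chosen)}


def run_demo():
    """Honest user, replay of a captured session, and a guessing attacker."""
    records = {"s123": {"enrolment_year": 2019, "degree_course": "BSc Computer Science",
                        "last_tuition_payment": 4625.00, "parking_permit": "P-88213"}}
    svc, out = KBAService(KBAConfig(), records), {}
    prompt_key = {q.prompt: q.key for q in QUESTION_BANK}
    honest = {"enrolment_year": "2019", "degree_course": "bsc computer science",
              "last_tuition_payment": "4605", "parking_permit": "p-88213"}   # within tolerance
    nonce, prompts = svc.start_session("s123", now=0.0)
    answers = [honest[prompt_key[p]] for p in prompts]
    out["honest"] = svc.answer_session(nonce, answers, now=1.0)
    out["replay"] = svc.answer_session(nonce, answers, now=2.0)       # rejected
    for i in range(KBAConfig().max_attempts_per_period):                # attacker guessing
        n, ps = svc.start_session("s123", now=10.0 + i)
        out[f"guess{i}"] = svc.answer_session(n, ["?"] * len(ps), now=10.0 + i)
    out["locked"] = svc.start_session("s123", now=20.0)                 # None: rate limited
    out["after_period"] = svc.start_session("s123", now=700.0)          # allowed again
    return out


if __name__ == "__main__":
    print(run_demo())
```

The threshold here is a plain count of correct answers; a deployment would replace it with the weighted confidence metric the project proposes, and the failure list would live in shared storage so the per-period limit also holds across several front-end servers.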
Knowledge-based authentication could be useful to other organisations that have sufficient contact with their user population to develop a suitable set of authentication questions.