Knowledge Based Verification - Complexity, v3.0
The requirements for sufficient complexity when performing Knowledge Based Verification.
Assessment Steps (10)
1
Entropy (Entropy)
Does the KBV process ensure the information transacted has sufficient entropy? Simply put, calculate the odds of random answers passing the test and make sure the chance of this happening is less than 1 in 1 million.
Artifact
Documentation
Provide policies, practices, or existing security audit reports indicating conformance.
|
2
Questions (Questions)
Does the KBV process present a minimum of four questions?
Artifact
Documentation
Provide policies, practices, or existing security audit reports indicating conformance.
|
3
Multiple Choice (MultipleChoice)
Do all multiple choice questions have a minimum of four answers? If only free-form questions and answers are used, this step is passed. Free-form questions and answers are preferred; in case it is not obvious, the minimum question count, if all questions are multiple choice, would not achieve the entropy requirement.
Artifact
Documentation
Provide policies, practices, or existing security audit reports indicating conformance.
|
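As an added example that is not part of this assessment, the following Python calculates the Entropy step's "odds of random answers passing" for a whole KBV session and shows why the Multiple Choice step's note holds (four four-option questions fall far short of 20 bits, especially with three attempts each). It assumes a guesser who picks uniformly among equally plausible answers and never repeats a guess; `Question`, `answer_space` and the constructed designs are this example's own names, not terms from SP 800-63A.

```python
import math
from dataclasses import dataclass

# SP 800-63A 5.3.2 floor: 20 bits, i.e. a random guesser passes with
# probability at most 2**-20 (about 1 in 1,048,576).
MIN_ENTROPY_BITS = 20

@dataclass(frozen=True)
class Question:
    """One KBQ as seen by a random guesser (assumed model, not the standard's).
    answer_space: equally plausible answers (4 for a four-option multiple-choice
                  question; an estimate for a free-form question).
    attempts: distinct guesses allowed on this question (SP 800-63A: at most 3).
    """
    answer_space: int
    attempts: int = 1

    def guess_probability(self) -> float:
        if self.answer_space < 1 or self.attempts < 1:
            raise ValueError("answer_space and attempts must be positive")
        # k distinct guesses among n equally likely answers succeed with
        # probability k/n, capped at 1 once every option can be tried.
        return min(self.attempts, self.answer_space) / self.answer_space

def guess_success_probability(questions: list[Question]) -> float:
    """Probability that a random guesser passes every question in the session."""
    p = 1.0
    for q in questions:
        p *= q.guess_probability()
    return p

def entropy_bits(questions: list[Question]) -> float:
    """Entropy of the whole session: -log2 of the odds of passing by guessing."""
    return -math.log2(guess_success_probability(questions))

def meets_entropy_requirement(questions: list[Question],
                              minimum_bits: float = MIN_ENTROPY_BITS) -> bool:
    return entropy_bits(questions) >= minimum_bits

if __name__ == "__main__":
    # Constructed designs for illustration, not any real provider's KBV.
    designs = {
        "4 x 4-choice, 1 attempt each": [Question(4)] * 4,
        "4 x 4-choice, 3 attempts each": [Question(4, 3)] * 4,
        "4 x free-form (~32 plausible answers), 3 attempts": [Question(32, 3)] * 4,
        "4 x free-form (~1024 plausible answers), 3 attempts": [Question(1024, 3)] * 4,
    }
    for name, qs in designs.items():
        print(f"{name:52s} {entropy_bits(qs):6.2f} bits  meets floor: {meets_entropy_requirement(qs)}")
```

Four four-option questions with three attempts each give only about 1.66 bits; the free-form designs show how much larger the plausible answer space must be before the 20-bit floor is reached.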
4
Max Attempts (MaxAttempts)
Does the KBV process restrict the number of attempts to pass?
Artifact
Documentation
Provide policies, practices, or existing security audit reports indicating conformance.
|
5
Timeout (Timeout)
Does the KBV process terminate if a response is not provided within 2 minutes? (This is critical so that an attacker does not have time to research the answers.)
Artifact
Documentation
Provide policies, practices, or existing security audit reports indicating conformance.
|
6
Restart (Restart)
Does the KBV process require a complete restart if terminated prematurely?
Artifact
Documentation
Provide policies, practices, or existing security audit reports indicating conformance.
|
7
Minimize Diversionary (MinimizeDiversionary)
Does the KBV adequately avoid diversionary questions (questions with answers such as 'none of the above' or 'all of the above')?
Artifact
Documentation
Provide policies, practices, or existing security audit reports indicating conformance.
|
8
No inference (Noinference)
Does the KBV avoid revealing information in some questions that would allow inferring answers to other questions?
Artifact
Documentation
Provide policies, practices, or existing security audit reports indicating conformance.
|
9
No Doxing (NoDoxing)
Does the KBV avoid revealing PII about the applicant (not already revealed via the application process) so as to not reveal the identity of the applicant? (This is important so the KBV process itself could not be used by an adversary to dox someone.)
Artifact
Documentation
Provide policies, practices, or existing security audit reports indicating conformance.
|
10
Dynamic (Dynamic)
Does the KBV avoid questions that have static/permanent answers? (For example, 'What was your first address?' instead of 'What was your address when...?')
Artifact
Documentation
Provide policies, practices, or existing security audit reports indicating conformance.
|
Conformance Criteria (11)
Entropy
KBQ/KBA SHALL be composed so as to ensure that the information transacted has at least 20 bits of entropy;
Citation
SP800-63A
Section 5.3.2 P5
|
No Doxing
ensure that any KBV question does not reveal PII that the applicant has not already provided, nor personal information that, when combined with other information in a KBV session, could result in unique identification.
Citation
SP800-63A
Section 5.3.2 P5
|
Dynamic
KBQ/KBA SHALL be composed dynamically and NOT use KBQ for which the answer is in any way static.
Citation
SP800-63A
Section 5.3.2 P5
|
Questions
a minimum of four KBQ SHALL be presented and each question SHALL
Citation
SP800-63A
Section 5.3.2 P5
|
Multiple Choice
have a minimum of four possible answers of which only one SHALL be correct; OR
Citation
SP800-63A
Section 5.3.2 P5
|
Free Form
prefer responses which are not based on a selection from a pre-determined list, i.e. free form responses.
Citation
SP800-63A
Section 5.3.2 P5
|
Max Attempts
a maximum of three attempts to answer each question SHALL be permitted;
Citation
SP800-63A
Section 5.3.2 P5
|
Timeout
the KBV session SHALL terminate if no attempt has been made to submit a response to a question within 2 minutes;
Citation
SP800-63A
Section 5.3.2 P5
|
Restart
termination of a session SHALL require a complete re-start of the KBV process;
Citation
SP800-63A
Section 5.3.2 P5
|
Minimize Diversionary
the presence of 'diversionary' questions in the set of possible responses SHALL be minimised;
Citation
SP800-63A
Section 5.3.2 P5
|
No inference
no question SHALL provide the Applicant the opportunity to infer answers to any other KBQs in any subsequent session;
Citation
SP800-63A
Section 5.3.2 P5
|