Knowledge based Authentication Techniques and Challenges

Knowledge-based Authentication (KBA) is an authentication approach that verifies a user's identity when accessing services such as financial websites. KBA requests specific information to prove the personal identity of the account owner. This paper discusses the challenges faced by KBA techniques. Memorability is the main obstacle in KBA, since users tend to choose simple passwords or reuse the same password across services, a practice that causes problems with compliance with security policies. Furthermore, the technique of combining username and password is considered another important challenge of KBA because it relies on recall-based authentication. The discussion includes a comparative analysis of KBA techniques based on trade-off criteria to support decision making. The results of this study can support organizations in recommending a suitable KBA technique.

Keywords—Knowledge-based authentication; artifact-based authentication; biometric-based authentication; usability; vulnerabilities; memorability; performance; cost


I. INTRODUCTION
Authorization [1,2] is the process of determining rights and ensuring that only authorized rights are exercised. Authentication is verifying the identity of the entity (a user or a device) that intends to access data, resources, or applications. Confirming the identity of an entity establishes a trust relationship for interactions. Authentication [3] also allows accountability, based on the possibility of mapping access links and concurrent actions to identities. Authentication techniques are classified into three essential categories: token-based authentication, biometric-based authentication [4] and knowledge-based authentication [5]. Fig. 1 illustrates the types of user authentication [6], which differ in the core idea each type is based on.
Previous research discusses the different identification and authentication techniques and their key terms, which include protected credentials, identity, password, biometrics, and others [6]. Any system needs to identify its users and authenticate them accordingly, depending on the system's purpose and target population. User authentication is of three types: knowledge-based, artifact-based, and biometric-based. A system that relies on secret user identity information, such as text or image passwords provided by the user at registration or when creating passwords, depends on knowledge-based authentication [7]. A system that relies on an authentication signature or smart cards depends on artifact-based authentication. Furthermore, a system that relies on physical characteristics of the user, such as fingerprints, depends on biometric-based authentication.
This research studies KBA, with specific emphasis on its security and usability challenges [8]. KBA is an authentication approach that looks for evidence to decide whether access to a service is granted. This study discusses the different types of KBA and the requirements of each type. Authentication is necessary in this era of the big data revolution on the internet, which has affected the mode of human communication and the quality of services provided, all of which depend on sharing information. KBA is a popular technique used by the largest population of IT system users, but it faces several challenges.
KBA is known for its simplicity, ease of revocation and legacy deployment, and consists of textual and graphical passwords. Previous studies [9,10] unearth several attacks that enabled attackers to steal users' identities and confidential information. Static KBA and dynamic KBA are the two main types [11,12] of KBA. Fig. 2 presents these types [11], including the main features and examples of each. Static KBA refers to a pre-agreed set of shared secrets such as passwords [13]. Dynamic KBA refers to questions generated from a wider base of personal information, such as registration or verification questions.
In addition, static KBA refers to the process that enables users to choose security questions and provide answers that are stored by an organization to be checked later. Dynamic KBA goes a step further and generates questions that apply only to the intended end user and do not require a previous relationship with the customer. The most used authentication technique is the username and password, which is classified as one of the knowledge-based techniques [14]. The essential reason for the popularity of passwords is that they do not require any special hardware to observe operations in and out of protected areas of the system [15]. According to the literature, KBA was identified as the approach that combines some challenges (i.e., questions) to verify claimed users, where the answers to these challenges come from the users' knowledge [16].
This study discusses the definition, importance, types, techniques, and challenges of KBA. It also explores the KBA techniques, which are usability, memorability, performance and cost, and any combination of them. This paper includes a comprehensive review in the form of a comparative analysis that provides trade-off criteria to help decision makers in organizations select the most suitable KBA technique. This study also mentions recent research trends in this domain.
This paper is organized as follows: Section 2 examines the related work on knowledge-based authentication and its security issues, Section 3 presents the discussion, and Section 4 presents open research challenges of knowledge-based authentication. Finally, Section 5 presents the conclusion and future work.

II. RELATED WORKS
The main goal [17] of a user authentication mechanism is to offer security to information systems. Attackers use several strategies to attack the authentication systems in use. Therefore, schemes must be measured with respect to their vulnerabilities and susceptibility to various attacks, which can reveal an absence of sufficient security in any system that uses a specific scheme. The use of a user identity and password during login is one of the most popular schemes. Knowledge-based authentication (KBA) mechanisms utilize a memorized authentication secret that can be a text password (numbers and characters), a personal identification number (PIN) or a graphical/image password, such as a CAPTCHA. The benefits of traditional passwords are that no specialized personnel, hardware or software is required, they are simple to use, and they are easy to remember. But the same properties cause many problems: passwords are more likely to be exposed to attacks and guessing.

A. Knowledge-based Authentication (KBA)
Knowledge-based authentication (KBA) is best evaluated using criteria that cover both the static and dynamic types (illustrated in Fig. 2). A suitable security question should be acceptable to the largest segment of the population, have answers that are easy to remember, have no redundant answers besides the correct one, and have an answer that is not simple to guess or to find out by searching. Any technique based on KBA depends on four dimensions [18], known as the KBA techniques (illustrated in Fig. 3): memorability, usability, performance, and cost. Previous research focuses on memorability and usability [16,17]; Fig. 3 differs in that it also includes the other collective techniques, performance and cost. Much research and many applications recommend combinations of these techniques to reach a good level of KBA. Memorability refers to saving passwords in the browser. Usability refers to the use of passwords in several applications, which is easily vulnerable to attack. Performance refers to the strength of the password. Cost targets reducing fraud from fraudulent claims. Table I presents a comparative study of several motivating research works in authentication based on authentication type (as in Fig. 1), techniques, and authentication mechanism. This comparison also lists the advantages and disadvantages of these authentication mechanisms and techniques.

B. Knowledge-based Authentication Challenges
Knowledge-based authentication is the main target of study in this research. Fig. 4 presents the challenges of KBA; it covers the two main problems, security and usability, as in [8], but also includes their characteristics, which are divided into six characteristic challenges. Table II summarises these challenges. The two main challenges of KBA are usability and security. Each has several sub-challenges, as follows: the usability challenge includes usability in several applications, management problems, and the domino effect; the security challenge includes security issues, searchable personal data, and privacy. Among all the mentioned challenges of KBA, attacks are the most feared. The challenges are discussed in the following:

1) Security challenge
The main challenge of KBA is how to stay safe from attacks and hacks. The underlying challenge is how to keep personal information, such as the username and password shown in the example of Fig. 5, safe across various domains.
Previous research discusses the state of the art of knowledge-based user authentication mechanisms, classified along two dimensions: security and usability. Security analyses of authentication mechanisms discuss and compare the strength of each mechanism depending on various policies. The main purpose of this analysis is to identify areas for further research and enhanced methodology, with the goal of driving the research towards the design of sustainable, secure and usable authentication approaches. This challenge divides into three parts: security issues of attack types, searching for people's information or identity, and privacy challenges of user accounts. The security challenge is divided into three types, as follows:

(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 11, No. 2, 2020

a. Searchable personal data
Using the same password on different social networks simplifies things for users, but it is considered a challenge because of the repetition and circulation of the password, which can lead to easy attacks or guessing of the password.

b. Security Issues
There are several types of attacks and hacks involving fake accounts or stolen data. Hackers can steal personal data and accounts and sell them to profit from the information. The main security challenge is guessing account passwords. Multiple online and offline password guessing techniques are in use. The well-known method to prevent online guessing is the inclusion of CAPTCHA in systems. The offline method does not need computational power, but it is based on repeatedly guessing and recording passwords many times.

c. Privacy challenges
Privacy is implemented through privacy laws that protect client privacy and aim at controlling access to clients' data. So there is always a need to create verification questions that are not private to users and do not discriminate against specific users, in order to avoid attacks.

2) Usability challenge
Usability is considered a critical challenge in managing user accounts because of the ease of using the same password across several domains and applications. But this is a threat to the safety and confidentiality of data. It includes management problems across various systems, the domino effect across domains, and usability compromises, which manifest in repeatedly used passwords.

a. Management problems
Management has several problems, such as an organization authenticating several users who want to access the system when their passwords and registration questions are similar. There are several conditions for suitable questions, as follows: they do not include default values or texts, and the organization has quick recovery techniques for any sudden attack.

b. Usability compromises
Usability challenges give the user some capabilities. Graphical/audio challenges can be employed. Using the same password on several platforms becomes a risk to user accounts. Users are threatened by attackers guessing usernames and passwords without the user's knowledge. Password guessing is addressed by several policies that also aim to minimize the challenge of password memorability.

c. The domino effects
The cumulative impact introduces a group of similar events. The idiom is best known as a mechanical effect and is used as an analogy to a falling row of dominoes.

C. Knowledge-based Authentication Security Measurements
From previous research, we found that it is very important to find a way to evaluate authentication for various platforms' policies [9,10,29]. The evaluation criteria are built on a combination of three parts: password intensity, guessability percentage rate, and entropy measurement.

a. Password intensity
It refers to the strength derived from the use of characters, numbers, and the length of the password. The password should not be related to the user's name or email. A password's intensity is one of four levels (weak, medium, strong, and very strong).

b. Guessability percentage rate
It refers to the number of guesses an attacker or hacker needs to recover the user's password. This rate depends on the password's guessability parameters, which are used to improve password intensity and protect data.

c. Entropy measurement
It is defined as one of the security measurements for each policy. Entropy refers to the number of random ways users can choose passwords from the given key space, which is related to the hardness of guessing textual passwords.
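The three measurements above, as an added Python example that is not code from the paper: entropy in bits over the character pool the password actually uses, the expected number of brute-force guesses as the guessability figure, the rule that the password must not be related to the name or email, and the four intensity levels. The class pool sizes (printable ASCII), the bit and class thresholds for each level, and the identity-relatedness check are this example's assumptions, not figures from the paper.

```python
import math
import re

# Character classes a password may draw from and the size of each class.
# The pool sizes (printable ASCII) are this example's assumption, not the paper's.
CLASSES = [
    ("lower", re.compile(r"[a-z]"), 26),
    ("upper", re.compile(r"[A-Z]"), 26),
    ("digit", re.compile(r"[0-9]"), 10),
    ("special", re.compile(r"[^A-Za-z0-9]"), 33),
]


def entropy_bits(password: str) -> float:
    """Entropy measurement: log2 of the number of ways a password of this
    length could be chosen from the classes it actually uses."""
    pool = sum(size for _, rx, size in CLASSES if rx.search(password))
    if not password or pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def expected_guesses(password: str) -> float:
    """Guessability: guesses an attacker searching the pool uniformly needs
    on average, i.e. half the key space implied by the entropy."""
    return 2 ** entropy_bits(password) / 2


def related_to_identity(password: str, username: str, email: str) -> bool:
    """The paper's rule that a password must not be related to the user's
    name or email; checks the username and the parts of the email local part."""
    p = password.lower()
    local = email.split("@", 1)[0].lower()
    tokens = {username.lower(), local, *re.split(r"[._-]", local)}
    return any(len(t) >= 3 and t in p for t in tokens)


def intensity(password: str, username: str = "", email: str = "") -> str:
    """Password intensity in the paper's four levels: weak, medium, strong,
    very strong. The bit and class thresholds are an assumption of this example."""
    if related_to_identity(password, username, email):
        return "weak"
    bits = entropy_bits(password)
    classes = sum(1 for _, rx, _ in CLASSES if rx.search(password))
    if bits < 28 or classes < 2:
        return "weak"
    if bits < 40 or classes < 3:
        return "medium"
    if bits < 60:
        return "strong"
    return "very strong"


if __name__ == "__main__":
    for pw in ("password", "Abc123", "Passw0rd", "K9#mvQ2p!xLw"):
        print(f"{pw:14} {entropy_bits(pw):5.1f} bits  {intensity(pw)}")
```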
III. DISCUSSION
Table II presents a comparative study of knowledge-based authentication challenges. It reviews the strengths and weaknesses of each technique and its suitability in different applications.

A. Static
Any system requires a strong password (of fixed length, such as 6 to 8 characters). It has a suitable number of characters, and the password must include special characters and alphabetic letters. It also needs to minimize complexity so that passwords, authentication profiles and questions are easy to remember.

B. Dynamic
Any system needs to be dynamic in creating suitable security questions that relate to large segments of the population. The answers should be easy for users to remember, but each question must have a unique answer, i.e., no redundant answers besides the correct one. The answer to a security question should not be simple to guess or to find out by searching.
Since the main goal of a user authentication mechanism is to improve the security of information systems, attackers apply several strategies to compromise authentication to the system. Passwords face many challenges, including their high susceptibility to exposure, password guessing, and key-loggers. KBA includes the techniques memorability, usability, performance, and cost, and combinations of any of them. Most of the challenges of implementing KBA techniques arise in online services. Analysing and testing strength is also essential in comparing different KBA techniques. The comparison focuses on usability, memorability, security, and performance. The research studies cases of combining different KBA techniques and the resulting framework, its strengths, weaknesses, and applications. Previous research concludes that the security challenge is more important than usability. Several applications need to improve their security systems and authentication rules to protect users and prevent attacks. This improvement might be necessary depending on the KBA security measures.

IV. OPEN RESEARCH TRENDS
This research can motivate researchers and students to improve the performance of their security systems. First, they can work on solving the knowledge-based authentication challenges. For the memorability challenge, research can improve memorability to make passwords easy and simple to use while still adhering to strict rules. Use of the same password on several platforms should never be allowed. For the usability challenge, open research provides important information on how to create passwords and authentication for users based on KBA security measurements [30]. For the security issues challenge, open research moves forward to give information on how to prevent attacks and hacks. Second, dynamic KBA is very difficult to implement and is considered harder than static KBA. Finally, there is no standard reusable model for dynamic KBA that fits the needs of all organizations.

V. CONCLUSION AND FUTURE WORKS
This paper introduces an authentication survey and compares the different types of authentication mechanisms. It discusses the importance of knowledge-based authentication (KBA) from a security perspective. It also examines the challenges of knowledge-based authentication and opens more research areas. This survey concludes that there is a good criterion for knowledge-based authentication based on a textual methodology and on the type of KBA, whether static or dynamic. Textual KBA is the most usable method, although several platforms and studies suggest using image or graphical authentication mechanisms. Textual KBA faces many challenges in being secure and safe from attackers and hackers. KBA includes four techniques: memorability, usability, performance, and cost, and combinations of any of them. The major challenge in implementing KBA techniques lies in online services. Also, strength analysis will be essential in comparing the different KBA techniques.