Who Goes There? Authentication Through the Lens of Privacy. Committee on Authentication Technologies and Their Privacy Implications, Computer Science and Telecommunications Board, Division on Engineering and Physical Sciences, National Research Council of the National Academies. Stephen T. Kent and Lynette I. Millett, Editors.


BOX 5.1
Knowledge-Based Authentication

A form of authentication with similarities to both passwords and challenge/response is knowledge-based authentication. In this case, users present data elements that the verifier can approve on the basis of previous transactions and registration activity. For example, the Internal Revenue Service (IRS) and a number of state revenue agencies have implemented an electronic signature and authentication technique that relies on a taxpayer’s presenting data from the previous year’s transaction. In addition to checking traditional identifying information presented on a tax return, such as the tax identification number and date of birth, these tax authorities have the taxpayer sign a tax return by entering data from the previous year’s tax return. For instance, at the federal level, the IRS electronic authentication program for tax year 2001 allowed the taxpayer to sign his or her return with a self-selected PIN. The IRS verifies the identity of the taxpayer using the self-selected PIN when the taxpayer provides the adjusted gross income (AGI) for tax year 2000. In subsequent years, the taxpayer has the choice of using the same or a different PIN, but must update the AGI data for each previous tax year. By using the data from the previous year’s return, the IRS is able to authenticate the transaction on the basis of knowledge that presumably only the IRS, the taxpayer, and whoever might have prepared the return for the taxpayer possesses. This type of authentication relies heavily on the data in question being kept secure. (Chapter 6 in this report provides more information on electronic authentication in the IRS e-file program and the distinction between electronic signatures and authentication.)
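As an added illustration (not the IRS's or the report's own code), the following hypothetical verifier implements the scheme just described: a self-selected PIN can only be registered by supplying the previous year's AGI, each signature requires both the PIN and that AGI, and the accepted return's AGI becomes next year's challenge value. Because both secrets are short, failed attempts are capped; the tax ids, AGI figures and the MAX_FAILURES limit are constructed values.

```python
import hmac

MAX_FAILURES = 3  # AGI and PIN are short secrets, so cap guesses per tax id


class KnowledgeVerifier:
    # Verifier side of the IRS-style scheme: prior-year AGI plus self-selected PIN.
    def __init__(self, prior_year_agi):
        self.prior_agi = prior_year_agi  # tax id -> last year's AGI (the prior history)
        self.pins = {}                   # tax id -> self-selected PIN
        self.failures = {}               # tax id -> consecutive failed attempts

    def _match(self, expected, claimed):
        # Constant-time comparison; a missing record never matches.
        return expected is not None and hmac.compare_digest(
            str(expected).encode(), str(claimed).encode())

    def _record(self, tax_id, ok):
        if ok:
            self.failures.pop(tax_id, None)
        else:
            self.failures[tax_id] = self.failures.get(tax_id, 0) + 1
        return ok

    def locked(self, tax_id):
        return self.failures.get(tax_id, 0) >= MAX_FAILURES

    def register_pin(self, tax_id, claimed_agi, pin):
        # Choosing a PIN is itself gated on knowing the previous year's AGI.
        if self.locked(tax_id):
            return False
        ok = self._match(self.prior_agi.get(tax_id), claimed_agi)
        if ok:
            self.pins[tax_id] = pin
        return self._record(tax_id, ok)

    def sign_return(self, tax_id, pin, claimed_agi, this_year_agi):
        # Signing needs the PIN and last year's AGI; on success this year's AGI
        # is stored so it becomes next year's challenge value.
        if self.locked(tax_id):
            return False
        ok = (self._match(self.pins.get(tax_id), pin)
              and self._match(self.prior_agi.get(tax_id), claimed_agi))
        if ok:
            self.prior_agi[tax_id] = this_year_agi
        return self._record(tax_id, ok)
```

The lockout is the practical consequence of the box's closing remark: an AGI known to the taxpayer, the IRS and any preparer is a low-entropy shared secret, so the verifier must limit how many guesses it tolerates.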

Similarly, the popular online payment site paypal.com deposits a small amount into a user's bank account and asks the user for the amount deposited. In effect, so-called knowledge-based authentication is a form of password. The crucial difference is that it is communicated to the user via some out-of-band mechanism to which an impostor is presumed not to have access. Additionally, it is assumed that the legitimate user will look up the authenticator rather than know it; this is no different from a conventional password that is written down. The crucial distinction is that knowledge-based technology generally relies on a prior history of contact between the client and the verifier.



Copyright 2003 by the National Academy of Sciences.