W3C home > Mailing lists > Public > public-wsc-wg@w3.org > April 2007

Shared Public Knowledge

From: <michael.mccormick@wellsfargo.com>
Date: Wed, 11 Apr 2007 18:47:23 -0500
Message-ID: <8A794A6D6932D146B2949441ECFC9D6802B4D38A@msgswbmnmsp17.wellsfargo.com>
To: <public-wsc-wg@w3.org>
I had to drop off the line for a few minutes at the top of the hour during this morning's meeting.  Regrettably that moment came during the Lightning Discussions just as Chuck Wade was responding to MEZ's presentation on Shared Public Knowledge (SPK).  By the time I rejoined to discussion had moved on to the next topic.

What I would have said given the opportunity is that Chuck is 100% right.  In our industry this battle has been fought many times and I see little good coming from taking a hard line against all online use of SPK.

Many US companies rely on services provided by the likes of Choicepoint & Acxiom to perform Knowledge Based Authentication (KBA) or Out of Wallet Authentication (OOWA) of consumers in certain situations, especially in cases where no prior business relationship exists between the FI and said consumer.

These KBA systems typically ask a series of randomly chosen multiple choice questions designed to score a user's knowledge of semi-private information about himself or herself.  Examples might include "What model car do you drive"? or "What’s the amount of your monthly mortgage payment?".  A determined criminal could undeniably obtain this information from public sources, perhaps even use it to impersonate others, but that doesn't mean there is no legitimate use case for KBA.

A blanket prohibition against KBA is unnecessary and would never be accepted.  Asking the user enough SPK based questions is not an unreasonable authentication technique as long as the associated risk is low, or when SPK is only being used to supplement some other credential for extra assurance.

The much maligned Mother's Maiden Name is an example of weak KBA … but much stronger ones are possible using the enormous databases of personal data that are available from brokers today.  So I think the SPK "anti-pattern" would benefit from being softened a bit to acknowledge there's a place for it under certain conditions.

Thanks, Mike

>Michael McCormick, CISSP
>Lead Architect, Information Security Technology
>Wells Fargo Bank
>255 Second Avenue South
>MAC N9301-01J
>Minneapolis MN 55479
>*>>	612-667-9227 (desk)		* 	612-667-7037 (fax)
>(	612-590-1437 (cell)		:-)	michael.mccormick@wellsfargo.com (AIM)
>*	612-621-1318 (pager)		*	michael.mccormick@wellsfargo.com
>
>“THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS FARGO"
>This message may contain confidential and/or privileged information.  If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein.  If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message.  Thank you for your cooperation.
>
Received on Wednesday, 11 April 2007 23:47:25 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:46 GMT