NIST SP 800-63B, Digital Identity Guidelines, provides advice on passwords and password standards. Why does the guide recommend that knowledge-based authentication like “What was your mother’s maiden name?” not be used for processes like password reset and recovery?
Answer Options
A. Users may not remember the answer.
B. Knowledge-based authentication information is often easily discovered through searches and social media.
C. Knowledge-based authentication information is not a valid factor for MFA.
D. Attackers can easily recover knowledge-based information from compromised authentication stores.
Correct Answer: B
Explanation
Knowledge-based authentication information is often easily available via social media or searches, so using it as part of a password recovery process is problematic for organizations. Users will typically remember the answers to knowledge-based authentication questions. While knowledge-based authentication isn't typically used for multifactor authentication, something you know is a legitimate factor. Knowledge-based authentication information could be recovered from compromised organizations, but this is not a common threat model.