A recent healthcare experience pointed out issues with both security questions and knowledge-based authentication used to associate my account with my in-person activities.
I recently had some lab work done in connection with my annual physical examination, and as I have many times in the past, went to a nearby Quest Diagnostics center to have my blood drawn. What was new this time was that in the usual email asking me to answer a survey on my experience, Quest now offers the opportunity to view my test results. I get this information from my doctor, but thought I’d check it out.
The email had a link to their website, but the personalization of the link appears to only be used for tracking responses; it redirected me to a generic registration site. This means that they missed the opportunity to use the email link to get some additional assurance about who I am.
The registration page was minimal, with standard password rules and only two “security” questions:
What was disappointing was the availability of only 5 fairly standard prompts, with question 2 using the same ones (with the chosen prompt eliminated). The questions had the usual problems, ranging from ability to make an educated guess to low entropy (particularly in the case of father’s date of birth).
Following the account setup there was an attempt at identity proofing using dynamic knowledge-based authentication (dynamic KBA). I was asked the last 4 digits of my social security number (apparently to confirm who I claimed to be in the event of a name collision), which I declined to provide. I was then presented with three multiple choice questions, with 5 choices per question:
The answer to the first question, of course, is on LinkedIn. The former address in the second would have been easy to obtain from the Internet Archive. The third answer could have been determined by someone who knew where I grew up, since they’re assigned geographically. Or they could just guess.
Once I completed this, my account was set up. I was particularly unimpressed with the weak dynamic KBA. The best I can say is that I’m glad I created my account so nobody else could do so.