By Monica Hesse
Washington Post Staff Writer
Sunday, October 7, 2007
Please select and provide answers for three of the following questions:
What is your mother's maiden name?
What street did you grow up on?
What was your middle school mascot?
What color was your father's Chevy in 1988?
When you dinged that Chevy, what was the cost, in dollars and cents, of the repair, and which REO Speedwagon song was playing at the mechanic's?
Who are you?
Thank you. You will be directed to your account shortly.
* * *
Knowledge-based authentication. This is the security system used by financial institutions to determine whether users are who they say they are. Developed in the 1990s, it's now a $57 million business online -- up from $22 million in 2006, according to industry research firm Aite Group -- employed by big names like Vanguard, Wachovia, Bank of America and Mellon.
But the method, designed to be a simple and effective Q&A, has philosophical repercussions.
Like this one:
Katie Flahive was born in a town called Chillicothe, pronounced "Chill-uh-coth-ee." Her family moved when Flahive was small; she never bothered to nail down the spelling. "My father always said I'd have to use that information later in life. I couldn't imagine when." When arrived with the security question, "What city were you born in?" Now Flahive wonders: Did she spell it correctly when she created the account? Which wrong version did she use? Chillucothy? Chillicotheeeee? It's almost existential. Where is she from, anyway?
What makes a piece of trivia memory-worthy? In the limited brain space allotted for memory, how do we decide what to shelve and what to pitch? And are those decisions made through thoughtful reflecting on what is meaningful to us? Or are they made when a financial institution commands us with a security question?
* * *
Through an online demo, Verid is telling me who I am. Verid is the division of security firm RSA that specializes in knowledge-based authentication, and this is the latest technique to stay a step ahead of clever identity snatchers. Verid is good at what it does; its clients include JPMorgan Chase and E*Trade Financial. Verid knows my cellphone number. It knows that I grew up on McClun Street. It knows that my mother got remarried, to a man named Don Carlson.
Verid, whose tech offices are located in Herndon, is making sure that I know this information, too, by presenting it to me in the form of multiple-choice questions:
What month was Augusta Hesse born in?
A) May B) August C) October D) I do not know this person.
I don't know her. For sure. Unless, hold on -- is that my great-grandma? Didn't she have a name that started with an A? But would they expect me to know my great-grandmother's birthday? She died when I was 8!
I am sorry, Verid, sorry that I am the weakest twig in my family tree.
I didn't choose the question. Unlike traditional shared-knowledge authentications, in which the user picks the test and the answer and regurgitates it with each sign-on, Verid vacuums public records for factoids, then tosses them at the user at random.
Other samples from the demo:
Which of the following cities does [Person X] live in?
Which of the following age ranges most closely matches the age range of [Person Y]?
What color is your [Car Z]?
What height is on your driver's license?
It's the newest wave of authentication. If someone attempts a "high-risk" transaction with one of Verid's clients -- like accessing an account from a public computer at 2 p.m. rather than their typical 7 p.m. laptop log-in -- they might be hit with one of Verid's tests. RSA also has a division that develops traditional shared-knowledge questions.
With the exception of that last question (which, if your wallet's not handy, requires racking your brain to remember how baldfaced your last height lie was), most of the tests work exactly as they're supposed to: minimal brain energy for the authentic user, confusion for the fraudster.
Creating each question is a blend of art and science called Human-Computer Interaction, a field of computer science dedicated to making computers more attuned to a person's needs.
"Computers are like very dumb people, but they're very fast at being dumb," says Jason Hong, a professor at Carnegie Mellon's Human-Computer Interaction Institute (HCII). "They can immediately perform any task we tell them how to do. But they're not robust" -- meaning they're easily susceptible to crippling errors. Humans are very robust. We learn. We have clarifying conversations to help us out: When you ask what city Person X lives in, do you mean his summer home or his winter home?
Humans are equipped with both intuition and life experience, which allow them to know, for example, that Don, Donny and Donald Carlson are all the same person, as are Kim, Kimmy and Kimberly Smith. At the same time, we would realize that Kim Min-ho was not short for Kimberly. Kim in that context is a Korean surname.
Hong and his colleagues work to improve this quality in computers. (For the Kim problem, a massive database with thousands of names might be used to train the computer to recognize cultural distinctions.)
It's a mirror trick. Computer scientists use human experience to teach computers how we think. Then the computers use that information to test who we are.
Verid knows more than some people would feel comfortable with, which COO Chris Rickborn understands. "We don't want the consumer to feel like they're divulging information," he says. "They're just verifying information the company already has."
The evaluation process is entirely automated and done on a curve. Verid would expect you to know what city your brother lives in. It will cut you some slack if you can't remember the name of his ex-wife's niece's husband, or the address you lived in for three months 10 years ago.
It's like a graded "This is Your Life: Online Edition." It's a way of taking you back to places you once lived, people you once associated with, things you once bought. It's a five-minute refresher course in what it has meant to be you, with parameters defined by a security company and its algorithms.
But what if you fail that course, blanking on an address/name/car color? Not to get all Woody Allen, but does that mean you're not you? Or are you just missing out on the things that all people are supposed to remember?
Augusta Hesse. I really don't know her.
* * *
So you can't remember your first boyfriend. So what. What does that even mean, anyway? Do they want the guy you kissed in eighth grade during that awkward game of Seven Minutes in Heaven? Or the guy who took you to "Crocodile Dundee" a year later? Stupid question.
But what if this is a situation where the whole is greater than the sum of its parts -- not affecting us individually but impacting society as a whole? When the memories we are expected to have become codified, they can work as an indirect commentary on what kind of lives we should lead.
David Rubin is a professor of psychological brain sciences at Duke University who studies the way we develop autobiographical memory. He is, he says, a complete failure at security questions. "They ask me about the homecoming queen but I went to an all-boys school. We didn't have one. I can't remember what we called my childhood goldfish. The city I was born? Too easy. You ever heard my [Boston] accent, you could figure out that one."
The problem, Rubin says, is that security questions are geared toward people who have led "picket fence" lives -- married high school sweethearts, never divorced, never left home towns. These people have stable memories because they are surrounded by the cues that cement recollections. Remembering your favorite childhood treat is easy when you still drive past the Steak 'n Shake every afternoon.
But most people's lives are messy, filled with spouses who ask for divorces, pets who die, best-friends-forever who move away only to be replaced with new best-friends-forever.
Most companies try to keep their questions as universally applicable as possible -- or to provide a wide range of options for people who aren't married, don't have children, didn't attend college. Daniel Levitin, who studies cognitive psychology at McGill University, speculates that so many questions refer back to adolescence because raging hormones make us perceive events from that period as particularly important.
But even those universal questions are not so universal. Wachovia's security question team is a geek squad not of cognitive psychologists but of computer programmers and risk management specialists. They're great with security. But as Levitin points out, "The kind of person becoming a computer programmer is not necessarily representative. They might think a reasonable question is, 'Who was Mr. Spock's second cousin?' "
At Carnegie Mellon's HCII, Hong says, there is a frequently repeated motto: "The user is not like me." "When we look at how we can use technology in homes to aid families, it's really easy to think, 'Well, I grew up in a family. I know what it's like,' " Hong says. "But then you start designing for your specific needs."
No one is going to be representative of everyone. We all remember the things that we personally find important.
And so if you don't share the same values as the question writers -- if you never went to a basketball game, if you didn't have a best man at your wedding -- then what? "We feel guilty when we learn that a lot of people remember something that we don't," Levitin says. "It's a strange part of our national psyche. Even as we're rugged individualists, we want to fit in."
So, being good humans, we learn things. We learn that we are supposed to remember our middle school mascots. That we are supposed to clear away brain shelf space for our homecoming queens -- even if we weren't personally invited to homecoming.
Picture that dinged-up Chevy of your father's. Maybe it's easy, because maybe it was important to you. Maybe you remember not only the exterior paint job but also the color of the seats in the back, and how the vinyl stuck to your legs the first time you kissed your girlfriend, who is now your wife.
But even if you never got lucky in the back seat, even if you only borrowed that car one time, remember the car anyway. Because even if that Chevy doesn't seem like it affected who you are, you never know when the information might be used to determine . . . who you are.