This paper proposes an enhanced knowledge-based authentication (KBA) solution for governmental organizations to improve information security amid increasing cyber threats. The current reliance on username and password schemes exposes weaknesses, so the authors suggest a multi-factor KBA approach that utilizes interactive question-answer techniques tailored to user roles. By doing so, the study aims to bolster user authentication while ensuring usability and privacy in line with Saudi Arabia's Vision 2030 objectives.

1. Developing User Authentication by Knowledge
Based Authentication Scheme in Governmental
Organizations
Ali alkhalifah
Information Technology Department
College of Computer, Qassim University
Qassim, Saudi Arabia
a.alkhalifah@qu.edu.sa
Saleh Albahli
Information Technology Department
College of Computer, Qassim University
Qassim, Saudi Arabia
salbahli@qu.edu.sa
Abstract— Information security plays an important role in
governments. Its realm has been increased nowadays, especially
with resent viruses’ attacks in different governmental
organizations. The authentication is aspect of information
security, its current scheme used nowadays in the systems is
depend on the login by user name and password in addition to
one-time password or traditional secret questions, which in turn
is usually easy to predicate. This paper proposes enhanced
knowledge based authentication solution which ensures and
provides more security and usability levels for governmental
organizations.
Keywords—Authentication; Knowledge based authentication;
security; security;usability (key words)
I. INTRODUCTION
More corporate applications and information nowadays
have been accessible through the Internet. Users are concerned
about their security of their activities that they apply on
implement in the cyber world or any other place where
authentication is required. The importance of Information
security realm have been increased these days. The new wave
of attack (Shamoon virus) in Saudi Arabia have an impact on
different organizations. Attackers are targeting the government
agencies and other large institutions. “at least 22 big
institutions were affected by the Shamoon virus. Therefore,
several Saudi organizations have been affected by the new
wave of attacks, including the labor ministry and other 15
government agencies so far”, Al Ekhbariya TV reported. Many
governmental organizations suffered from the huge cyber-
attacks since more than 35,000 computers were wiped and
destroyed. Authentication is an important part when we interact
with different technologies and online systems. The
authentication is an aspect of data security, its current scheme
used nowadays in the systems is depend on the login by user
name and password in addition to one-time password or
traditional secret questions, which in turn is usually easy to
predicate. The concept of knowledge based authentication
(KBA) is gaining wide acceptance gradually with time. It gives
the user an authentication on the basis of knowledge of some
secret information, regularly via a real-time interactive
question and answer process. The aim of this paper is to
provide enhanced knowledge based authentication solution
which ensures and provide more security and usability levels
for both individuals and governments.
II. PROBLEM SPECIFICATION
Many employees access online systems and may play different
roles in their account (see figure 1). They use one identity to
log in to the system. For example, the employee can use the
same username and password to access the system as user,
account manager or admin. A study shows that %61 of users
are more likely to share a work password than a personal
password [2]. In this regards, if the user authentication
information hacked, the malicious will have full control over
other roles' information. Therefore, it is important to have a
mechanism to detect whether the logged-in user is the same
user in control of the user's roles. Thus, secure authentication
solution should be developed. As solution KBA stands, which
depend on something user knows, it uses real-time interactive
question answer process in order to improve security and
reduce predication chance [1].
International Journal of Computer Science and Information Security (IJCSIS),
Vol. 15, No. 9, September 2017
246 https://sites.google.com/site/ijcsis/
ISSN 1947-5500

2. Fig.1. User Authentication with Multiple Roles
III. RELATED WORKS
KBA is a method to verify the user’s identity by matching at
least one piece of information through providing secret
knowledge. The knowledge based authentication techniques
include text passwords, graphical passwords and visual
passwords [1, 4].
A study [3] investigated the usability and security of user
chosen secret questions as authentication method. The results
demonstrated the use of challenge questions alone is not
secure, and not trustworthy authentication mechanisms.
Hamilton et al., [6] observed that numerous schemes have
been advanced geared towards offering the necessary security
though it is hard to put in place especially for end users. The
use of passwords is one approach that has been suggested by
many researchers as an appropriate security measure. Many
studies showed that the use of passwords is faced with the
challenge of sharing and forgetfulness [1,2,4].
Research work in user authentication has achieved several
authentication schemes but the existing schemes focus on the
benefits instead of their drawbacks in terms of security, and
usability. A study [5] found that one-time password (OTP)
could be the better scheme to use in the application based on
the attributes, technology and other factors, followed by recent
message, one-time image, finger print authentication, GPS
authentication, respectfully.
Existing literature argue that KBA specifically secret
questions provide more secure solution. However, it has some
challenges such as quessablity and memorability [7,8].
Answers should be difficult to guess and have a huge answer.
Questions that can be guessed successfully in a small number
of attempts (for example, “What is your eye color?”) do not
make secure secret questions [3]. This research paper proposes
new secret questions as KBA which it depends in the roles of
the users.
IV. PROPOSED SCHEMA
As we discussed previously (problem specification section),
authentication system should provide strong scheme while
maintaining users' roles. We propose that KBA scheme as
multi-factors authentication method to allow users' roles while
influencing them specifically admins toward stronger
authentication (see figure2). In effect, this proposed KBA
approach makes choosing a more secure authentication
method by giving more authentication sessions and criteria in
each roles specified (see figure 3).
Fig.2. Proposed KBA Schema
Fig.3. Developed Security Criteria and KBA Variables
International Journal of Computer Science and Information Security (IJCSIS),
Vol. 15, No. 9, September 2017
247 https://sites.google.com/site/ijcsis/
ISSN 1947-5500

3. V. METHODOLOGY
With Information Technology area, engineering research
focuses on discovering solutions to the problems. It applies
problem-solving in its direction and it contains two types. The
first type includes the application, developing, testing and
breaking of information technology [9]. This type explores
the existing knowledge of an area and classifying the problems
that require to be solved. The second type consists of
conceptualization, construction, prototyping, testing and
application of new knowledge [9,10].
This project will use the second type of oriented problem
research that includes experimenting and prototyping of new
technology to find the solutions for identified problems.
Through the literature review, a research problem will be
developed and categorized. With an identified problem, the
methodology and technique includes the design of an
information technology artifact in the attempt will be used to
explain and test this new authentication solution.
We will choose one governamental organizations in Saudi
Arabia(e.g Ministry, University , city-state ), to study and test
the proposed solution in its enviroment.
VI. RESEARCH CONTRIBUTION
Information security solutions play a major role of preventing
threats facing organizations in Saudi Arabia and the world in
general. The following points can be summarized the value of
the proposed model:
• Organizations need to perform risk assessments and
come up with identity and access management
solutions to prevent malicious attacks or other forms
of attacks. Therefore, an organization needs solutions
to secure both the data and the resources to prevent
damages which can incur losses to institutions.
• Developing strategies and perform best practice
guidelines to enhance security for individuals and
governments.
• Addressing critical attacks happened in specific
region and reduce the impact of them.
VII. CONCLOUSION
The objectives of this paper were the following.
Firstly,come up with identity and access management
solutions for government organizations to prevent
malicious attacks or other forms of attacks.Secondly, help
organisation to meet the aim of Saudi Arabia Vision
2030, to improve the processes and regulasation that
affect the digitization. Thirdly, Outline the concern over
the protection of identity information in the cyber realm.
Finaly, highlight the role of KBA in enhancing protection
of user authentication and privacy.
This research contributes to the society by helping the
governments' sectors to provide more secure and trusted
online services.
REFERENCES
[1] A.Alkhalifah, Geoff D. Skinner “Enhanced Knowledge Based
Authentication Using Iterative Session Parameters” World Academy of
Science, Engineering and Technology Vol.71 ,No.7,2010.
[2] IAM: OVERCOMING THE AUTHENTICATION CHALLENG ,2016
, white paper
[3] M. Just, “Account Recovery Challenges: Secure and Usable
Authentication,” Information Security Summit. 2009.
[4] Gkarafli, S. & Economides, A. A,“Comparing the proof by knowledge
authentication techniques” International Journal of Computer Science
and Security.Vol. 4 ,2010,pp. 237-255
[5] S. Sangeeth Kumar, and R Venkatesan. "Ranking of Authentication
Schemes Based on Critical Limiting Factors." International Journal of
Computer Applications Vol.92,No.7,2014.
[6] S. Hamilton, C. Carlisle, and A. Hamilton, “A Global Look at
Authentication.” Proceedings of the 2007 IEEE Workshop on
Information Assurance United States Military Academy, West Point,
NY 20-22 June 2007.
[7] A. Rabkin Personal knowledge questions for fallback authentication:
Security questions in the era of Facebook. July 2008.
[8] M. Jakobsson, E. Stolterman and S. Liu Yang. Love and Authentication.
April 2008.
[9] Hevner, A.R., et al., Design Science in Information Systems Research.
MIS Quarterly, Vol.28,No.1,2004,p.p. 75- 105.
[10] Creswell, John W. Research Design : Qualitative, Quantitative, and
Mixed Methods Approaches. 3rd ed. Los Angeles: SAGE, 2009.
International Journal of Computer Science and Information Security (IJCSIS),
Vol. 15, No. 9, September 2017
248 https://sites.google.com/site/ijcsis/
ISSN 1947-5500