KBA stands for Knowledge-Based Authentication, and refers to a method of identity proofing based on the knowledge of the individual’s private information. KBA suggests that to prove they are who they claim they are, individuals must provide an answer for a pre-shared or computer-generated personal question.
KBA is used by a wide variety of website services, email providers, and financial institutions for identity verification purposes. There are 3 main types of KBA: static KBA, dynamic KBA, and enhanced KBA.
Static KBA is one of the most popular elements of the MFA (multi-factor authentication) system, with regards to password recovery. To gain access to the account, the user is asked to provide certain information that he/she shared at the stage of opening the account. For example, the name of their very first pet.
However, even with all of these there are some weaknesses in this authentication method which we’ll discuss later.
With dynamic KBA, the user doesn’t know what question will be asked as these are generated by the system independently without previous interaction with the respondent.
The question-answer pairs are selected based on live public records and other data sources. Besides that, dynamic KBA questions have an expiry period which means that a potential scammer won’t have enough time to research the answer.
Due to higher security, dynamic KBA is used to prevent fraud and ensure compliance in many financial institutions but mostly as a secondary authentication method.
Enhanced dynamic KBA combines both of the above listed approaches and uses user proprietary data, collected and stored behind the company firewall, to generate custom security questions. This in some situations allows to create a fully-fledged authentication solution to verify new and existing customers online.
The main weakness of KBA is the vast amount of personal information available online.
The second problem is the memorability of the answers, especially if they concern personal preferences that tend to change over time.
Some identity verification services try to address these by using secret images or secret sounds, which can be stored and retrieved the same way as written answers but can’t be found on social networks or elsewhere and not so easy to remember.
However, even with all enhancements and improvements KBA remains an imperfect authentication method. Here are a few reasons why:
Modern technologies offer several solutions that deliver much better results than KBA, two-factor authentication and SMS all together. Some of these are:
All of the above-listed allow to ensure faster and more reliable authentication, observance of KYC requirements, and positive user experience. Besides that, they are much cheaper and easier to implement than it may seem.