KBA stands for Knowledge-Based Authentication and refers to a method of identity proofing based on an individual's knowledge of their own private information. To prove they are who they claim to be, the individual must answer a pre-shared or computer-generated personal question.
KBA is used by a wide variety of web services, email providers, and financial institutions for identity verification. There are three main types of KBA: static KBA, dynamic KBA, and enhanced KBA.
Static KBA (Shared Secret Questions)
Static KBA is one of the most popular elements of MFA (multi-factor authentication) systems, particularly for password recovery. To regain access to the account, the user is asked to provide information they shared when opening the account, for example the name of their very first pet.
Criteria of a Good Static KBA Question
- You should be able to remember the answer in any situation.
- There should be only one correct answer.
- The answer should not be obvious or easy to guess.
However, even when all of these criteria are met, this authentication method still has weaknesses, which we discuss below.
Dynamic KBA
With dynamic KBA, the user does not know in advance which question will be asked, because the questions are generated by the system without any previous interaction with the respondent.
The question-answer pairs are drawn from live public records and other data sources. In addition, dynamic KBA questions have an expiry period, so a potential scammer does not have enough time to research the answer.
Because of this higher security, dynamic KBA is used to prevent fraud and ensure compliance in many financial institutions, but mostly as a secondary authentication method.
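The two mechanics described above, a static shared-secret answer and a short-lived dynamic challenge, as an added example that is not code from the original page or any KBA vendor. It assumes a normalisation rule (case-fold, strip punctuation), a PBKDF2 iteration count and a 120-second expiry window, all chosen for the example; answers are stored only as salted hashes so that a leaked table or session store does not reveal them.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed parameters for this example, not values taken from the page.
PBKDF2_ITERATIONS = 100_000
DYNAMIC_TTL_SECONDS = 120  # assumed expiry window for a dynamic KBA question


def normalize_answer(answer: str) -> str:
    """Canonicalise free text so 'Mr. Whiskers' and 'mr whiskers' match."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[^a-z0-9]+", "", text)


def _derive(answer: str, salt: bytes) -> bytes:
    """Salted, slow hash of the normalised answer (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                               salt, PBKDF2_ITERATIONS)


def enroll_static_answer(answer: str) -> dict:
    """Static KBA: store only salt + hash, so a leaked table reveals no answers."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(answer, salt)}


def verify_static_answer(record: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    return hmac.compare_digest(_derive(candidate, record["salt"]), record["hash"])


def issue_dynamic_challenge(question: str, expected: str, now: float) -> dict:
    """Dynamic KBA: the expected answer comes from the record source, is hashed
    immediately, and the challenge carries an expiry so it cannot be researched."""
    salt = os.urandom(16)
    return {"question": question, "salt": salt,
            "hash": _derive(expected, salt),
            "expires_at": now + DYNAMIC_TTL_SECONDS}


def verify_dynamic_answer(challenge: dict, candidate: str, now: float) -> bool:
    """Reject expired challenges before doing any comparison."""
    if now > challenge["expires_at"]:
        return False
    return hmac.compare_digest(_derive(candidate, challenge["salt"]),
                               challenge["hash"])
```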
Enhanced Dynamic KBA
Enhanced dynamic KBA combines both of the approaches listed above and uses proprietary user data, collected and stored behind the company firewall, to generate custom security questions. In some situations this makes it possible to build a fully-fledged authentication solution for verifying new and existing customers online.
Disadvantages of KBA
The main weakness of KBA is the vast amount of personal information available online.
The second problem is the memorability of the answers, especially if they concern personal preferences that tend to change over time.
Some identity verification services try to address these problems by using secret images or secret sounds, which can be stored and retrieved in the same way as written answers but cannot be found on social networks or elsewhere and are not so easily forgotten.
However, even with all enhancements and improvements KBA remains an imperfect authentication method. Here are a few reasons why:
- Friction. It increases customer frustration and churn.
- Compliance issues. It doesn't align with many regulations. For example, in June 2017, the National Institute of Standards and Technology (NIST) stated that "Knowledge based authentication, where the claimant is prompted to answer questions that can be confirmed from public databases, also does not constitute an acceptable secret for e-authentication."
- Risk of insider fraud. Nothing in KBA protects the answers to the secret questions from internal leakage. In the Wells Fargo scandal of 2016, thousands of employees submitted applications for more than 500,000 consumer credit card accounts and 1,500,000 deposit accounts.
- Cost. It consumes security department resources that are needed to provide two-factor authentication or other additional risk-mitigation methods.
Modern technologies offer several solutions that deliver much better results than KBA, two-factor authentication and SMS combined. Some of these are:
- ID verification: scanning a user’s government-issued ID.
- Identity verification: proving the applicant’s identity with a valid government-issued ID that is compared against a selfie in real-time.
- Document verification: establishing the proof of address by scanning and extracting data from utility bills, credit card and bank statements.
- Authentication: determining the identity of your users with 3D selfie technology.
All of the above provide faster and more reliable authentication, compliance with KYC requirements, and a positive user experience. They are also much cheaper and easier to implement than it may seem.