Knowledge-based authentication (KBA) is an authentication method that relies on a series of questions to verify a person’s identity. KBA is one of the oldest authentication methods used to prevent fraud: without answering the questions, a user cannot access the account.
At its core, KBA is authentication based on knowledge that only the user is supposed to have. The method rests on the idea that only the true owner of an account would have the required information and so be able to access the account.
Knowledge-based authentication has two categories, static and dynamic, and the distinction is based on the type of questions. The questions can range from basic personal information to complex questions.
While KBA sounds like the most secure authentication method, it is slowly becoming a thing of the past. Today, chances are you’ll see KBA on 1 out of every 1,000 websites.
The password reset and account recovery process has completely done away with KBA as an authentication method. Moreover, KBA has become more and more susceptible to attack.
In terms of multi-factor authentication, KBA belongs to the “knowledge” factor, “something a user knows”, alongside passwords.
Let’s break down the different types of KBA and the challenges associated with each:
Static knowledge-based authentication is one of the most used security methods and is also called “shared secrets” or “shared secret questions”.
Most common examples include:
The user chooses the static KBA questions when they sign up for an account. Whenever the user later needs to sign in or recover the account, they have to answer the questions they chose.
The biggest problem with static KBA is that the answers are easy to discover. With the rise of social media, fraudsters can find the answers to a lot of questions.
The best-known example is an incident in 2008 when the Alaska governor’s email account was hacked. The password to her Yahoo! account was changed by fraudsters, who got in by answering security questions such as her date of birth, zip code, and other information that is readily available on the web.
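The enrollment-and-verification flow described above, written as a defender would build it today: answers are normalized and stored as salted, slow hashes (like passwords), every answer is checked with a constant-time comparison, and failed attempts are capped because the answer space of a security question is small. This is an added example, not code from the original article; the in-memory stores and the sample users are constructed for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed in-memory stores standing in for a database:
# user -> list of (question, salt, hashed answer); user -> failed attempts.
_ENROLLED = {}
_FAILED = {}
MAX_FAILED = 5
PBKDF2_ROUNDS = 100_000


def normalize(answer):
    """Canonicalise an answer so 'Lincoln Elementary' and ' lincoln elementary ' match:
    strip accents, case-fold, drop punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = "".join(ch for ch in text.casefold() if ch.isalnum() or ch.isspace())
    return " ".join(text.split())


def _hash_answer(answer, salt):
    # Treat the answer like a password: salted, slow hash, never stored in plaintext.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(user, qa_pairs):
    """Sign-up step: the user picks questions and supplies answers."""
    records = []
    for question, answer in qa_pairs:
        salt = os.urandom(16)
        records.append((question, salt, _hash_answer(answer, salt)))
    _ENROLLED[user] = records
    _FAILED[user] = 0


def questions_for(user):
    """What the recovery page shows: the questions, never any hint of the answers."""
    return [question for question, _, _ in _ENROLLED.get(user, [])]


def verify(user, answers):
    """Recovery step: every answer must match, and attempts are capped so the
    (often small and guessable) answer space cannot be brute-forced."""
    records = _ENROLLED.get(user)
    if records is None or _FAILED.get(user, 0) >= MAX_FAILED:
        return False
    if len(answers) != len(records):
        _FAILED[user] += 1
        return False
    all_ok = True
    for (_, salt, expected), given in zip(records, answers):
        # Check every answer (no early exit) with a constant-time comparison,
        # so timing does not reveal which question was answered wrongly.
        if not hmac.compare_digest(_hash_answer(given, salt), expected):
            all_ok = False
    if all_ok:
        _FAILED[user] = 0
    else:
        _FAILED[user] += 1
    return all_ok
```

The hashing and lockout do not change the fundamental weakness discussed next, that the answers themselves may be public; they only stop an attacker from reading the answers out of a breached database or guessing through them at leisure.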
Unlike static KBA, dynamic KBA doesn’t require users to define security questions when creating a new account.
This means that all the questions about the user are generated in real time. The questions are generated from records tied to the user’s ID number, and the answers aren’t usually found in the individual’s wallet.
This is why dynamic KBA is also called “out-of-wallet questions”.
Dynamic KBA questions are usually more specific and offer a set of answer alternatives, such as:
The answers to these questions are based on the user’s activities. There is still a small chance that the information is publicly available, especially given the growing number of data leaks.
There is also a third classification, known as advanced dynamic KBA. The primary difference is that the security questions are generated from proprietary data stored behind a firewall.
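The real-time, multiple-choice generation that dynamic and advanced dynamic KBA rely on, as an added example that is not part of the original article. The records and distractor pools are constructed sample data standing in for the proprietary data behind the firewall; the question wording, the four-option format and the two-minute challenge lifetime are assumptions. The points a practitioner cares about are all in the code: distractors never overlap a true value, the correct option is placed at random, the answer key never leaves the server, and each challenge is single-use and expires.

```python
import random
import secrets

# Constructed sample of the proprietary, behind-the-firewall records that
# dynamic KBA draws on (not real people), plus pools of plausible distractors.
RECORDS = {
    "u123": {
        "street_history": ["Birch Ave", "Spruce Ct"],
        "car_make": "Subaru",
        "lender": "Northern Credit Union",
    },
}
DISTRACTORS = {
    "street_history": ["Maple Dr", "Oak Ln", "Cedar Rd", "Pine St", "Elm Way"],
    "car_make": ["Ford", "Toyota", "Honda", "Kia", "Volvo"],
    "lender": ["Arctic Bank", "Pioneer Savings", "Glacier Federal", "Tundra Trust"],
}
QUESTION_TEXT = {
    "street_history": "Which of these streets have you lived on?",
    "car_make": "Which make of car have you financed?",
    "lender": "Which lender have you held an account with?",
}
CHOICES_PER_QUESTION = 4
CHALLENGE_TTL = 120.0  # seconds a generated challenge stays answerable (assumed)
_pending = {}  # token -> {"user", "key", "expires"}; the answer key stays server-side


def true_values(record, field):
    """Fields may hold one value or a history list; always return a list."""
    value = record[field]
    return value if isinstance(value, list) else [value]


def generate_challenge(user_id, now, rng=None):
    """Build a fresh set of multiple-choice questions for this user right now.
    Returns (token, questions); 'now' is a timestamp supplied by the caller."""
    rng = rng or random.SystemRandom()
    record = RECORDS[user_id]
    questions, answer_key = [], []
    for field, text in QUESTION_TEXT.items():
        truths = true_values(record, field)
        correct = rng.choice(truths)
        # Distractors are drawn from a pool that excludes every true value, so
        # exactly one option is right and none of the others leak real data.
        pool = [d for d in DISTRACTORS[field] if d not in truths]
        choices = rng.sample(pool, CHOICES_PER_QUESTION - 1) + [correct]
        rng.shuffle(choices)  # the correct answer must not sit in a fixed slot
        questions.append({"question": text, "choices": choices})
        answer_key.append(choices.index(correct))
    token = secrets.token_urlsafe(16)
    _pending[token] = {"user": user_id, "key": answer_key, "expires": now + CHALLENGE_TTL}
    return token, questions


def verify_challenge(token, selections, now):
    """Check the submitted option indexes. The challenge is single-use and
    time-limited: any retry needs a freshly generated question set."""
    session = _pending.pop(token, None)
    if session is None or now > session["expires"]:
        return False
    return list(selections) == session["key"]
```

Because the same user gets a different question set on every attempt, an attacker who has obtained one set of answers from a leak cannot simply replay them; they would need the underlying records, which is exactly why advanced dynamic KBA keeps those records behind the firewall.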
KBA identity verification has become less effective since the rise of social media. As stated above, many questions can be answered by visiting a potential victim’s social media profiles.
Beyond social media, data leaks and advanced phishing attacks also make KBA more vulnerable. That is one of the reasons multi-factor authentication is so important today: additional authentication methods have to be used to secure accounts.
Other account authentication methods have matured in ways that are making KBA obsolete.
Today, businesses use many authentication methods apart from knowledge-based authentication.
Some of the most common authentication methods include:
One of the primary reasons to use security keys is that only the user has access to the key. A physical key makes sure that the account isn’t vulnerable to data breaches or phishing attacks.
If the user ends up losing or damaging their physical key, they can rely on secondary authentication methods to regain access to the account.
Information stored on a mobile phone can also be used to verify a user’s identity. There are many phone-as-a-token security solutions that businesses can use.
This method has grown exponentially with the rise of mobile devices. One reason for its popularity is that users don’t have to carry an additional security key or other data.
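Why a physical key resists phishing, shown as an added, deliberately simplified model that is not code from the original article and not a real FIDO implementation: the key holds one secret per registered origin that never leaves the device, and every response is bound to the origin the browser reports, so a response produced while talking to a look-alike site cannot verify at the real one. Real keys use per-site asymmetric key pairs and sign the challenge; this model substitutes a shared HMAC secret handed over at registration so it runs with the standard library. Site names are reserved `.example` placeholders.

```python
import hashlib
import hmac
import secrets


class SecurityKey:
    """Hypothetical model of a hardware key: one secret per registered origin,
    never exported, with every response bound to the reported origin."""

    def __init__(self):
        self._per_origin = {}  # origin -> secret, kept inside the device

    def register(self, origin):
        secret = secrets.token_bytes(32)
        self._per_origin[origin] = secret
        # A real key would hand back a public key; this symmetric model shares
        # the secret with the site exactly once, at registration.
        return secret

    def respond(self, origin, challenge):
        """The browser, not the user, tells the key which origin it is on."""
        secret = self._per_origin.get(origin)
        if secret is None:
            return None  # no credential for this origin, so nothing to present
        return hmac.new(secret, origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()


class RelyingParty:
    """The site verifying the key: checks against its own origin only, and
    accepts each random challenge at most once."""

    def __init__(self, origin):
        self.origin = origin
        self._credentials = {}  # user -> secret registered by the key
        self._challenges = {}   # user -> outstanding challenge

    def register(self, user, key):
        self._credentials[user] = key.register(self.origin)

    def begin_login(self, user):
        challenge = secrets.token_bytes(32)
        self._challenges[user] = challenge
        return challenge

    def finish_login(self, user, challenge, response):
        expected_challenge = self._challenges.pop(user, None)  # single use
        secret = self._credentials.get(user)
        if response is None or secret is None or expected_challenge != challenge:
            return False
        expected = hmac.new(secret, self.origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def phishing_relay_fails(key, real_site, lookalike_origin, user):
    """Defender's check: a look-alike site relays the real site's challenge to
    the victim's browser. The browser reports the look-alike origin to the key,
    so whatever the key returns cannot verify at the real site."""
    challenge = real_site.begin_login(user)
    relayed = key.respond(lookalike_origin, challenge)
    return not real_site.finish_login(user, challenge, relayed)
```

The contrast with KBA is the point: a security question answer is the same string wherever the user types it, so it is equally valid on a phishing page, whereas the key's response is only meaningful for the origin it was computed for.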