Knowledge-based authentication (KBA)
Knowledge-based authentication (KBA) is an authentication method where users are asked a personal question before they can proceed with their login or action. There are two types: static (e.g. security questions) and dynamic (using credit history or public records).
Frequently asked questions
What is KBA?
KBA is a way of authenticating users by asking something they should know, such as “what was the name of your first pet?” or “which street did you live on as a child?” Businesses often use KBA to confirm the user’s identity if they want to reset their password or perform another action. This type of authentication remains popular for its ease of setup and use.
What is dynamic knowledge-based authentication?
Dynamic KBA takes static knowledge-based authentication a step further by dynamically generating questions to authenticate users. This method requires access to substantial amounts of both historical and current user data to ensure questions are relevant to users and can’t be easily predicted by attackers.
Is knowledge-based authentication secure?
The level of security offered by KBA depends on the type used. While static verification offers the benefit of simplicity, the questions it relies on are so common that attackers can often find the answers by mining social media and other public data.
Dynamic KBA, meanwhile, increases security by making it harder to research answers in advance. Because dynamic KBA generates questions on the spot, malicious actors can’t predict the knowledge they’ll need to circumvent security systems, while customers shouldn’t have a problem verifying their identity.
How are KBA questions generated?
With static KBA, companies usually choose common, easy-to-remember questions about the user’s past, such as the name of their first pet or their mother’s maiden name. Dynamic KBA, on the other hand, combs through customer data and uses this information to generate new security questions on the spot. These data sources can include collected personal and financial information, transaction histories, credit data, and any other information customers have agreed to share with businesses for the purposes of security.
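As an added illustration (not code from the original page), here is a minimal dynamic-KBA challenge generator and verifier in Python: it builds a fresh multiple-choice question from an account's own transaction history, mixes in merchants the account never used as distractors, and limits guesses. HISTORY and DISTRACTORS are constructed sample data, and the three-attempt limit is an assumption.

```python
import hmac
import random
from dataclasses import dataclass

# Constructed sample transaction history for one account (not real customer data).
HISTORY = [
    {"merchant": "Corner Grocery", "amount": 42.17},
    {"merchant": "City Transit", "amount": 2.75},
    {"merchant": "Book Nook", "amount": 18.99},
]
# Plausible merchants this account never paid; used as distractor options.
DISTRACTORS = ["Pet Palace", "Gas & Go", "Cafe Luna", "Hardware Hub"]

MAX_ATTEMPTS = 3  # assumed policy: lock the challenge after three tries


@dataclass
class Challenge:
    question: str
    options: list
    answer: str  # kept server-side only; never sent to the client
    attempts_left: int = MAX_ATTEMPTS


def generate_challenge(history, distractors, rng=None):
    """Dynamic KBA: pick a real transaction and build a question around it.
    Distractors are merchants absent from the history, so the correct option
    cannot be researched in advance from public or social data."""
    rng = rng or random.SystemRandom()
    tx = rng.choice(history)
    seen = {t["merchant"] for t in history}
    pool = [m for m in distractors if m not in seen]
    options = [tx["merchant"]] + rng.sample(pool, 3)
    rng.shuffle(options)
    question = f"Which merchant did you pay ${tx['amount']:.2f} recently?"
    return Challenge(question, options, tx["merchant"])


def verify(challenge, response):
    """Check the user's answer in constant time. Each attempt consumes one try,
    and a locked challenge never accepts an answer, which blunts guessing
    across the small option set."""
    if challenge.attempts_left <= 0:
        return False
    challenge.attempts_left -= 1

    def normalize(s):
        return s.strip().casefold().encode()

    return hmac.compare_digest(normalize(challenge.answer), normalize(response))
```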