Knowledge-based authentication (KBA) [explanation and examples]
Knowledge-based authentication, also known by its acronym KBA, is an authentication method based on a series of knowledge questions that are used to verify a person's identity in order to prevent access of an unauthorized person to a place or most commonly today, to an account.
As the very meaning of KBA indicates, this type of authentication is based on the knowledge of information. That is, it is based on the premise that only the true owner of an account would be able to know the answers to the questions posed.
KBA authentication can be broken down into two main categories: static and dynamic. This division is made on the basis of the KBA questions which can ask for anything, from basic personal information to more complex information, such as bank transaction history.
Although this authentication mechanism has been widely used in the past, especially in password reset or account recovery processes, it is susceptible to vulnerabilities and creates high friction for users.
When fitting into a multi-factor authentication approach, KBA is part of the “knowledge” type of authentication, or “something you know”, along with passwords.
Below are the types of knowledge-based authentication, examples of different KBA questions, and the vulnerabilities associated with them.
As one of the most widely used security methods, static knowledge-based authentication is also known as "shared secrets", or "shared secret questions", and usually includes the following examples:
- What is your parent's name?
- What is the name of your pet?
- What is your favorite color?
- What is the name of the first school you went to?
The static KBA question is chosen by the user when creating an account. Thus both the question and the answer provided are stored to be used when identity verification is required.
The main problem associated with this type of KBA authentication, however, is that there is a high probability that the answers are publicly available or easily found, especially with so much private information available online and on social media.
This was evidenced in an incident in 2008 when the Alaska governor's email account was hacked. At the time, the password to Sarah Palin's Yahoo! account was changed since the answers to security questions, such as her date of birth and zip code, were readily available on the Internet.
Unlike the use of static KBA to verify a person's identity, dynamic KBA does not require the user to define a security question and provide the answer when creating an account.
This means that the questions are generated in real time from information that is associated with an ID number and is usually not available in the individual's wallet. For this reason, this type of authentication is also known as "out-of-wallet questions".
In the case of dynamic KBA, the questions are usually more specific and offer alternatives, as in the examples below:
- Which of these addresses matches one of the houses where you lived in 2005?
- Select the last digits of your social security number
- Which of these corresponds to the last purchase you made on your credit card?
The answers to these questions are gathered from credit reports, marketing databases, and market research. Although there is a smaller chance of this information being publicly available, it can still be obtained in data leakage incidents.
There is also a third classification, which is the advanced dynamic KBA. The main difference is that in this case the security questions are generated from proprietary data that is stored behind a firewall. For this reason, this type of KBA authentication is associated with a higher level of protection.
Alternatives to knowledge-based authentication
KBA identity verification has become less and less effective. As mentioned above, the answers to many security questions can be found by visiting a potential victim's social media profiles.
In addition, data leaks and advanced phishing tactics are making even the most sensitive information susceptible to improper access. That is one of the reasons multi-factor authentication is so important: additional authentication methods should be used to secure accounts. Also, authentication methods have evolved in a way that is increasingly making KBA obsolete and substituted by more secure methods such as the examples below:
Physical Security Keys
One of the main advantages of physical security keys is that they are physically held in the possession of the user, making them resistant to data breaches of phishing. If the user loses or damages their physical key, fallback secondary authentication methods are needed to regain access.
Information stored in a mobile phone can be used to assert a user’s identity. There are phone-as-a-token security solutions based on FIDO standards, which can be used as authentication both for desktop or mobile authentication. This method has grown in popularity with the rise of mobile devices, since the user doesn’t need additional hardware, such as a security key, to provide proof of identity.
Behavioral biometrics solutions offer the most advanced level of security over other authentication methods. Unlike KBA identity verification, behavioral biometrics uses the unique behavioral pattern of an individual that is virtually impossible to replicate.
KBA is no longer as popular as an authentication method for bank account password reset due to its weak security but it is still far from being obsolete.