Knowledge Based Authentication fails to deliver
(Last updated on August 2, 2018)
Knowledge based authentication (KBA) has long been used as the backup verification method when someone has forgotten their password. But although it remains in regular use, it fails to deliver on the identity verification promise.
Static and dynamic KBA
There are two different types of KBA: static and dynamic. Static KBA is a list of questions that have been answered ahead of time by the user. These security questions, or shared secret questions, need to be answered at a later time, like when the user forgets their password.
Dynamic KBA does not require the user to answer shared secret questions ahead of time. The questions are generated in real time and require answers that only the user should know, or be able to provide from information they have readily available. These are also referred to as out-of-wallet questions. Examples include the security code on a credit card or a driver’s license number.
Two reasons why KBA fails
There are two reasons why KBA fails to verify a user’s identity. First, attackers can easily find the answers to the questions online. A simple Google search may reveal your date of birth, pet’s name, and favorite food. This makes KBA a vulnerable way to verify user identity.
The second reason follows from the first: to counter that insecurity, simple questions are replaced with more obscure shared secret questions. Instead of asking your mother’s maiden name, the shared secret could be the furthest place you’ve travelled to. What often happens is that people forget the answers they previously provided, and can’t prove their own identity.
Whether it’s people forgetting the answers to their shared secrets, or hackers finding the answers online, knowledge based authentication fails to verify a person’s identity.