Digital Identity Blog

Knowledge Based Authentication

June 28, 2021
Andrew Gowasack

What is authentication?

Authentication is the process of proving that something is genuine. While the term can apply to establishing the authenticity of a fact, document, device, or other point of trust, we use it here for the process of establishing the identity of a person, and specifically for doing so through knowledge based authentication.

Knowledge based authentication is everywhere

Knowledge based authentication, or KBA, uses “what you know” to verify your identity. KBA conceptually requires an individual to possess and share information that is only known by that individual in order to prove that they are who they say they are.

It is a security measure that enables users to prove their identity when challenged. How many times have you logged into an account with a username and password today? Have you ever entered your mother’s maiden name to be able to reset a forgotten password? These are all examples of knowledge based authentication.

There are two types of KBA, static and dynamic.

  1. Static KBA | shared secrets

    Static KBA is the most common type of authentication used today. On initial enrollment or account registration, an individual provides information that will then be used to grant access or reset credentials in the future. This information is shared between the organization providing the service and the end user. The user provides this information each time they authenticate, and the organization concurrently retrieves it to verify the user’s provided credentials.

  2. Dynamic KBA | out-of-wallet questions

    Dynamic KBA methods are often referred to as out-of-wallet questions because the answers are not generally found in a person’s wallet. Dynamic KBA differs from static KBA in that it does not require the user to provide pre-determined information on enrollment into a system, but instead generates questions and answers pertaining to the user from public and private data including marketing data and credit reports. After the user provides general identity information like name and date of birth, the organization retrieves records and generates questions and answers to authenticate the identity of the user.
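The two flows above, sketched in code as an added illustration (this is not code from the original post or from the author's product). The static half shows what "shared secret" means in practice: the service has to keep a copy of the enrolled answer, so the least it can do is store a salted hash of a normalised form rather than the plaintext and compare in constant time. The dynamic half generates multiple-choice out-of-wallet questions from a record about the user plus distractors and grades them with an N-of-M pass mark. The record fields, data sources, prompts and sample values are constructed assumptions for the demo.

```python
"""Static KBA (stored shared secret) versus dynamic KBA (generated questions).

Added illustration only. The record layout, prompts, distractor pools and
sample data are constructed for this example, not taken from any real service.
"""
import hashlib
import hmac
import os
import random
import unicodedata

PBKDF2_ROUNDS = 200_000


# ---- Static KBA: the enrolled answer is a shared secret the service stores ----

def normalize_answer(answer):
    """Canonicalise free-text answers so 'Fluffy ' and 'fluffy' both verify."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def enroll_static(answer, salt=None):
    """Keep a salted PBKDF2 hash of the normalised answer, never the plaintext,
    so a database leak does not hand the shared secret out directly."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify_static(record, attempt):
    """Re-derive the hash from the user's attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(attempt).encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


# ---- Dynamic KBA: questions generated on the fly from records about the user ----

# Constructed sample record for a hypothetical person (hypothetical data sources).
SAMPLE_RECORD = {
    "prior_streets": ["Maple Ave", "Oak St"],
    "lenders": ["First Example Bank"],
    "vehicle_years": [2014],
}
# Constructed distractor pools: plausible wrong answers drawn from the same domain.
DISTRACTORS = {
    "prior_streets": ["Elm St", "Pine Rd", "Cedar Ln", "Birch Way"],
    "lenders": ["Second Example Credit Union", "Example Auto Finance", "Sample Savings"],
    "vehicle_years": [2009, 2011, 2017, 2019],
}
PROMPTS = {
    "prior_streets": "Which of these streets have you lived on?",
    "lenders": "Which of these lenders have you had an account with?",
    "vehicle_years": "In which year was a vehicle registered to you?",
}


def generate_questions(record, seed=None, choices=4):
    """Build multiple-choice out-of-wallet questions: one true option from the
    record plus distractors, shuffled, with 'None of the above' always offered.
    A seed is accepted so the output is reproducible in tests."""
    rng = random.Random(seed)
    questions = []
    for field, prompt in PROMPTS.items():
        truth = rng.choice(record[field])
        options = [truth] + rng.sample(DISTRACTORS[field], choices - 1)
        rng.shuffle(options)
        options.append("None of the above")
        questions.append({"field": field, "prompt": prompt,
                          "options": options, "answer": truth})
    return questions


def grade(questions, answers, passmark):
    """Dynamic KBA typically requires N of M correct rather than all correct."""
    correct = sum(1 for q, a in zip(questions, answers) if a == q["answer"])
    return correct >= passmark
```

Note that the static path still leaves the service holding something derived from the answer, and the answer space for "first pet" or "mother's maiden name" is small enough that offline guessing against a leaked table is realistic; hashing limits the damage of a leak, it does not turn a guessable answer into a strong secret.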

Why is using KBA alone no longer enough?

  1. Information that is supposed to be “private” may be easily accessed by people that are not the genuine user.

    With the sheer amount of information on any given person available online through social, public records, and past exposures, a bad actor may be able to provide the answer to “What is the name of your first pet?” just as easily as you can. A quick search on https://haveibeenpwned.com/ can show some of the data breaches associated with your email address where some underlying KBA information may have been leaked.

  2. The ubiquity of KBA has led to centralized data of personal user information and credentials.

    Many organizations store all user credentials on one centralized database, leading to devastating data breaches that expose vast amounts of personal data, such as the 2013 Adobe breach which impacted around 38 million users.

    There have been so many data breaches that knowing your mother’s maiden name or which street you lived on is no longer a reliable way to prove that you are who you say you are.

Are your passwords secure?

Although password use is ubiquitous and works on any device, it poses a number of security challenges.

  1. The vast number of accounts that each person maintains makes passwords extremely challenging to manage.

    One study shows that the average person has 90 online accounts, nearly all of which rely on KBA! If one of your passwords is exposed in an account takeover attack, how many other accounts can be compromised along with it?

  2. Even with best practices for password use and security in place, KBA credentials can easily be given away to bad actors using social engineering schemes.

    Personal credentials are exposed every day by unknowing victims of phishing and other social engineering schemes.

  3. Poor balance between security and usability leads to insecure credentials, frustrated users, and vulnerabilities that can affect both the organization and individual.

    While weak passwords are easily guessed, strong passwords can be easily forgotten. U.S. Gartner reported an average failure rate of 10% to 15% for KBA. Research from Keeper Security revealed that up to 17% of people use the password "123456" to "secure" their accounts, while 50% use one of the top 25 most common passwords.

    When cybercriminals can easily compromise or guess credentials and genuine users are not able to remember them, KBA fails to serve the primary function – authentication! In fact, in last year’s NIST Special Publication on Digital Identity Guidelines, KBA was no longer considered an acceptable authenticator because of its unacceptably high risk of successful use by an attacker.
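The "most common passwords" and "already leaked" failure modes above are exactly what a password-acceptance check should screen for at registration and reset time. The following is an added example (not code from the original post): it rejects a candidate that is too short, that appears in a common-password list, or that appears in a breach corpus, and it performs the breach lookup the way the Pwned Passwords range endpoint at https://haveibeenpwned.com/ does, sending only the first five hex characters of the SHA-1 and matching the suffix locally. The common-password list and the breach corpus here are small constructed stand-ins, and the "server" side is simulated in-process so the example runs offline.

```python
"""Screening candidate passwords against common-password and breach lists.

Added illustration only. COMMON_PASSWORDS and the breach corpus are
constructed stand-ins for the real published lists; range_lookup() simulates
the server side of a k-anonymity range query, so nothing leaves the process.
"""
import hashlib

# Constructed: a short stand-in for a "top 25" list (a deployment would load
# a published list, lower-cased, into this set).
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "qwerty",
    "12345678", "111111", "abc123", "letmein",
}

# Constructed breach corpus: a few "leaked" passwords with occurrence counts.
_BREACHED = {"hunter2": 17, "Summer2019!": 3, "correcthorsebatterystaple": 1}

# Index the corpus by 5-hex-char SHA-1 prefix -> {35-char suffix: count},
# which is the shape a range endpoint serves.
BREACH_INDEX = {}
for _pw, _count in _BREACHED.items():
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACH_INDEX.setdefault(_h[:5], {})[_h[5:]] = _count


def anonymized_query(password):
    """Client side: split the SHA-1 so only the 5-char prefix is ever sent."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def range_lookup(prefix):
    """Server side: return every known suffix sharing this prefix. The server
    never learns which suffix the client cares about."""
    return BREACH_INDEX.get(prefix.upper(), {})


def breach_count(password):
    """How many times the password appears in the breach corpus (0 = unseen)."""
    prefix, suffix = anonymized_query(password)
    return range_lookup(prefix).get(suffix, 0)


def evaluate_password(password, min_length=12):
    """Return the reasons a password should be rejected; an empty list means accept."""
    reasons = []
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if password.casefold() in COMMON_PASSWORDS:
        reasons.append("in common-password list")
    seen = breach_count(password)
    if seen:
        reasons.append("seen in %d breach record(s)" % seen)
    return reasons
```

Rejecting breached and common passwords at the point of choice is a far better trade than complexity rules: it catches the "123456" case directly and does not push users toward patterns they cannot remember.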

Room for improvement

In the case of passwords, it is difficult to balance security and convenience. Instead of protecting user accounts, authentication requirements can become a barrier to accessing services. Companies are increasingly implementing multi-factor authentication processes as the norm to add another layer of security and assurance to identity authentication. We see this happening with widespread adoption of biometric identity verification solutions in the financial services and healthcare industries for example, where privacy, security, and data protection are critical for regulatory compliance and user satisfaction.
