Why the Industry is Moving Away from Knowledge Based Authentication
Knowledge-based verification (KBV), also sometimes referred to as knowledge-based authentication (KBA), is a method of verifying someone is who they say they are by asking them a series of questions before providing access to applications or websites that contain sensitive data or enable financial transactions.
The typical KBV process:
- The user provides personally-identifiable information, like their name, birthday, and home address.
- The verifier automatically generates a series of multiple-choice questions – often sourced from publicly-available or legally-purchasable databases.
- The user responds to the questions and their answers are checked against the information in the databases.
The Problems with Knowledge Based Verification
The clues needed to answer most dynamic KBV questions are, in many cases, available online with a little research. Educational background, home values, mortgage payments, car registrations, birthdates and Social Security numbers can be found on social media, in public records, and on the dark web (thanks to earlier data breaches).
Bots can easily collect this information and rapidly respond to the questions. In fact, some financial institutions are now putting controls in place that identify when questions are being answered too quickly as the speed might be indicative of a bot.
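The speed control described above, as an added example that is not part of the original article or any named institution's system: each KBV session is scored on whether the answers were correct and on how quickly each question was answered, so that a session that is fully correct but answered at machine speed is still flagged for step-up verification. The sessions, timestamps and thresholds are constructed for illustration and are not values taken from NIST or any vendor.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Answered:
    question_id: str
    presented_at: float   # epoch seconds when the question was shown
    answered_at: float    # epoch seconds when the answer was submitted
    correct: bool         # answer matched the record in the reference database

@dataclass
class Session:
    session_id: str
    answers: List[Answered]

# Thresholds are illustrative assumptions, not published figures.
MIN_SECONDS_PER_QUESTION = 4.0   # faster than a person can read a multiple-choice question
MIN_MEDIAN_SECONDS = 6.0         # whole session answered faster than a person typically manages

def response_times(session: Session) -> List[float]:
    return [a.answered_at - a.presented_at for a in session.answers]

def median(values: List[float]) -> float:
    s = sorted(values)
    n, mid = len(s), len(s) // 2
    return s[mid] if n % 2 else (s[mid - 1] + s[mid]) / 2

def assess_session(session: Session,
                   min_per_question: float = MIN_SECONDS_PER_QUESTION,
                   min_median: float = MIN_MEDIAN_SECONDS) -> dict:
    """Combine answer correctness with timing signals.

    'passed' reflects only the answers; 'suspicious' is raised when any single
    question was answered implausibly fast or the session's median response time
    is below the floor, so a correct-but-too-fast session still gets a step-up.
    """
    times = response_times(session)
    too_fast = [a.question_id for a, t in zip(session.answers, times) if t < min_per_question]
    med = median(times)
    reasons = []
    if too_fast:
        reasons.append("per_question_too_fast")
    if med < min_median:
        reasons.append("median_response_time_low")
    return {
        "session_id": session.session_id,
        "passed": all(a.correct for a in session.answers),
        "median_seconds": med,
        "too_fast": too_fast,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }

# Constructed sample sessions: a person, a scripted bot, and a borderline fast human.
HUMAN = Session("s-human", [
    Answered("q1", 0.0, 12.0, True), Answered("q2", 15.0, 24.0, True),
    Answered("q3", 30.0, 45.0, True), Answered("q4", 50.0, 70.0, True)])
BOT = Session("s-bot", [
    Answered("q1", 0.0, 0.8, True), Answered("q2", 1.0, 1.6, True),
    Answered("q3", 2.0, 3.1, True), Answered("q4", 4.0, 4.9, True)])
QUICK = Session("s-quick", [
    Answered("q1", 0.0, 5.0, True), Answered("q2", 6.0, 10.5, True),
    Answered("q3", 11.0, 18.0, True), Answered("q4", 19.0, 24.5, True)])

def triage(sessions: List[Session]) -> List[str]:
    """Return the ids of sessions that should be routed to stronger verification."""
    return [r["session_id"] for r in map(assess_session, sessions) if r["suspicious"]]

if __name__ == "__main__":
    for s in (HUMAN, BOT, QUICK):
        print(assess_session(s))
    print("step-up:", triage([HUMAN, BOT, QUICK]))
```

The bot session answers every question correctly, which is exactly why correctness alone cannot be the gate; the median floor catches a session that stays above the per-question limit but is still uniformly faster than a person working from memory.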
Systems that are solely reliant on KBV can’t adequately defend against access from unwanted sources. The average person can often guess the right answer to the multiple-choice questions using googling and common sense. When so much personal data has already been exposed by previous data breaches and uploaded to the dark web, the hackers’ job only gets easier.
Knowledge Based Verification Has Low Pass Rates
Often, KBV pass rates do not exceed 70%. As questions increase in difficulty, and therefore in security, the pass rate for legitimate users drops. In other words, KBV offers no path that is both secure and passable by every legitimate individual.
When questions are generated from databases, they could ask for someone’s past five addresses or details about their credit history that users might not remember (if they ever memorized the information in the first place). Difficulty remembering seemingly-random facts is one of the primary reasons legitimate users fail these checks.
Alternatives to Knowledge Based Verification for Identity
KBV creates a situation where it is too easy for legitimate individuals to fail and arguably even easier for remote-based fraudsters to successfully attack at scale. In its most recent Digital Identity Guidelines (800-63-3), the National Institute of Standards and Technology (NIST) no longer considers KBV a strong piece of evidence for identity verification.
Instead, NIST suggests that processes requiring high-assurance protection should collect at least two pieces of strong evidence, like government IDs, and one piece of fair evidence, like checking phone ownership with telecom providers. Both of these pieces of evidence can be verified with a higher degree of certainty than KBV:
- ID verification relies on machine vision to quickly confirm authenticity of the document and match the name on the document with the name submitted
- Mobile phone verification relies on a combination of factors like checking device tenure and looking for signs of fraud, such as SIM swaps
The only way hackers could defeat these methods is to get physical possession of the ID or device, which can’t be done in a remote and scalable manner.
In addition to being more secure, these methods are also more inclusive because they don't rely on someone's capacity to remember obscure details, and instead rely on IDs or mobile devices that nearly every American has.
Alternatives to Knowledge Based Authentication
Many organizations are also moving away from KBA as an authentication mechanism. NIST also recommends replacing those KBA security questions with multi-factor authentication (MFA). Both passwords and answers to security questions are considered “something you know” – they rely on information that should be in your head and nowhere else. However, as we’ve seen, much of that information is likely exposed on the dark web or can be easily guessed.
MFA, on the other hand, combines a password (something you know) with “something you have,” like a phone that can receive randomized codes, or “something you are,” like a fingerprint. That way, even if your password is exposed to hackers on the dark web, they won’t be able to access your account because they don’t have the physical phone.
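As an added example of the "something you have" factor described above (not code from the original article or any product), the following implements the time-based one-time-password check (TOTP, RFC 6238, built on HOTP, RFC 4226) that an authenticator app or hardware token performs on the user's device. The assumptions are the standard ones: HMAC-SHA1, 30-second steps, 6 digits, and a one-step acceptance window on either side for clock drift; the secret below is the RFC 4226/6238 test-vector secret, and the replay guard (refusing any step at or before the last accepted one) is an added design choice.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 / RFC 6238 test-vector secret, used here only so the outputs are checkable.
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the Unix time step."""
    return hotp(secret, int(at_time // step), digits)

def verify_totp(secret: bytes, submitted: str, now: float, step: int = 30,
                window: int = 1, last_accepted_step: int = -1) -> Optional[int]:
    """Server-side check of a submitted code.

    Returns the time step that matched, or None. Accepts codes from `window`
    steps before and after the current one to tolerate clock drift, compares in
    constant time, and refuses any step at or before `last_accepted_step` so a
    code that was already used cannot be replayed inside the window.
    """
    current = int(now // step)
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None

def login(password_ok: bool, submitted_code: str, now: float,
          last_accepted_step: int = -1) -> bool:
    """Both factors must pass: a leaked password alone never satisfies this check."""
    if not password_ok:
        return False
    return verify_totp(SECRET, submitted_code, now, last_accepted_step=last_accepted_step) is not None

if __name__ == "__main__":
    code = totp(SECRET, 59)           # device side, at Unix time 59 (RFC 6238 vector)
    print("device shows:", code)
    print("accepted step:", verify_totp(SECRET, code, 59))
    print("replayed later:", verify_totp(SECRET, code, 89, last_accepted_step=1))
```

Because the code depends on a secret that lives only on the device, an attacker who holds the password from a breach still fails `login`; the replay guard matters because a one-time code is only "one-time" if the server remembers which step it last honoured.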