Knowledge based authentication (KBA)

Knowledge based authentication (KBA) is a user verification method that requires a person to answer one or more secret questions whose answers are presumably known only to the person being authenticated. It is a common security measure implemented in many online platforms as part of multi-factor authentication (MFA) or for password recovery.

There are two primary types of knowledge based authentication—static KBA and dynamic KBA.

What is static knowledge based authentication?

Static knowledge based authentication, also known as personal verification questions, occurs when users provide the answers to a set of questions when setting up their accounts. These questions often include information such as:

  1. their mother's maiden name
  2. their first pet's name
  3. the make of their first car
  4. the city where they were born

The premise is that only the legitimate account owner would know the answers to these questions. This form of knowledge based authentication is commonly used in many online platforms for the account recovery process.

Static knowledge based authentication has been criticized due to its vulnerability to social engineering attacks. With the increasing amount of information available online, an attacker may be able to find the answers to these questions by viewing a user's social media profiles or through other public sources.
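Hashing does nothing about the guessability problem described above, but a service that does use static KBA can at least avoid storing answers in plaintext and can throttle online guessing. The following is an added example, not code from the article: it normalizes an answer (so "Fluffy" and " fluffy " match), stores it as a salted PBKDF2 hash, compares in constant time, and locks the question after a fixed number of failures. The iteration count and lockout threshold are illustrative assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Illustrative parameters (assumptions, not from the article).
PBKDF2_ITERATIONS = 200_000
MAX_FAILURES = 5


def normalize_answer(answer: str) -> str:
    """Canonicalize a free-text answer so that trivial variations in case,
    Unicode form and whitespace verify identically, without keeping plaintext."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def _derive(answer: str, salt: bytes) -> bytes:
    # Slow, salted hash: a stolen database cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enroll_answer(answer: str) -> dict:
    """Create the stored record for one security question at account setup."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(answer, salt), "failures": 0}


def verify_answer(record: dict, candidate: str) -> bool:
    """Check a recovery-time answer against the stored record.

    Locked records always fail, so an attacker cannot keep guessing
    publicly discoverable answers (pet names, birthplaces) indefinitely."""
    if record["failures"] >= MAX_FAILURES:
        return False
    ok = hmac.compare_digest(_derive(candidate, record["salt"]), record["hash"])
    if ok:
        record["failures"] = 0
    else:
        record["failures"] += 1
    return ok


if __name__ == "__main__":
    rec = enroll_answer("Fluffy")  # constructed sample answer
    print(verify_answer(rec, " fluffy "), verify_answer(rec, "Rex"))
```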

What is dynamic knowledge based authentication?

With dynamic knowledge based authentication, the system generates questions in real time based on personal information from public and private data sources. For instance, a user might be asked to confirm previous addresses, loan amounts, or details about financial transactions. This makes it more difficult for an attacker to find the answers online.

Despite its advantages, dynamic knowledge based authentication has its limitations. It can be intrusive, as it relies on collecting and correctly interpreting detailed personal data. It also works poorly for users who do not have enough financial history available to generate security questions.

Pros and cons of knowledge based authentication

Knowledge based authentication is widely used in the cybersecurity industry as a method of verifying a user's identity. The following examples of KBA's advantages and disadvantages illustrate why it is best used in conjunction with other authentication methods.

Knowledge based authentication alternatives

There are a number of knowledge based authentication alternatives, each with its own set of advantages and considerations. The optimal system or combination of systems should be determined based on the unique requirements of an organization, such as the required level of security, user convenience, and regulatory compliance requirements. KBA alternatives include the following.

Behavioral biometrics

This method analyzes the unique ways in which individuals interact with their devices, such as typing rhythm, mouse movement patterns, or how they swipe on a touchscreen.

Biometric authentication

Biometrics use unique physical or behavioral characteristics for identification. This can include fingerprints, facial recognition, voice recognition, and iris or retinal scans.

Certificate-based authentication

This authentication approach uses digital certificates to verify a user's identity. This method involves issuing a certificate to the user's device, which is then presented as identification for accessing a service.

FIDO2 and WebAuthn

The FIDO (Fast Identity Online) Alliance's protocols, including FIDO2 and WebAuthn, let users authenticate with physical security keys or biometrics instead of passwords. These standards provide strong, phishing-resistant authentication.

Hardware security tokens

A security token generates a secure login code that the user must enter when prompted. Tokens provide a physical element that must be present during authentication.

SMS and email one-time passwords (OTPs)

A time-sensitive, one-time password is sent to the user's registered mobile phone or email address. The security of this authentication method depends on the security of the email account or phone.

Push-based authentication

With push-based authentication, a login approval request is sent to a pre-registered device, usually a mobile phone. Upon receipt, the user can approve or deny the request.

Risk-based authentication

A risk assessment is used to determine whether the user is who they say they are based on their behavior, device, and location information. If a login attempt is considered risky (e.g., from a new device or location), the system may request additional verification.

Smart cards

Similar to security tokens, smart cards store and process information through an integrated circuit chip. They require a card reader to verify the user's identity.

Software authenticators

These are applications (e.g., Google Authenticator or Authy) that generate time-based one-time passwords on a user's device. This method combines the security of something the user has (i.e., their device) with something the user knows (e.g., a personal identification number (PIN) to unlock the device).

Considerations when assessing knowledge based authentication

While knowledge based authentication provides an extra layer of security, it should not be the only method used to protect user accounts. As with all security measures, it is important to have multiple security protocols and processes in place to provide redundancy in the event of a compromise.

It is also important to continually evaluate and update authentication processes as threats evolve and new technology is introduced. Finally, it is imperative to balance security with user convenience to ensure adoption and keep users from finding workarounds to evade tedious systems and processes.