Knowledge-Based Authentication (KBA)
Knowledge-Based Authentication (KBA) refers to using knowledge factors for authentication, i.e. pieces of information that supposedly only you know, such as a password or the name of your first school or pet. These are sometimes known as shared secrets because their security relies on them being known only to you and to the party you shared the secret with (the verifier); anyone else who learns the secret can authenticate as you.
Knowledge-based authentication may include the following:
- Passwords or PINs: Passwords and PINs are the traditional authentication method, and people are generally accustomed to using them. However, they are weak because they can be easily guessed, shared, or stolen. iProov research shows that 75 percent of consumers have used someone else’s password to access a service online. Also, due to security breaches, 63 percent of consumers have had to change a password. Passwords are also not user-friendly. To make them harder to guess, they have to become more complex, which makes them harder to remember; users then rely constantly on the “Forgot Password” function or find workarounds (such as writing passwords down) that make them less secure again. Forrester Research estimates that the average cost of a single password reset done by the help desk is about $70, while Gartner estimates that 20% to 50% of all help desk calls are for password resets.
- Security questions: A user is asked to answer a question, such as a mother’s maiden name or first pet’s name. The answer is drawn from a small, predictable set and can often be found online (public records, social media, or data exposed in earlier breaches), so it is not really a secret. Asking several security questions also creates friction and frustration for the user.
Knowledge-based authentication can be either static or dynamic. Static shared secrets are fixed answers enrolled in advance, for example your mother’s maiden name or your first pet’s name. Dynamic shared secrets are generated at authentication time from information the verifier already holds about you: a bank might ask you questions about your account that only you should be able to answer, for example the amount of a specific transaction you carried out on a given date.
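To make the static/dynamic distinction concrete, here is an added Python sketch of both flavours. It is an illustration written for this page, not iProov’s code or any product’s implementation. The transaction history, merchant names and the answer “Fluffy” are constructed sample data; the choice of PBKDF2-SHA256 with 200,000 rounds for storing a static answer and the budget of three attempts per dynamic challenge are assumptions, not values the page specifies.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import random
import secrets
import unicodedata
from dataclasses import dataclass
from datetime import date

PBKDF2_ROUNDS = 200_000  # assumption: tune to your latency budget


# ---- Static KBA: a security-question answer enrolled in advance ----------

def normalize_answer(answer: str) -> str:
    """Canonicalise case, Unicode form and spacing so 'Fluffy ' matches 'FLUFFY'.
    This shrinks an already small answer space: static answers are low-entropy
    by nature, which is why the text treats them as weak."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def enroll_static(answer: str) -> tuple[bytes, bytes]:
    """Store only a salted, slow hash of the answer, never the answer itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_static(salt: bytes, digest: bytes, attempt: str) -> bool:
    """Hash the attempt the same way and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(attempt).encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# ---- Dynamic KBA: a question derived from the account's own history ------

@dataclass(frozen=True)
class Transaction:
    on: date
    merchant: str
    amount_cents: int  # integer cents: exact comparison, no float rounding


@dataclass
class DynamicChallenge:
    """One single-use question with a small attempt budget (assumed: 3)."""
    transaction: Transaction
    attempts_left: int = 3

    def prompt(self) -> str:
        return (f"How much did you pay {self.transaction.merchant} "
                f"on {self.transaction.on.isoformat()}?")

    def answer(self, amount_cents: int) -> bool:
        if self.attempts_left <= 0:
            return False            # locked out, or challenge already consumed
        self.attempts_left -= 1
        if amount_cents == self.transaction.amount_cents:
            self.attempts_left = 0  # a correct answer consumes the challenge
            return True
        return False


def issue_challenge(history: list[Transaction], recent: int = 10,
                    rng: random.Random | None = None) -> DynamicChallenge:
    """Pick one of the `recent` most recent transactions at random.
    The OS CSPRNG is used so the asked-about transaction is unpredictable;
    a seeded Random may be injected for deterministic tests."""
    if not history:
        raise ValueError("no transaction history to build a challenge from")
    rng = rng or secrets.SystemRandom()
    pool = sorted(history, key=lambda t: t.on, reverse=True)[:recent]
    return DynamicChallenge(rng.choice(pool))


# ---- Constructed sample data and a walk-through ---------------------------

SAMPLE_HISTORY = [  # constructed; not real account data
    Transaction(date(2024, 3, 1), "Example Grocers", 4_237),
    Transaction(date(2024, 3, 4), "Example Transit", 1_250),
    Transaction(date(2024, 3, 6), "Example Cafe", 485),
]


def demo() -> dict:
    salt, digest = enroll_static("Fluffy")
    challenge = issue_challenge(SAMPLE_HISTORY)
    wrong = challenge.answer(1)                                   # attempt 1
    right = challenge.answer(challenge.transaction.amount_cents)  # attempt 2
    replay = challenge.answer(challenge.transaction.amount_cents)  # consumed
    return {
        "static_ok": verify_static(salt, digest, "  fluffy "),
        "static_wrong": verify_static(salt, digest, "Rex"),
        "dynamic_wrong_then_right": (wrong, right),
        "dynamic_replay_rejected": not replay,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry the page’s argument. The static answer is normalised before hashing so that legitimate users are not locked out by capitalisation or spacing, but that same normalisation shows how little entropy such an answer has to begin with. The dynamic challenge is selected unpredictably, is single-use, and locks after a handful of wrong guesses; without those three properties a fraudster who has seen one statement line, or who can guess round amounts, can simply keep trying.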
Knowledge factors are vulnerable to theft if a victim is duped into sharing them with a fraudster. This is done through social engineering, in which a fraudster masquerades as a genuine party (the bank, the help desk, a colleague) or otherwise manipulates users into revealing their shared secrets. Because the secret is just data, once it has been revealed the fraudster can replay it exactly as the legitimate user would.
Additionally, the problem with both static and dynamic shared secrets is that users can forget them over time or never knew the answer in the first place. This creates a lot of friction during the authentication process and can result in users dropping out altogether or resorting to manual fallback processes that are costly and/or time-consuming.
If it is used, knowledge-based authentication is best combined with other, more secure authentication methods such as iProov’s biometric face verification technology as part of a multi-factor authentication or step-up authentication strategy.
Learn More About Knowledge-Based Authentication
Article: The Risks of Passwords