
The KBA Tax: What Knowledge-Based Authentication Really Costs Health Plans

Dallin Grimm

Healthcare Marketing Principal • June 18, 2026 (UPDATED ON June 18, 2026)

9 minutes read time

Most member calls still open the same way: can you confirm your date of birth and the last four of your Social? It feels like a security checkpoint. For member interactions with their health plan, it’s closer to a toll, one every honest caller pays while the people it was built to stop walk right through.

Knowledge-based authentication (KBA) does very little for security while quietly taxing every legitimate call. At high call volumes, that combination compounds into a costly line item, in terms of both dollars and member experience.

Key takeaways

  • Fraudsters bypass KBA in more than 50% of attempts using stolen PII; one-time passwords are beaten roughly 25% of the time, according to Pindrop data.
  • The data KBA relies on is cheap: a full identity package sells for about $35 on the dark web, and stolen identities used for Medicare fraud have gone for as little as $8.
  • KBA adds 30 to 60 seconds of handle time to every legitimate call, based on data derived from Pindrop case studies, MSUFCU and a large U.S. insurer.
  • For a health plan handling 10 million calls a year, that overhead costs roughly $2.8M to $5.5M annually in agent time alone.1
  • Passive authentication (Pindrop® Passport) saved one large U.S. payer 60 to 75 seconds on 75% of eligible calls, about $1 per call, or roughly $7.5M a year on a 10-million-call book.2

Why does knowledge-based authentication fail?

KBA rests on a premise that no longer holds: that the answers are secret. Fraudsters bypass it in more than 50% of attempts using stolen personally identifiable information (PII), and one-time passwords fare only somewhat better, beaten roughly 25% of the time, according to Pindrop data. Payers ask members to tolerate KBA in the name of security, even though it increasingly fails to protect them.

The reason is supply. The answers KBA depends on (names, birthdates, the last four of a Social Security number, a mother’s maiden name) are cheap commodities. A full identity package with name, SSN, date of birth, and address sells for about $35 on dark web marketplaces, and in healthcare specifically, stolen identities used to commit Medicare fraud have gone for as little as $8 apiece. No wonder nearly 60% of organizations report fraudsters using stolen PII to get past KBA. When the secret is something anyone can buy, verification becomes an adversarial exercise that defenders lose.

How does KBA tax handle-time on every call?

A multi-step KBA sequence typically adds 30 to 60 seconds of handle time to every legitimate call, according to data derived from Pindrop case studies, MSUFCU and a large U.S. insurer. That delay lands on the member asking about a prior authorization, a claim, or a referral, before they reach the reason they called. It is trivial on one call, but not across thousands a day: it slows resolution, frustrates members already navigating a stressful health or coverage issue, and burns agent capacity that could be spent helping them.

That is the cost of keeping a control that does not work: you pay it on every good call, and the bad calls still get through.

What does knowledge-based authentication cost in dollars?

It depends on your call volume and on how long your current KBA sequence takes per call. Take a U.S. health plan handling 10 million member-service calls a year, roughly 27,400 a day. Assume agents cost about $33 an hour, or $0.55 a minute. Apply that rate to the handle time KBA adds:1

Time horizon    30-second KBA overhead    60-second KBA overhead
Per call        ~$0.28                    ~$0.55
Per day         ~$7,700                   ~$15,100
Per month       ~$233,000                 ~$458,000
Per year        ~$2.8M                    ~$5.5M

The 30-second column is built from the rounded $0.28 per-call figure; with the unrounded $0.275 the daily overhead comes to roughly $7,500, so read these as order-of-magnitude estimates rather than exact costs.

And that is agent time only. It excludes IVR abandonment from authentication friction, repeat calls triggered by failed verification, and the downstream cost of the fraud that got through anyway. In short, KBA taxes you on every honest call and waves attackers through.

There is a revenue angle too. For Medicare Advantage plans, member experience feeds CMS Star Ratings through the CAHPS survey, and Star Ratings drive quality bonus payments that ran approximately $12.7 billion in 2025. Authentication friction can drag down the very ratings that determine those bonus dollars.

Why doesn’t KBA work in today’s threat landscape?

Bad-actor tactics have changed as quickly as generative AI has gone mainstream. In December 2024, the FBI warned that criminals are using generative AI to clone voices and impersonate people to access financial accounts at scale, and it reaffirmed that warning in its April 2026 crime report.

One Pindrop healthcare customer logged more than 30,000 bot calls in a single year—automated callers hammering the IVR and the same KBA prompts a human would face.3 Static knowledge questions were never built for an adversary who can synthesize a convincing voice and already holds the answers.

In its recent policy work, the American Medical Association called for explicit protections against AI deepfake impersonation, treating synthetic voice and likeness as a patient-safety issue rather than a niche security concern. For health plans the lesson is the same: synthetic voices and deepfakes now threaten patient safety directly. Passing a knowledge check no longer proves who was actually on the line. It only proves the caller had the answers, and those are exactly the ones a modern attacker can easily obtain.

How does passive authentication address the KBA problem?

Passive authentication removes the dependency on KBA and its limitations, delivering a streamlined member experience and a more secure authentication layer at the same time. Pindrop® Passport authenticates trusted callers in the background, using characteristics of the call and the caller, without requiring extra prompts. One large U.S. payer that deployed it saved 60 to 75 seconds per call on 75% of eligible calls, about $1 per call in operational savings.2

On a 10-million-call book, that is 7.5 million eligible calls at roughly $1 each, about $7.5 million a year. Savings on that scale offset a meaningful share of the investment and, at sufficient volume, can fund it outright. Stronger fraud controls, a better member experience, and a clear return all point the same way.
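The cost table above and this savings estimate are the same arithmetic with different inputs. The following Python model is an added illustration, not Pindrop's own model or data: its defaults (10 million calls, $33 per hour, 30 to 60 seconds of overhead, about $1 saved on 75% of eligible calls) are the page's figures, while the annual_solution_cost parameter and the net-benefit helper are assumptions so a plan can plug in its own numbers. Money is handled in Decimal to avoid binary-float rounding surprises.

```python
"""Agent-time cost model for KBA overhead and passive-authentication savings.

Added illustration, not Pindrop's model. Defaults come from the article;
the solution-cost parameter and net-benefit helper are assumptions.
"""
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
DOLLAR = Decimal("1")


def money(x) -> Decimal:
    """Coerce ints/floats/strings to Decimal via str() to avoid float noise."""
    return Decimal(str(x))


def kba_cost_per_call(hourly_rate, overhead_seconds, round_to_cent=True) -> Decimal:
    """Wage cost of the seconds KBA adds to one call.

    The article rounds this to the cent before scaling it up, which is why its
    30-second column reads ~$7,700/day rather than the unrounded ~$7,500.
    """
    cost = money(hourly_rate) * money(overhead_seconds) / Decimal(3600)
    return cost.quantize(CENT, rounding=ROUND_HALF_UP) if round_to_cent else cost


def kba_cost_table(annual_calls, hourly_rate, overhead_seconds, round_to_cent=True) -> dict:
    """Per-call / per-day / per-month / per-year KBA overhead, agent time only."""
    per_call = kba_cost_per_call(hourly_rate, overhead_seconds, round_to_cent)
    annual = per_call * money(annual_calls)
    whole = lambda d: d.quantize(DOLLAR, rounding=ROUND_HALF_UP)
    return {
        "per_call": per_call,
        "per_day": whole(annual / 365),
        "per_month": whole(annual / 12),
        "per_year": whole(annual),
    }


def passive_auth_savings(annual_calls, eligible_share="0.75", savings_per_call="1.00") -> Decimal:
    """Annual operational savings from passive authentication.

    savings_per_call is the case study's *reported* operational figure, not
    wage arithmetic: 60-75 s at $33/hr is only $0.55-$0.69, so the ~$1 figure
    cannot be derived from the table above and should be treated as an input.
    """
    total = money(annual_calls) * money(eligible_share) * money(savings_per_call)
    return total.quantize(DOLLAR, rounding=ROUND_HALF_UP)


def net_annual_benefit(annual_calls, annual_solution_cost, **kwargs) -> Decimal:
    """Savings minus an assumed annual solution cost (hypothetical parameter)."""
    return passive_auth_savings(annual_calls, **kwargs) - money(annual_solution_cost)


if __name__ == "__main__":
    calls, rate = 10_000_000, 33
    for seconds in (30, 60):
        print(f"{seconds}s KBA overhead:", kba_cost_table(calls, rate, seconds))
    print("Passive-auth savings:", passive_auth_savings(calls))
    # Assumed $5M/yr solution cost, purely to show the helper.
    print("Net benefit at assumed $5M/yr cost:", net_annual_benefit(calls, 5_000_000))
```

Running it reproduces the table's per-year figures ($2.8M and $5.5M) and the $7.5M savings line; swapping in your own call volume, loaded agent cost and measured KBA seconds is the point.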

What do KBA processes cost health plans?

KBA is two liabilities at once: a control that does little when attackers arrive, and a cost charged to every legitimate member who calls. Replacing it with passive authentication cuts handle time, improves the member experience, and builds a defensible identity record that holds up against increasingly capable attackers.

What KBA costs you to keep, and what it still fails to stop, is worth putting a number on.


Knowledge-based authentication FAQs

KBA verifies identity by asking for information presumed to be secret, such as a date of birth, the last four digits of a Social Security number, or a mother’s maiden name. The premise is that only the account owner knows the answers, a premise that breached data has made unreliable.

Fraudsters bypass KBA in more than 50% of attempts using stolen PII, and one-time passwords are beaten roughly 25% of the time, according to Pindrop data. Nearly 60% of organizations report fraudsters using stolen PII to get past KBA.

For a U.S. health plan handling 10 million member-service calls a year, the 30 to 60 seconds of handle time that KBA adds to each call (per data derived from Pindrop case studies, MSUFCU and a large U.S. insurer) costs roughly $2.8 million to $5.5 million annually in agent time alone, before IVR abandonment, repeat calls, and fraud losses.1

Generative AI lets criminals clone voices and impersonate people at scale; the FBI warned about this in December 2024, and again in April 2026. One Pindrop healthcare customer logged more than 30,000 bot calls in a single year.3 Static knowledge questions cannot tell a real caller from a convincing synthetic one.

Passive authentication verifies trusted callers in the background using characteristics of the call and the caller, without extra prompts. One large U.S. payer using Pindrop® Passport saved 60 to 75 seconds on 75% of eligible calls, about $1 per call, or roughly $7.5 million a year on a 10-million-call book.2

Citations

1 Cost model assumptions: call volume, 10 million annual calls; agent cost $33 per hour, about $0.55 per minute, base wage only. KBA handle-time impact of 30 to 60 seconds per call per Pindrop, “Is Your Voice Security Stack Defensible in the Age of AI?,” February 2026; data derived from Pindrop case studies, MSUFCU and a large U.S. insurer.
2 Anonymous Pindrop customer case study, operational impact analysis, 2026.
3 Anonymous Pindrop customer data, April 2025 – May 2026.
