There was a point in time where knowledge-based authentication (KBA) questions were an effective form of identification. But that time is gone. It’s likely that more personal information about each and every one of us is available on the web than any time before in history, and the growing amount of cybersecurity incidents each year isn’t helping. Pindrop’s data shows that fraudsters tend to pass such questions with success more than half of the time whereas the true person forgets the correct answers one third of the time.
KBA on the outs
Even though the security questions in KBA appear to be personalized, there are only so many questions a system can use, and for fraudsters it often only takes a Google search to crack the KBA code. Information from hacked databases is available for hackers to purchase, making it easier to undermine dynamic KBA strategies. Phishing attacks allow third parties to gain access to individual accounts and detailed user information, making security questions practically useless.
How can KBA still be useful for authentication?
However, there is still a significant familiarity between customers and KBA. Therefore, deploying a KBA solution shows your customers that you are serious about protecting their identity and raises their confidence in your business so it’s a great first step to build a better, long-term relationship with them.
While establishing KBA, the reliability of the source of the data is directly related to the level of security the authentication provides. Sources like existing account information or trusted third-party sources should be utilized to get to dynamic, non-traditional data and to generate unique questions.
KBA questions should aim at a balance between convenience and security. Asking a question that is too complex can create painful obstacles for customers to access their data hence negatively affect the customer journey. But a question that is too simple can be an invitation to fraudsters. Therefore, it is important to explain the security features to the customer and include reasonable and unique questions.
The difficulty of KBA-challenges should match the value of the credentials they protect. Individuals and organizations providing higher-value targets, who will be subject to reconnaissance prior to the attack, must boost their KBA challenges.
Multi-factor authentication (MFA) protocols require two or more identifiers from users before granting access. Businesses of all sizes are beginning to adopt complex rules for authenticating specific devices and are implementing single sign-on to streamline access without compromising data security.
In such an authentication protocol, KBA may still be used safely — not as a primary verification tool but as a secondary one. Companies with robust user data protected by strong encryption can draw from their own information to create dynamic KBA queries. Fraudsters may still be able to gain access to this data, but it requires more work than looking up public records or obtaining aggregated information.
In systems designed to operate on a contextual basis, KBA is useful to fall back on when users can’t meet the requirements for other forms of authentication. Using KBA along with patterns of the user’s behavioral actions in the authentication process would allow for termination of sessions or denial of access should unusual behaviors be detected.
KBA can satisfy the “something you know” requirement and doesn’t have to be limited to security questions. The combination of graphical passwords with something you are (fingerprint), or something you have (smart card) strengthens usability and authentication security.
In summary, it may be premature to fully cancel KBA but necessary to recognize that KBA’s role has been relegated from the featured authentication tool to a complementary method. Do not solely count on KBA but do not totally forget about it, either.