PINDROP BLOG

“Free”: The True Costs of Knowledge Based Authentication Questions?

Imagine that you are trying to log in to your 401k account after a long time and as luck would have it you don’t remember the password. You try to reset the password online but you don’t remember the answers to the security questions you had set up while opening the account. After several minutes of a frustrating online experience, you call the customer service number but find out that there is no option to reset the password in the automated menu. As a last resort, you punch out to the agent. After an eternity of listening to the hold music, you finally reach the agent and ask them for help. Half an hour has already passed when you hear the agent say “please answer these five randomly generated questions so that we can authenticate you”. You spend another 15 minutes as the agent spells out every letter on five different license plate numbers to identify a car that you may have owned a decade ago but have now forgotten about. By the time you finally get your password reset, you have lost an hour of your productive day.

These experiences range in their level of frustration but are very common. At the core of this experience is the process of identification which in turn is based on the very foundational element of Knowledge-Based Authentication questions or KBAs. These KBAs can be fixed or dynamic (multiple choice questions generated on the fly like in the license plate example above). But in the end, the answers always depend on something you know, not something you are or something that you are doing. 

It is commonly understood that KBAs are frustrating, not just for the consumers but for the contact centers themselves. Pindrop research shows that up to 30% of customers struggle with KBA based identity questions, while more than half of criminals pass them. According to a Forrester report1, a North American bank reported that knowledge-based authentication (KBA) has had a 25% false reject rate, which resulted in an unacceptable level of customer dissatisfaction. Adopting voice biometrics allowed the bank to reduce false rejects to less than 3%. 

But these observations have been known to the industry for a long time. Steps have already been taken by companies to reduce their reliance on KBAs and adopt more friction-less biometric and behavioral modalities. However, despite the customer dissatisfaction, delays, longer wait times, and ongoing data breaches, KBAs do continue to persist and are still one of the more prevalent forms of consumer identity and verification. Why is this so? What are companies losing out on by sticking to KBAs? How much value can be unlocked by removing KBAs from the ID&V process? We explore these topics in this blog.

The Future of KBAs

The Identity and Verification market is between $6-8B globally2 which includes KBAs and credit-based identity data. In the US alone there are 9 leading identity verification solution providers that leverage vast repositories of personal consumer data, credit files and demographic databases to create dynamic KBAs that are used by FIs to protect new account opening applications and remote channel transactions. The fact that KBA’s are joined at the hip with the credit assessment processes that underpin financial transactions and the core businesses of many companies has entrenched KBAs into their operational folds. This deep operational embedding makes KBAs sticky in the short term and continues to offer some value as a secondary identification tool. But the gravitational pull of consumer experience and fraud prevention is pulling companies away from KBAs. 

Aite-Novarica Group found that the importance of KBAs amongst financial institutions has been diminishing with 60% of the respondents either not using KBAs or reducing their usage. In addition, the National Institute of Standards and Technology (NIST) has stated that KBAs can no longer be used as a means of authentication for governmental agencies. Many FI executives follow NIST guidelines closely and view them as global best practices.

Source: Aite Group interviews with 20 fraud executives from 18 large North American FIs, July to October 2019
Source: Aite Group interviews with 20 fraud executives from 18 large North American FIs, July to October 2019

KBAs are on the way out and need to be replaced with more comprehensive and sophisticated biometric and analytical tools.

The Real Cost of KBAs

A few interesting trends are taking place in contact centers. 

Source: Contact Babel The US Contact Center Decision-Makers’ Guide, 2018 and 2021

Not only has the average call duration increased by almost 2 minutes, the cost of servicing those calls has also been inching up. It now costs up to 40% more to handle a call compared to the cost three years ago.  More importantly, the cost to authenticate those callers has increased by 22c per call. Covid-19 has certainly contributed to and exacerbated these trends by further increasing the overall call volumes for contact centers.

These trends indicate that customer service is getting longer, costlier and more complex. Insofar as KBAs are used in this process, they will continue to be part of the problem. KBAs can further elongate the authentication process and increase call durations. But the real cost of KBAs really lies in its effect on customer experience. 

Contact Babel research3 shows that caller abandonment rate i.e. the rate at which calls are not contained in the self-service channel, has been increasing. The abandonment rate has increased from 5.4% in 2012 to 6.1% in 2020. Although this rate of increase is small, it is an important flag that shows that customer satisfaction may be adversely affected. In particular, the report states that the main reason for abandoning self-service sessions was that the self-service function simply does not offer what the customers want. Forrester Research4 states that only 18% of customers will continue association with a brand after it has disappointed them. These factors demonstrate that poor customer service comes at a significant cost in terms of customer attrition, revenue churn, and loss of brand reputation. Time delaying and friction-inducing KBA process is more likely to further hurt customer experience than help it. It is increasingly evident that relying on KBAs may not be the best strategy if the goal is to reduce long-term customer servicing costs, while still improving customer experience.

Unlocking the Financial Value of KBAs

Between increasing customer satisfaction and reducing friction, there is a substantial amount of value locked into contact center processes. Every second that a KBA adds to the call wait time or every percentage point of friction it creates for customers, costs the company in terms of cost increase or revenue loss. Not to mention the gates it leaves open for fraudsters to walk in. Unlocking the financial potential trapped in KBA processes is paramount to a company’s long term success.

Improve Security Posture

Contact centers spend anywhere between 20-60 seconds per call authenticating callers. This includes approximately 3-4 KBAs5. Reducing each KBA shaves off precious seconds from the call handle time which not only reduces call processing costs but also helps contact centers to process more calls. Using ANI validation tools in combination with ANI match and call risk assessment can help contact centers remove at least 1-2 KBAs. A more detailed assessment of the financial value of KBA reduction is outlined here.

Reduce Average Handle Time (AHT)

Several high-profile data breaches have already released a large trove of personal information belonging to millions of consumers into the fraudster’s domains. In addition, fraudsters can leverage several brute force solutions, caller ID spoofing tools and sophisticated fraud rings to extract valuable information out of unprotected IVRs and use that information to pass KBA authentication and take over consumer accounts. KBAs are largely powerless to stop these attacks. After a tumultuous 2020, there has been an increase in the volume and variety of fraud attacks. In 2020, at least $36 Billion6 was mostly lost to unemployment fraud—a full 10% of the $360 billion in CARES Act unemployment benefit funding. In the UK, as much as £1.5B may have been lost to fraud through Universal Credit Payments. The risk and the cost of fraud is overwhelming. Not to mention the negative impact on the brand reputation. Reducing reliance on KBAs is a vital step towards stopping fraud.

Enhance Customer Experience

Removing KBAs with the help of passive tools like ANI validation or multi-factor authentication can contribute to a better authentication process. Pindrop research shows that an improved authentication process correlates with more positive customer satisfaction and Net Promoter Scores (NPS). Forrester’s research report found7 that 1 point improvement in customer experience index score could increase revenue by $110M for a large financial institution. 

KBAs are a legacy tool that no longer supports the goals of the next-generation contact centers. Removing KBAs can help improve customer satisfaction, protect the contact center and unlock a substantial amount of value for the business.

1Forrester – Best Practices And Trends: Voice Biometrics, 2021

2https://www.mordorintelligence.com/industry-reports/identity-verification-market; https://www.industryarc.com/Research/Identity-Verification-Market-Research-510330

3Contact Babel The US Contact Center Decision-Makers’ Guide, 2012 and 2021

4Forrester Research – “Transform The Contact Center For Customer Service Excellence, 2021

5Data from Pindrop research

6Pindrop 2021 Voice Intelligence Security Report

7Forrester Research – How Customer Experience Drives Business Growth, 2020