Why you need an alternative to knowledge-based authentication (KBA) for identity verification in the digital age
KBA is an authentication method that is used to verify an individual’s identity before they can proceed with their login, onboarding or transaction. Before we dig into why you need to go beyond KBA in your digital onboarding process, let’s take a step back and answer some frequently asked questions regarding this method of authentication.
FAQs on KBA
What is KBA identity verification, exactly?
KBA is a way of authenticating a new user by asking a series of questions to verify their identity. This is to keep information secure and prevent unauthorized access to personal accounts.
The questions asked during the KBA identity verification process should meet the following criteria:
- The answer is easy for the user to remember.
- There is only one correct answer.
- The answer is difficult for someone else to guess or research.
- The question applies to most users.
Being knowledge-based, KBA identity verification can be broken down into two main categories: static and dynamic. Both static and dynamic KBA processes rely on the assumption that only the end-user will know the answers to the questions posed, enabling secure identity verification.
What is static KBA?
Static KBA identity verification is one of the most widely used and easy-to-set-up security methods and is also known as “shared secret questions” or, simply, “shared secrets.” The user chooses the questions in advance and sets the acceptable answers.
Static KBA question examples:
- What city did you meet your spouse in?
- What was the name of your first boss?
- What is your mother’s middle name?
- Who was your childhood best friend?
The answers to these questions are stored and when it is time for the user to verify their identity or reset a password, they have to provide the answers. Simple and straightforward.
What are the pros of static KBA?
Beyond the simplicity of static KBA identity verification, the value in this method of KBA authentication is in its ability to be customized, yet still easy to remember.
What are the cons of static KBA?
The drawbacks of static KBA identity verification are significant because, let’s face it, there is a high probability that the answers can be beaten. This is especially the case in this digital age, where so much personally identifiable information can be easily accessed online and via social media. We don’t need a study by Google and Stanford University to tell us that a hacker has a 20% chance of correctly guessing “pizza” as the answer to the question “what’s your favorite food?” Worse still, 16% of static security questions had answers routinely listed in online social media profiles!
What is dynamic KBA?
Unlike static KBA, dynamic KBA identity verification does not involve the user choosing their own questions. Instead, the questions are “out-of-wallet,” generated in real-time based on a collection of data sources including personal and financial information, credit data, transaction histories and any other information an individual may share with a business for the purpose of security.
Dynamic KBA question examples:
- Which car was registered to you in Seattle in 2012?
- What was your street address when you were 15 years old?
- Which of these cities have you lived in in the past? (Select the correct answer from a list of addresses)
What are the pros of dynamic KBA?
Because the questions asked during a dynamic KBA identity verification process are tailored to the individual user based on personal information that is not available publicly, dynamic KBA is much more unpredictable. Companies can also get creative and use information from paid sources, such as business and marketing lists, to generate appropriate questions, making it harder for malicious actors.
What are the cons of dynamic KBA?
However, the drawbacks of dynamic KBA are also significant. For instance, the questions asked are not only more difficult but also more time-consuming than those used for static KBA identity verification. This naturally frustrates and creates friction for a user trying to access their account in a hurry. Furthermore, answering questions sourced for dynamic KBA relies on the user having an exceptional memory and ready familiarity with their own financial details. In fact, that same Google/Stanford study mentioned earlier found that only 55% of people remember their first phone number, let alone their frequent flyer number (only 9%). And adding extra questions isn’t the answer, because the more questions posed, the more likely an individual is to get an answer wrong and be locked out of the account completely, delaying them further.
Moreover, despite a key benefit of dynamic KBA being its unpredictability, it’s not impossible for sophisticated fraudsters to find answers via public data sources. For example, sites like LinkedIn, Facebook and ancestry.com contain a lot more personal information than you might think.
On the other hand, not everyone has a significant digital footprint either. This means it can be very difficult for even the most conscientious and creative companies to mine enough data to generate questions.
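The usability-versus-security trade-off described above can be quantified. The following added example is not part of the original article: it uses the per-question rates the article cites (55% recall for a first phone number, a 20% guess rate for “pizza”) and assumes answers are independent and that a fixed number of failed attempts triggers a lockout.

```python
# Added illustration of the article's point that adding KBA questions cuts the
# attacker's guessing odds but also locks out more genuine users.
# Rates come from the figures the article cites; independence of answers and
# the attempt limit are simplifying assumptions made here.

LEGIT_RECALL_RATE = 0.55     # share of users who remember a given answer
ATTACKER_GUESS_RATE = 0.20   # chance an attacker guesses a given answer


def pass_probability(per_question_rate: float, questions: int) -> float:
    """Probability of answering all `questions` correctly in one attempt."""
    if questions < 0 or not 0.0 <= per_question_rate <= 1.0:
        raise ValueError("questions must be >= 0 and rate within [0, 1]")
    return per_question_rate ** questions


def success_within_attempts(per_question_rate: float, questions: int,
                            attempts: int) -> float:
    """Probability of passing at least once before `attempts` failures lock the account."""
    single = pass_probability(per_question_rate, questions)
    return 1.0 - (1.0 - single) ** attempts


def questions_needed(attacker_rate: float, attempts: int,
                     max_attacker_success: float) -> int:
    """Smallest question count keeping attacker success within `attempts` at or below the target."""
    if attacker_rate >= 1.0:
        raise ValueError("an attacker who always guesses right cannot be stopped by more questions")
    questions = 0
    while success_within_attempts(attacker_rate, questions, attempts) > max_attacker_success:
        questions += 1
    return questions


def tradeoff_table(max_questions: int, attempts: int = 3) -> list:
    """Rows of (questions, genuine-user lock-out rate, attacker success rate)."""
    rows = []
    for k in range(1, max_questions + 1):
        lockout = 1.0 - success_within_attempts(LEGIT_RECALL_RATE, k, attempts)
        attacker = success_within_attempts(ATTACKER_GUESS_RATE, k, attempts)
        rows.append((k, lockout, attacker))
    return rows


if __name__ == "__main__":
    for k, lockout, attacker in tradeoff_table(6):
        print(f"{k} question(s): lock-out {lockout:.1%}, attacker success {attacker:.1%}")
```

With these rates, holding a three-try attacker below a 0.1% success chance takes five questions, at which point more than four in five genuine users are locked out.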
Why should you find an alternative to KBA?
Once considered the industry standard for identity verification, especially in financial services, KBA is simply no longer enough to protect businesses – and consumers – against fraudsters.
According to a 2021 research report from Aite-Novarica, most financial institutions are reducing their reliance on KBA, with 12% reducing by more than 75% and 18% reducing by up to 50%.
What are the alternatives to KBA identity verification in the digital age?
In the early days of the Internet, before some 65% of the global population was online, KBA offered a decent layer of protection. However, in today’s digital age, the high friction and low level of security offered by KBA make it a poor choice.
Luckily, there are a number of alternatives to ineffective KBA identity verification. Let’s look at a few below and their associated pros and cons.
Multi-factor authentication
Multi-factor authentication (MFA) protocols require two or more authentication factors from a user before access is granted. Two-factor authentication (2FA) combines any two of the following: something the user knows, something the user has, or something the user is. Most commonly, 2FA combines a username and password with a unique verification code that is texted or emailed to the user.
Pros: As we have written about extensively when PSD2 ushered in 2FA/Strong Customer Authentication (SCA) for electronic payments, 2FA is secure; should a hacker guess a user’s password, they still cannot access the account as they don’t have the second factor required. It’s also really effective and convenient for consumers who live on their smartphones.
Cons: Entering two or more authentication factors takes time and extra time means friction. Furthermore, fraudsters can find a workaround to MFA. Remember back to Uber’s cyberattack in 2022. Ultimately, because MFA relies on human behavior and decision-making, it is prone to hackers exploiting it. Indeed, NIST has declared SMS-based 2FA insecure.
Database solutions
Database solutions leverage offline, online and social media data, along with behavioral patterns, to verify an identity online and determine whether the person behind it is a bad actor, a bot or a legitimate user.
Pros: Database solutions can pull from a wide variety of sources for identity verification purposes which, ultimately, can reduce the burden on manual review teams. Better still, when API-based, database solutions are relatively flexible.
Cons: Unfortunately, database solutions often fail to meet compliance/regulatory requirements because they are unable to verify if the user providing the information is actually the same user behind the transaction. This isn’t exactly ideal!
Online identity verification solutions
An online identity verification solution is an automated suite of online tools that allows businesses to verify their users and consumers. The right solution will leverage a powerful combination of artificial intelligence, biometrics and machine learning to not only protect the business and the consumer against fraud but also ensure compliance.
Pros: The right online identity verification solution will deliver a high level of verification assurance and the results are generated in real-time.
Cons: Depending on the solution, some involve an excessive amount of friction, slowing down the identity verification process. For example, requiring the user to capture a photo of their ID or take a selfie can slow down a transaction or onboarding.
How does Mastercard Identity help businesses with identity verification in the digital age?
Exceptional digital identity verification isn’t just important for compliance reasons, it is vital to keep your business – and your consumers – safe. Mastercard Identity has a seamless, powerful online identity verification solution that balances fraud prevention with customer experience.
Our tools help businesses make quick and accurate risk decisions, expediting the user experience for good customers while still preventing bad actors from using stolen or synthetic identities to gain access. A must in today’s ever-evolving digital economy.
To learn more about how our identity verification solutions can help you combat fraud without impacting your customer experience, contact us today.