Knowledge-Based Authentication (KBA) Explained

Javed Shah

Knowledge-Based Authentication (KBA), is a security measure used to verify a person’s identity by asking them to provide specific information that only they should know.
How Does Knowledge-Based Authentication Work?
The idea is that these questions serve as a block for other individuals who should not know the user’s private information but which the user has immediate knowledge of (and does not have to memorize).

KBA questions can be generated in two primary approaches: static and dynamic.

Static KBA
Static approaches involve selecting a set of predetermined questions that users can choose from when setting up their KBA. These questions are often personal, referring to highly personalized experiences or preferences that would be difficult for an attacker to guess without directly knowing the user.

Examples of static KBA questions include:

  • What is your mother’s maiden name?
  • What was the name of your first pet?
  • In what city were you born?
  • What is your favorite book?

These questions are typically selected during user onboarding. Later, when the user accesses the account, they are asked to provide the answers to those same questions.

Dynamic KBA
Dynamic approaches, as a form of adaptive authentication, will generate questions based on information from various data sources tied to the user, such as public records, credit reports, or social media profiles. The system uses algorithms to select relevant, personalized questions only the user should know. Examples of dynamic KBA questions include:

  • Which of the following addresses have you lived at in the past?
  • What was the name of your elementary school?
  • Which of these phone numbers have you previously used?
  • What bank/financial institution/auto lender do you have a loan/bank account/credit account with?

The generation process for dynamic KBA questions typically involves data aggregation and analysis to create a set of potential questions.

Both static and dynamic KBA have their pros and cons, with static KBA being more straightforward to implement but potentially less secure due to the limited set of questions. Dynamic KBA is more secure since it generates personalized questions based on the user’s unique background. Still, it requires access to reliable data sources and can be more complex to implement.

How Effective Is Knowledge-Based Authentication?

KBA can provide a reasonable level of security in cases where it is used with other authentication methods. As a standalone method, however, it has some limitations.
Some of the critical issues with KBA include:

  • Guessable Answers: Answers to static KBA questions may be easy to guess or research using publicly available information, such as social media profiles, online directories, or leaked data from breaches. This makes KBA more susceptible to attacks by determined adversaries.
  • Data Breaches: If an organization suffers a data breach, the answers to KBA questions may be compromised, rendering the KBA process ineffective for affected users.
  • Knowledge and Memory: Users might need to remember their answers, leading to account lockouts and frustration. Additionally, users might give easy-to-guess or common answers that are easier to guess.
  • Social Engineering: Attackers can use techniques like phishing or pretexting, to trick users into revealing the answers to their KBA questions.

Due to these limitations, KBA is generally considered less secure than other authentication methods like multi-factor authentication (MFA) or biometrics. While it can still serve as an additional layer of security, organizations are increasingly adopting more advanced and secure authentication methods to protect user accounts and sensitive information better.

Is Knowledge-Based Authentication Used in Multi-Factor Authentication?

MFA requires users to present multiple factors to verify their identity before granting access to a system, application, or resource.

These factors are typically classified into three categories:

  • Knowledge: This factor includes information that only the user should know, such as passwords, personal identification numbers (PINs), or answers to knowledge-based authentication (KBA) questions.
  • Possession: This factor involves something the user physically possesses, such as a hardware token, a one-time password (OTP) sent to a registered mobile device, or a software token generated by an authenticator app.
  • Inherence: This factor refers to biometric characteristics unique to the user, such as fingerprints, facial recognition, voice recognition, or iris/retina scans.

Knowledge-based authentication can fit into the knowledge category. But, broadly, KBA isn’t a replacement for passwords or PINs. However, and more appropriately, KBA can provide another, easy-to-implement layer on top of MFA.

So, for example, if a user attempts to access their credit report, the provider can ask for a password and a one-time password sent via email. Then, when the user logs in, the provider can use dynamic KBA to ask questions related to the credit report, adding another layer of security to an incredibly sensitive document.

What Are Some Alternatives to Knowledge-Based Authentication?

Several alternatives to Knowledge-Based Authentication (KBA) provide more secure and reliable methods for verifying a user’s identity. Some popular alternatives include:

  • Token-Based Authentication: One-time passwords are unique, time-sensitive codes generated by a dedicated hardware token, mobile device, or software application. The user must enter the OTP in addition to their standard password to authenticate their identity. Since OTPs expire after a short period or upon use, they offer a more secure alternative to KBA.
  • Device Authentication: Verification systems can use push notifications or apps to allow users the ability to authenticate via their device, typically a mobile device. While these devices can be compromised, they will, at minimum, greatly reduce the attack surface that could impact those users.
  • Biometrics: Biometric authentication relies on unique physical or behavioral characteristics, such as fingerprints, behavioral biometrics, or facial scans, to verify a user’s identity. Biometric authentication is more secure than KBA because it is based on features unique to the individual, making it difficult for attackers to spoof.

These alternatives offer varying levels of security, usability, and implementation complexity, depending on the specific use case and the organization’s requirements. Many organizations opt for a combination of these methods to provide a more robust and secure authentication process.

Ground Your Security in Identity-Based Authentication with 1Kosmos

Knowledge-based authentication is a useful companion to other forms of identity verification but only a small part of it. Implementing such solutions can help add layers of security but don’t serve as a replacement for solid security techniques like identity verification, biometrics, and passwordless authentication.

1Kosmos provides these critical fundamentals through the following features:

  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture, and the encrypted data is only accessible by the user.
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain and encrypts digital identities and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.
  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.

Sign up for our newsletter to learn more about how BlockID can support real security and help mitigate phishing attacks. Also, read our whitepaper on how to Go Beyond Passwordless Solutions.

FIDO2 Authentication with 1Kosmos
Read More
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.