Knowledge-Based Authentication (KBA) is an identity verification method that relies on the user answering personal security questions based on information that only they should know. This sometimes includes information the customer has provided, like the name of their first pet, or information from databases, like selecting a street the customer once lived on or a car the customer once owned. KBA has declined in usage due to vulnerabilities, including public data leaks and the ease of social engineering to obtain this information. KBA can be made more robust when it is combined with biometric authentication, multi-factor authentication (MFA), or passive liveness detection.
Use case/ examples of Knowledge-Based Authentication (KBA)
Account recovery: Verifying user identity through the use of pre-set security questions and/or out-of-wallet knowledge-based questions related to the customer's personal history when resetting forgotten passwords or recovering locked accounts.
Step-up security for high-risk transactions: Including an additional verification layer, like biometric or OTP-based authentication, for sensitive transactions or account changes. This might include large fund transfers or other activities like the use of a new device.