Knowledge-based authentication (KBA) is an identity verification method that empowers you to verify a customer’s identity using highly personalized “out of wallet” questions.
Knowledge-based authentication, or “KBA,” is an identity verification method in which users are asked one or more personalized questions that are known only to them. KBA is a form of “out-of-wallet” authentication that is often used to lend additional surety to IDV processes that leverage other methods of verification such as identity data or documents.
There are two common types of KBA: static and dynamic. Veratad only uses dynamically-generated questions augmented by machine learning and AI to create highly secure KBA workflows.
Static KBA employs questions based on personal information regarding static details such as addresses or phone numbers, with users required to provide correct answers during the authentication process. However, static KBA’s effectiveness has diminished due to security vulnerabilities such as data breaches and the ease with which bad actors can obtain a user’s answers to static KBA questions.
To address the limitations of static KBA, Veratad leverages dynamic KBA which incorporates context-specific questions that are harder for fraudsters to figure out. Dynamic KBA questions are AI-generated from public and private records collected using the signer’s social security number. They may range from demographic questions to questions related to credit transactions.
Knowledge-Based Authentication (KBA) is commonly used by businesses in industries that require a high level of identity verification and security measures in place. Here are a few examples.
Banks, credit unions, and other financial service and technology providers often utilize KBA to verify the identities of customers during the onboarding process, to facilitate access to online banking, or when conducting high-value transactions.
Sellers of age-restricted merchandise including alcohol, tobacco, gambling, and adult content use KBA to verify customers are of legal age to purchase their products. To enhance accuracy, they often combine KBA with other verification methods.
Businesses operating in the eCommerce sector rely on KBA to prevent fraudulent activities, protect against account takeovers, and ensure the security of online transactions.
Universities and online learning platforms may employ KBA to verify the identities of students during the admission process, secure access to student portals, or prevent academic fraud.
Healthcare providers such as hospitals, clinics, and telemedicine platforms employ KBA to verify patient identities, safeguard medical data, and ensure compliance with data protection regulations.
KBA is often used by insurance providers to validate the identities of policyholders, prevent insurance fraud, and ensure the accuracy of claims processing.
While KBA has faced criticisms and limitations in recent years, it is not accurate to say that knowledge-based authentication is dead or that businesses no longer have use for it. In fact, when employed as part of a multi-layered age and identity verification strategy, KBA can add tremendous value, enhancing assurance and security.
Knowledge-based authentication can be used as one factor in a 2FA setup. After the user provides something they know (e.g., a password), they can be prompted with KBA questions to further validate their identity. This combination adds an extra layer of assurance.
KBA can add an additional layer of security after identification documents have been verified. This combination reduces reliance on documents alone, balances security with user experience, and helps prevent fraud attempts based on stolen or counterfeit documents.
KBA can be used in conjunction with data-based verification methods as an added step. Data verification involves validating an individual’s identity by cross-referencing their provided information against a variety of reliable data sources.
Biometric authentication, such as fingerprint or facial recognition, can be combined with out-of-wallet knowledge-based authentication. Users first provide their biometric data, which is compared to a stored template. If the biometric match is successful, they can be asked KBA questions as an additional layer of assurance.
KBA questions offer an ideal way to reduce friction in processes that can sometimes frustrate customers, such as those associated with onboarding, transactions, and account login. This is primarily because KBA allows users to cycle complete verification steps without needing to reach into their wallet to produce specific documents. This is also what makes KBA easy to deploy as an additional escalation layer when further identity assurance is needed.
Implementing a KBA solution can be complicated without an experienced identity verification provider to help you integrate and deploy it effectively. That said, a typical implementation will include the following steps.
A business identifies its specific use case for KBA and determines where it will be integrated, such as during user onboarding or transactional processes.
Next, they select a reliable KBA provider that offers a robust set of questions and answers based on relevant personal information.
The KBA solution is then integrated, often via an API, into the business’s existing system or application.
During the integration, businesses configure their desired KBA settings, including the types of questions to be asked and the level of security required.
The KBA solution is tested and validated to ensure accuracy and effectiveness.
Businesses monitor and review the KBA implementation to adapt to changing security needs and potential vulnerabilities, ensuring ongoing protection against fraud and unauthorized access.
Every business is unique and sometimes KBA isn’t the most appropriate method for a given verification need. There are several alternatives to KBA that can offer enhanced security and help mitigate some of the limitations associated with KBA, particularly the static variety. Here are a few examples.
Data-based identity verification is a method that involves verifying the identity of individuals by cross-referencing their provided information with reliable data sources, such as public records, credit reports, or government databases.
Document-based verification is a process of confirming the identity of individuals by validating the authenticity and legitimacy of official identification documents they provide, such as passports, driver’s licenses, or ID cards.
Veratad’s smart two-factor authentication adds an extra layer of protection by requiring two different forms of identification for authentication. It typically involves a combination of something the user knows (e.g., a password or PIN) and something the user possesses (e.g., a physical token, mobile device, or fingerprint).
Biometric verification relies on unique biological characteristics or behavioral traits of individuals such as fingerprints, facial recognition, or voice patterns which are captured and compared against pre-registered templates or databases to verify and authenticate their identity.
Effective KBA questions provide an added layer of security, especially when combined with data verification, possession-based document verification, or multi-factor authentication. Our dynamic, out-of-wallet challenge questions are non-intrusive and easily deployed when you need an enhanced authentication solution.
The cost of a KBA solution can vary depending on several factors, including the verification provider, the level of customization and integration required, the volume of transactions, and the specific features and capabilities of the KBA age or identity solution. Pricing models for KBA solutions can differ, such as per transaction, tiered pricing based on usage levels, or subscription-based models. It is recommended for businesses to reach out to KBA providers directly to discuss their specific needs and obtain accurate pricing information tailored to their requirements.
While there has been a shift in the popularity of KBA, it is still regarded as a secure form of ID verification if the personal information used is secure and the connected databases are also properly safeguarded.
Knowledge-based authentication challenge questions come from data associated with an individual. This can be from a credit bureau, a DMV or government entity, a mobile carrier or another secure source. Reputable KBA providers never share data or results with non-authorized individuals.
KBA is used as all or part of an identity verification workflow for user onboarding, a purchase, or another event that requires certainty that an individual is who they say they are. KBA is often used upon escalation after another verification method returns an unclear or negative response, or to provide an additional layer or surety and security.
As is the case for all Veratad’s data verification services, upon completion of a KBA verification transaction, Veratad only stores a “footprint” of each transaction for audit, reporting and compliance purposes. This means that Veratad does not store any sensitive personal information associated with a knowledge-based authentication transaction.
KBA is among the most common identity verification methods deployed by leading companies. It is an effective way to gain or add certainty that an individual is who they say they are, as it relies upon knowledge that only one or a few people would have.
Like any verification method, KBA can add friction to an onboarding or purchase process. When properly deployed, however, KBA represents only a few seconds of a user’s time.
Let Veratad show you what rapid, flexible and integrated identity verification can do for your business.
