Knowledge-Based Authentication


Knowledge-Based Authentication (KBA or Knowledge-Based Verification, KBV) is an Authentication Method and a Authentication Factor.

Static Knowledge-Based Authentication#

Static Knowledge-Based Authentication or Identity questions are nothing more than a Shared Secrets and has been deprecated by NIST.SP.800-63B

Dynamic Knowledge-Based Authentication #

Dynamic Knowledge-Based Authentication is a higher level Of Assurance that uses knowledge questions to verify each Digital Identity, but does not require the person to have provided the questions and answers beforehand.

Dynamic Knowledge-Based Authentication questions are compiled from Public data and private data such as marketing data, credit reports, or transaction history.

To initiate the process, basic identification factors, such as name, address, and date of birth must be provided by the consumer and checked with a Verifier. After the Identity Proofing, questions are generated in real time from the data records corresponding to the Digital Identity provided. Typically the knowledge needed to answer the questions is not available in a person's wallet (some companies call them "out-of-wallet questions"), making it difficult for anyone other than the actual Person to know the answer and obtain access to secured information. Generally the period of time for the person is given to respond to questions and the number of attempts is limited to prevent answers from being researched.

Dynamic Knowledge-Based Authentication is employed in several different industries to verify the identities of customers as a means of fraud prevention and compliance adherence. Because Dynamic Knowledge-Based Authentication is not based on an existing relationship with a consumer, it gives businesses a way to have higher Identity Assurance Level on the Digital Identity during Credential Enrollment or in a Password Recovery condition.

NIST.SP.800-63-3 section 4.3.1 Authenticators#

Knowledge-Based Authentication, where the claimant is prompted to answer questions that are presumably known only by the claimant, also does not constitute an acceptable secret for digital authentication. A biometric also does not constitute a secret. Accordingly, these guidelines only allow the use of biometrics for authentication when strongly bound to a physical authenticator.

Employee Badge#

Several Organizational Entities Ldapwiki has done work with use Knowledge-Based Authentication on their Help Desk or Password Management Applications for Credential Resets. Often the Identity questions answers are readily available on the Employee Badge and perhaps that Bob had a birthday last week. Ldapwiki has long though

Data Breaches#

With the many Data Breaches Knowledge-Based Authentication systems that many organizations use has been compromised. Asking a customer to verify their Digital Identity by confirming their former employers, addresses, or mother's birthdays, when attackers know all that data - plus what magazines they subscribe to and so forth.

More Information#

There might be more information for this subject on one of the following: