Overview#
Knowledge-Based Authentication (KBA, or Knowledge-Based Verification, KBV) is an Authentication Method and an Authentication Factor.
Static Knowledge-Based Authentication#
Static Knowledge-Based Authentication, or Identity questions, is nothing more than a Shared Secret, and has been deprecated by NIST.SP.800-63B, which does not accept it as a secret for digital authentication.
Dynamic Knowledge-Based Authentication#
Dynamic Knowledge-Based Authentication provides a higher Level Of Assurance. It uses knowledge questions to verify each Digital Identity, but does not require the person to have provided the questions and answers beforehand.
Dynamic Knowledge-Based Authentication questions are compiled from public data and from private data such as marketing data, credit reports, or transaction history.
To initiate the process, the consumer provides basic identification factors, such as name, address, and date of birth, which are checked with a Verifier. After this Identity Proofing step, questions are generated in real time from the data records that correspond to the Digital Identity claimed. Typically the knowledge needed to answer the questions is not available in a person's wallet (some companies call them "out-of-wallet questions"), making it difficult for anyone other than the actual Person to know the answers and obtain access to secured information. Generally both the time the person is given to respond and the number of attempts allowed are limited, to prevent answers from being researched.
Dynamic Knowledge-Based Authentication is employed in several different industries to verify the identities of customers as a means of fraud prevention and compliance adherence. Because Dynamic Knowledge-Based Authentication is not based on an existing relationship with a consumer, it gives businesses a way to reach a higher Identity Assurance Level for the Digital Identity during Credential Enrollment or in a Password Recovery condition.
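The flow described above, as an added example that is not part of the LDAPWiki page or of any vendor's product: a minimal Dynamic KBA verifier that looks up the claimed identity by the basic identification factors, builds out-of-wallet multiple-choice questions in real time from the matching record, and enforces the time limit and attempt limit. The records, distractors, prompts and the person "Alice Example" are constructed sample data; a real Verifier would draw them from credit headers or transaction history. The last function quantifies what the limits buy: the chance that an attacker who knows nothing about the person passes by blind guessing.

```python
# Added example (not from LDAPWiki): a minimal Dynamic KBA verifier.
# All records, distractors and prompts are constructed sample data.
import hmac
import math
import secrets
import unicodedata
from dataclasses import dataclass

# Constructed records keyed by the basic identification factors collected first
# (normalized full name, date of birth). Values are the "out-of-wallet" facts.
RECORDS = {
    ("alice example", "1985-03-14"): {
        "mortgage_lender": "First Constructed Bank",
        "prior_street": "Maple Avenue",
        "vehicle_make": "Subaru",
        "employer_2012": "Acme Corp",
    },
}

# Fixed distractor set per attribute. Keeping it fixed matters: if distractors were
# re-drawn from a large pool each session, the correct answer would be the one option
# present every time, and an attacker could learn it just by starting sessions.
DISTRACTORS = {
    "mortgage_lender": ["Second Constructed Bank", "Sample Credit Union", "Example Mortgage Co"],
    "prior_street": ["Oak Street", "Pine Road", "Elm Court"],
    "vehicle_make": ["Toyota", "Ford", "Honda"],
    "employer_2012": ["Globex LLC", "Initech", "Umbrella Inc"],
}

PROMPTS = {
    "mortgage_lender": "Which lender holds or held your mortgage?",
    "prior_street": "On which street did you previously live?",
    "vehicle_make": "Which make of vehicle is or was registered to you?",
    "employer_2012": "Who was your employer in 2012?",
}


def normalize(text: str) -> str:
    """Fold case, Unicode form and whitespace so 'ACME  Corp' matches 'Acme Corp'."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())


@dataclass
class Session:
    questions: list      # (attribute, prompt, shuffled options) shown to the claimant
    answers: dict        # attribute -> correct option; server side only, never sent
    deadline: float      # absolute time after which the session is void
    attempts_left: int
    required: int        # correct answers needed to pass
    passed: bool = False
    locked: bool = False


def start_session(name, dob, now, n_questions=4, ttl_seconds=120, attempts=2, required=4):
    """Identity Proofing step: look up the claimed identity and build questions in real time."""
    record = RECORDS.get((normalize(name), dob))
    if record is None:
        return None  # no data for the claimed identity; no questions are issued
    rng = secrets.SystemRandom()  # CSPRNG so question choice and option order are unpredictable
    attrs = rng.sample(sorted(record), k=min(n_questions, len(record)))
    questions, answers = [], {}
    for attr in attrs:
        options = [record[attr]] + DISTRACTORS[attr]
        rng.shuffle(options)
        questions.append((attr, PROMPTS[attr], options))
        answers[attr] = record[attr]
    return Session(questions, answers, now + ttl_seconds, attempts, required)


def submit(session, responses, now):
    """Score one attempt. Returns 'passed', 'retry', 'locked', 'expired' or 'closed'.
    Only an overall status is returned, never which individual answers were wrong."""
    if session.passed or session.locked:
        return "closed"
    if now > session.deadline:
        session.locked = True
        return "expired"
    session.attempts_left -= 1
    correct = 0
    for attr, expected in session.answers.items():
        given = normalize(responses.get(attr, "")).encode()
        if hmac.compare_digest(given, normalize(expected).encode()):
            correct += 1
    if correct >= session.required:
        session.passed = True
        return "passed"
    if session.attempts_left <= 0:
        session.locked = True  # attempt limit reached
        return "locked"
    return "retry"


def blind_guess_success(n_questions, n_options, required, attempts):
    """Chance an attacker with no knowledge of the person passes within `attempts` tries."""
    p = 1 / n_options
    per_try = sum(
        math.comb(n_questions, k) * p ** k * (1 - p) ** (n_questions - k)
        for k in range(required, n_questions + 1)
    )
    return 1 - (1 - per_try) ** attempts


if __name__ == "__main__":
    s = start_session("Alice Example", "1985-03-14", now=0.0)
    for _attr, prompt, options in s.questions:
        print(prompt, options)
    print(f"blind guess success, 4 questions x 4 options, 2 attempts: {blind_guess_success(4, 4, 4, 2):.3%}")
```

With four questions of four options, all required and two attempts, a blind guesser passes well under 1% of the time; relaxing to three of four correct, or allowing unlimited attempts, raises that quickly, which is why the time and attempt limits are part of the method rather than an optional hardening. None of this helps against an attacker who already holds the person's data, which is the concern raised in the sections that follow.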
NIST.SP.800-63B states: "Knowledge-Based Authentication, where the claimant is prompted to answer questions that are presumably known only by the claimant, also does not constitute an acceptable secret for digital authentication. A biometric also does not constitute a secret. Accordingly, these guidelines only allow the use of biometrics for authentication when strongly bound to a physical authenticator."
Several Organizational Entities that LDAPWiki has done work with use Knowledge-Based Authentication on their Help Desk or in their Password Management Applications for Credential Resets. Often the answers to the Identity questions are readily available on the Employee Badge, or are common knowledge around the office (everyone knows Bob had a birthday last week).
LDAPWiki has long thought that, with the many Data Breaches, the Knowledge-Based Authentication systems many organizations use have been compromised. It makes little sense to ask a customer to verify their Digital Identity by confirming their former employers, addresses, or mother's birthday when attackers know all that data, plus what magazines they subscribe to and so forth.