Knowledge-based authentication
Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information.

Static KBA (Shared Secrets)

Static KBA, also referred to as "shared secrets" or "shared secret questions", is commonly used by banks, financial services companies and e-mail providers to prove the identity of the customer before allowing account access, or as a fall-back if the user forgets their password. At the point of initial contact with a customer, a business using static KBA must collect the information to be shared between the provider and customer, most commonly the question(s) and corresponding answer(s). This data must then be stored, only to be retrieved when the customer comes back to access the account.
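The collection, storage and retrieval step described above is where static KBA is usually done badly, so here is an added example (written for this article, not code from any provider mentioned here) of how the shared secrets should be held: answers are normalized, salted and hashed like passwords, only the questions are sent back when the customer returns, and the comparison is constant-time. The names `STORE`, `enroll`, `challenge` and `verify` and the sample questions are constructed for the illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# In-memory stand-in for the provider's credential database (constructed for this example).
# Maps a user id to a list of (question, salt, hashed answer) records.
STORE: dict[str, list[tuple[str, bytes, bytes]]] = {}

PBKDF2_ROUNDS = 100_000


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so case, spacing and Unicode form do not lock the user out."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers to shared-secret questions are low entropy, so they get the same
    # slow, salted hashing a password would rather than being stored in clear.
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )


def enroll(user_id: str, qa_pairs: list[tuple[str, str]]) -> None:
    """Initial contact: record the agreed questions and the hashes of their answers."""
    records = []
    for question, answer in qa_pairs:
        salt = os.urandom(16)  # fresh salt per answer, never reused
        records.append((question, salt, hash_answer(answer, salt)))
    STORE[user_id] = records


def challenge(user_id: str) -> list[str]:
    """Later contact: present only the questions; the answers never leave the server."""
    return [question for question, _, _ in STORE.get(user_id, [])]


def verify(user_id: str, answers: list[str]) -> bool:
    """All answers must match; every slot is checked even after a miss."""
    records = STORE.get(user_id)
    if records is None or len(answers) != len(records):
        return False
    all_ok = True
    for (_, salt, expected), given in zip(records, answers):
        if not hmac.compare_digest(expected, hash_answer(given, salt)):
            all_ok = False  # keep going so timing does not reveal which slot failed
    return all_ok


if __name__ == "__main__":
    enroll("alice", [("Name of your first pet?", "Rex"), ("City of birth?", "Springfield")])
    print(challenge("alice"))
    print(verify("alice", ["rex", "  SPRINGFIELD "]))
```

The same store shape serves the secret-picture and secret-sound variants: the "answer" is then an identifier for the chosen image or clip, hashed in the same way.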

The weakness of static KBA was demonstrated in an incident in 2008 (the Sarah Palin email hack) in which unauthorised access was gained to the e-mail account of former Alaska Governor Sarah Palin. The Yahoo! account's password could be reset using shared secret questions, including "where did you meet your spouse?", along with the former governor's date of birth and zip code, the answers to which were easily available online.

Some identity verification providers have recently introduced secret sounds and/or secret pictures in an effort to help secure sites and information. These tactics require the same methods of data storage and retrieval as secret questions.

Dynamic KBA

Dynamic KBA is a higher level of verification that also uses knowledge questions to verify an individual's identity, but requires no previous contact: the questions are generated on the fly from information in a consumer's aggregated personal data file (public records), compiled marketing data, or credit report.

To initiate the process, the consumer must provide basic identification factors such as name, address and date of birth. Questions are then generated in real time from the data records corresponding to the identity provided. Typically the knowledge needed to answer them is not carried in a wallet (some companies call them "out-of-wallet questions"), making it difficult for anyone other than the person whose identity is claimed to know the answers and gain access to secured information.

Dynamic KBA is employed in several industries to verify customers' identities as a means of fraud prevention and regulatory compliance. Because this type of KBA does not depend on an existing relationship with the consumer, it gives businesses a way to obtain higher assurance of a customer's identity during account origination.
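The dynamic flow described in this section, as an added example (written for this article, not any vendor's product): the consumer's name and date of birth locate a record in an aggregated data file, multiple-choice questions are generated from that record on the fly with distractors drawn from the same domain, and the session is graded against a threshold. The records, distractor pools, prompts and every function name here are constructed for the illustration; a real provider's file is far larger and the threshold is tuned against its fraud and false-reject rates.

```python
import random
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for an aggregated data file (public records, marketing data,
# credit report); every name, street, vehicle and lender below is invented.
RECORDS = [
    {
        "name": "jane doe",
        "dob": "1980-04-12",
        "previous_streets": ["Elm Street", "Birch Road"],
        "vehicles": ["2012 Honda Civic"],
        "lenders": ["First Example Bank"],
    },
]

# Distractors come from the same domain as the true items so a wrong option looks as
# plausible as the right one. None of these appear in any record above.
DISTRACTORS = {
    "previous_streets": ["Oak Avenue", "Maple Drive", "Pine Court", "Cedar Lane"],
    "vehicles": ["2015 Ford Focus", "2009 Toyota Camry", "2018 Subaru Outback", "2011 Chevrolet Malibu"],
    "lenders": ["Second Example Credit Union", "Example Mortgage Co", "Third Example Bank", "Sample Savings"],
}

PROMPTS = {
    "previous_streets": "Which of these streets have you previously lived on?",
    "vehicles": "Which of these vehicles have you owned or leased?",
    "lenders": "Which of these lenders have you held a loan with?",
}

NONE_OF_THE_ABOVE = "None of the above"


@dataclass
class Question:
    prompt: str
    choices: list[str]
    answer: str  # held server-side for this session only; never sent to the client


def lookup_record(name: str, dob: str) -> Optional[dict]:
    """Locate the data file from the basic identification factors the consumer supplies."""
    key = " ".join(name.casefold().split())
    for record in RECORDS:
        if record["name"] == key and record["dob"] == dob:
            return record
    return None


def generate_questions(record: dict, rng: Optional[random.Random] = None, options: int = 4) -> list[Question]:
    """Build a fresh question set from the record; nothing is agreed with the user beforehand."""
    if rng is None:
        rng = random.SystemRandom()
    questions = []
    for field_name, prompt in PROMPTS.items():
        if rng.random() < 0.7:
            # True item present among plausible distractors
            correct = rng.choice(record[field_name])
            choices = rng.sample(DISTRACTORS[field_name], options - 1) + [correct]
        else:
            # Only distractors: the honest answer is "None of the above", which defeats
            # the strategy of always picking the most familiar-looking option
            correct = NONE_OF_THE_ABOVE
            choices = rng.sample(DISTRACTORS[field_name], options)
        rng.shuffle(choices)
        questions.append(Question(prompt, choices + [NONE_OF_THE_ABOVE], correct))
    return questions


def grade(questions: list[Question], responses: list[str], min_correct: int) -> bool:
    """Pass/fail against a threshold on the number of correct answers."""
    if len(responses) != len(questions):
        return False
    correct = sum(1 for q, r in zip(questions, responses) if r == q.answer)
    return correct >= min_correct


def run_session(name: str, dob: str, responder, min_correct: int = 3) -> bool:
    """Full flow: identify the record, generate questions, grade the caller's responses."""
    record = lookup_record(name, dob)
    if record is None:
        return False  # no file to question from: cannot verify, use another method
    questions = generate_questions(record)
    # The responder sees only the prompt and choices, never the answer
    responses = [responder(q.prompt, q.choices) for q in questions]
    return grade(questions, responses, min_correct)


if __name__ == "__main__":
    for q in generate_questions(lookup_record("Jane Doe", "1980-04-12")):
        print(q.prompt, q.choices)
```

The `run_session` responder only ever receives prompts and choices, which is the point of the design: the answers exist on the server for the length of one session and are discarded, so there is no long-lived shared secret to leak the way a static question bank can.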
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.