KBA Is Making Your Business and Customers Vulnerable- Here’s Why

You might have heard of knowledge-based authentication, or KBA. In short, it’s a type of authentication that asks you to verify your identity with personal information that only you should know. For example, when you log in to an account or reset your password, there’s usually a question like “What was your first pet’s name?” A good KBA question should have only one correct answer, and that answer should be hard to guess or to discover through research.

There are three different forms of KBA: Static, dynamic, and enhanced KBA. 

  • Static KBA allows users to choose their own security questions and answers. These questions can include, for example, “What is your mother’s maiden name?” or “What city did you grow up in?” 
  • Dynamic KBA uses questions that are based on the public records or credit history of an individual; these questions are generated in real-time. These questions are known as “out-of-wallet” questions because the information asked cannot be easily found in someone’s wallet. Questions can include “Which of these addresses is not somewhere you’ve lived?”
  • Enhanced KBA uses both static and dynamic questions, as well as other methods, including biometrics like fingerprints or facial recognition technology.

This system is utilized extensively for authentication in many industries and applications and is fairly easy to deploy at a nominal cost. Unfortunately, it isn’t always the optimal solution, especially as fraud techniques become more sophisticated. We’ll elaborate on that further in the sections ahead.

KBA isn’t foolproof, and the threats to your info are only increasing

If you think that KBA is foolproof, you’re wrong. KBA can be broken, and malicious users can bypass it.

KBA is not a one-size-fits-all solution because the information behind these answers, like Social Security numbers and dates of birth, can be found on the Internet. Identity thieves are waiting for people to leave breadcrumbs on social media, or gain a window into their private lives through friends who post photos of them online.

This means that anyone with a keyboard can answer your security questions by running a Google search or reading public posts on Facebook and other social networks, where people share their personal information freely without realizing it could be used against them one day.

Additionally, there is a limited number of questions any system can use. Couple this limitation with the millions of Americans who have had their personal details stolen via data breaches and the third-party data aggregators that sell the information used for KBA questions, and the risk that these questions are easily guessed by bad actors is high.  

Social media leaves KBA breadcrumbs for identity thieves

Social media is a treasure trove of personal information that anyone with an internet connection can easily access.

Thanks to search engines, it’s easy to find out more about someone based on their social media profiles — especially if they don’t have any privacy settings in place or don’t use them effectively (which happens frequently).

That means all an attacker has to do is look up a person’s name and see what comes up to get an idea of who they are, where they live and work, and what other accounts they might have. A bad actor can then keep digging through those accounts until they find something valuable enough to use later, whether in a direct attack or in an identity theft scam built on stolen credentials or credit card data taken from earlier victims.

Most social media users leave breadcrumbs for identity thieves by sharing information on social media. In fact, many people don’t even realize it. When your LinkedIn profile says that you studied at a particular university, hackers can use that information to steal your identity. The same goes for other things like pictures, posts, and comments – they’re all data points that can give away who you are and what’s important to you.

The problem is that these services aren’t under our control: we can’t stop people from seeing what we share with them or stealing this information to impersonate us online (or even offline).

KBA’s fail rates are a cause for concern

KBA is not foolproof: A KBA’s fail rate will always be higher than that of a password since it relies on information that can be easily obtained. Any information shared publicly on social media (such as a birthday, pet’s name, etc.) or in other public forums can be used by hackers to break into accounts. This high risk of attack and data breaches has led NIST to no longer recognize KBA as an acceptable authenticator.

KBA is not easy to use: Unlike passwords, which let users create their own secret and type it in each time they log in, KBA requires users to provide answers based on facts they already know or remember. This can be challenging because people often struggle to recall accurate details from long-ago events and experiences. In fact, Gartner reported that between 10 and 15% of legitimate customers experience fail rates due to forgotten passwords, making for a frustrating experience and a higher rate of manual reviews for the companies using this method.

KBA friction often leads to fewer conversions

When it comes to security and user experience, the battle is always one of balance. If you make something secure enough that no one can break it, it will be so difficult to use that few people can—or want to—complete a transaction. As questions increase in difficulty, so do user drop-offs.

The same goes for the opposite of the above statement: If you make something easy enough to use, there’s nothing stopping fraudsters from taking advantage of your system.

KBA is ineffective at preventing fraud, and it simultaneously frustrates legitimate users with cumbersome authentication processes and a plague of forgotten answers to questions. KBA often sees an increased number of customer drop-offs, impacting a business’s bottom line.

KBA may not be foolproof by itself (or even with other methods), but its widespread adoption is still costing businesses time and money every day — time which could be spent fighting fraud instead of wasting resources on inefficient and ineffective solutions. In fact, according to a 2021 Aite-Novarica report, a growing number of financial institutions are leaving KBA behind completely, as KBA’s high friction and lower security make it a poor choice in the digital realm.

Upgrading won’t work for KBA

Even if a KBA system is upgraded, it still falls prey to the data breaches, social media vulnerabilities, and fraud concerns that are mentioned above. Fraudsters love the vulnerability of this data. 

Asking someone to enter their username and password every time they want access to something is not scalable or dynamic, especially when we live in an environment where technology changes frequently. It also means that there will always be human errors when using these types of authentication methods.

Next-gen technology is the answer to ineffective KBA

As we move forward in online security, it’s increasingly clear that KBA is not the best solution for most organizations. It has its place, but it’s clear that a variety of other options offer better solutions. This includes comprehensive, multi-level fraud-fighting technology approaches that streamline user experience while keeping information safe.

The answer to ineffective KBA is multi-factor authentication (MFA) technology. Advances in biometrics, machine learning, and our own mobile devices have made alternatives more appealing to consumers, with easy transaction processes that also keep personal information private. For businesses, this technology means better security and less fraud, which is good for the bottom line.

Digital identity verification platforms use machine learning and AI to determine that a person is who they say they are, via document-centric checks and/or biometric authentication.

Harnessing the power of MFA

MFA (multi-factor authentication) boasts a higher level of security and ease of use than KBA alone. MFA can be used with passwords, biometrics, or even blockchain. As the name suggests, MFA utilizes multiple factors: something you know (like a password or PIN), something you have (like a phone or token), and/or something you are (like a fingerprint or facial scan).

MFA has distinct advantages over KBA and passwords. When your password is stolen by an attacker or someone who knows you, they can take over your other accounts as well if that password gives them access. But with MFA, a stolen password is only one piece of the puzzle needed to break into your account; the attacker can’t reproduce the additional authentication factors, especially if they’re biometric.
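The point above matters in practice: a password and a KBA question are both “something you know,” so pairing them is not MFA. The policy check below is an added example, not AuthenticID’s code; it uses a hypothetical factor catalogue and treats KBA as a step that can accompany, but never replace, an independent factor.

```python
from dataclasses import dataclass

# The three factor categories named in the post.
KNOW, HAVE, ARE = "know", "have", "are"

# Hypothetical factor-type catalogue (constructed for this example).
FACTOR_CATEGORY = {
    "password": KNOW,
    "pin": KNOW,
    "static_kba": KNOW,     # user-chosen security questions
    "dynamic_kba": KNOW,    # out-of-wallet questions from public records
    "totp": HAVE,
    "hardware_token": HAVE,
    "fingerprint": ARE,
    "face_match": ARE,
}

# KBA answers are frequently discoverable from social media or breach data,
# so this policy never lets a KBA step count as an independent factor.
KBA_TYPES = {"static_kba", "dynamic_kba"}


@dataclass
class Decision:
    allowed: bool
    distinct_categories: int
    reason: str


def evaluate(presented, required_categories=2):
    """Decide whether the completed factor types satisfy an MFA policy.

    `presented` lists the factor-type names the user completed. Access is
    allowed only when factors from `required_categories` distinct categories
    are present, with KBA excluded from that count."""
    unknown = [f for f in presented if f not in FACTOR_CATEGORY]
    if unknown:
        return Decision(False, 0, f"unknown factor type(s): {unknown}")
    categories = {FACTOR_CATEGORY[f] for f in presented if f not in KBA_TYPES}
    n = len(categories)
    if n >= required_categories:
        return Decision(True, n, "distinct factor categories satisfied")
    if any(f in KBA_TYPES for f in presented):
        return Decision(False, n, "KBA does not count as an independent factor")
    return Decision(False, n, "all factors come from the same category")
```

Password plus a security question is rejected with one counted category, while password plus a TOTP code, or a face match plus a hardware token, passes.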

Biometric authentication technology can help

Biometric authentication can include fingerprints, voice recognition, selfie scans, and more. Today, facial biometric technology is a fast, simple way for users to authenticate themselves without cumbersome KBA or a high risk of fraud.

The most significant advantage of biometrics is that it doesn’t require memorizing or typing in a password to authenticate yourself. It’s also more convenient than traditional two-factor authentication, since you can use your face or fingerprint to log into a device without pulling out your phone and entering a code, much like clearing security at the airport.

How it works: Your unique biological features act as proof that you’re you—in this case, your selfie—and they’re not as easily stolen as passwords and KBA questions and answers, especially when used in combination with other authentication methods like MFA. In addition to being more resistant to fraud, they give a business greater confidence that a person is who they say they are and help it meet Know Your Customer (KYC) requirements.

Easily Replace KBA

The team at AuthenticID can show you how easy it is to replace your legacy KBA system with one that is safer and offers a better user experience for your customers, meaning you’ll see operational expense savings and a real impact on your bottom line. Contact us today to see our fully automated identity verification solutions in action.