If you are wondering what knowledge-based authentication (KBA) is, consider the question 'what is your pet's first name?'. If you know the answer, congratulations: as far as the system is concerned, you are who you say you are. Such questions are asked to verify a person's identity before granting access to an online platform; the assumption is that only the genuine person has the knowledge needed to answer, hence the name KBA questions. The trouble is that this kind of information about a person can be found online with little effort. Having seen how weak such questions are, the industry is moving towards stricter but still usable ways of granting access.
The Basics of Knowledge-Based Authentication or KBA
Any KBA question, whether a pre-registered security question (static KBA) or one generated on the fly from records about the user (dynamic KBA), is supposed to satisfy four requirements;
- The question should be suitable for a large population
- The user should easily be able to remember the answer
- There should be one correct answer
- Others should not be able to guess it
Going through this list alone shows that the last requirement pulls against the first two: an answer that a large population can remember is usually short and drawn from a small set of common values, which is exactly what makes it guessable. The premise is that whoever answers these KBA questions correctly is the account holder. In practice it is simply whoever answers correctly, and that can be anyone who has found or guessed the answer.
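The fourth requirement can be measured rather than asserted. The following added example (not code from the original article) takes a population's answers to one question and computes how often an attacker with no knowledge of the victim succeeds by trying the most common answers, plus the min-entropy that figure corresponds to. The answer distribution is constructed for illustration, not survey data.

```python
"""Measuring how guessable a KBA answer is across a population.

Added example, not part of the original article. The answer
distribution below is constructed for illustration, not survey data.
"""
import math
from collections import Counter


def normalize(answer: str) -> str:
    """Canonicalize an answer the way a lenient verifier would (case and
    whitespace insensitive). Lenience helps users remember the answer, but
    it also shrinks the space an attacker has to search."""
    return " ".join(answer.strip().lower().split())


def answer_distribution(answers):
    """Return (counter of normalized answers, total number of answers)."""
    counter = Counter(normalize(a) for a in answers)
    return counter, sum(counter.values())


def guess_success_rate(answers, guesses: int) -> float:
    """Fraction of the population an attacker compromises by trying the
    `guesses` most common answers, knowing nothing about the victim."""
    counter, total = answer_distribution(answers)
    top = sum(n for _, n in counter.most_common(guesses))
    return top / total


def min_entropy_bits(answers) -> float:
    """Min-entropy: -log2 of the probability of the most likely answer.
    This, not Shannon entropy, is the right measure for a one-shot guesser."""
    counter, total = answer_distribution(answers)
    return -math.log2(counter.most_common(1)[0][1] / total)


def shannon_entropy_bits(answers) -> float:
    """Average-case entropy; always >= min-entropy, so it flatters a question."""
    counter, total = answer_distribution(answers)
    return -sum((n / total) * math.log2(n / total) for n in counter.values())


# Constructed sample: 60 answers to "what is your pet's first name?"
# (made up for this example, with deliberately messy casing/spacing).
PET_NAME_ANSWERS = (
    ["Max"] * 12 + ["Bella"] * 10 + ["Charlie"] * 8 + ["Lucy"] * 7
    + ["Buddy"] * 6 + [" daisy "] * 5 + ["Molly"] * 4 + ["Rocky"] * 3
    + ["Pancake", "Ziggy", "Nimbus", "Toffee", "Biscuit"]
)


def assess(answers, allowed_attempts: int = 3) -> dict:
    """Summarize how a question fares against an attacker who gets
    `allowed_attempts` tries before the account locks."""
    return {
        "population": answer_distribution(answers)[1],
        "top1_success": guess_success_rate(answers, 1),
        "lockout_success": guess_success_rate(answers, allowed_attempts),
        "min_entropy_bits": min_entropy_bits(answers),
        "shannon_entropy_bits": shannon_entropy_bits(answers),
    }


if __name__ == "__main__":
    for key, value in assess(PET_NAME_ANSWERS).items():
        print(f"{key:22} {value:.3f}" if isinstance(value, float) else f"{key:22} {value}")
```

With this sample, a single blind guess of "max" succeeds against one in five accounts and three guesses against half of them, i.e. the question offers about 2.3 bits of min-entropy. Running the same assessment over a real answer corpus before adopting a question is the check a practitioner would want; any question whose lockout-window success rate is not close to zero should not stand alone.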
What Went Wrong with KBA
Knowledge-based authentication is one of the most common and easiest ways to verify identity online, and it is used by banks, credit bureaus and many other institutions. It was once regarded as secure, but a steady stream of data breaches and rising cyber security standards have left KBA questions regarded as the weakest verification system in common use.
Also, with the spread of social media, finding personal information about a person has become trivial. Here are four reasons why knowledge-based authentication through KBA questions is a weak security measure;
- Easy to Find Information on Social Media
It is very easy to find information about a person on social media, and the more they engage online the more 'crumbs' they leave for identity thieves. Go to LinkedIn to find where a person works, visit Facebook to find the movies they like, search a Twitter handle to see their political affiliations, and so on. These breadcrumbs are the answers to KBA questions, and an attacker can assemble them without ever touching the target's account.
- Information is for Sale
There are only a finite number of KBA questions in circulation, so working out the answers for a given person is not that hard. After breaching a website, attackers put the stolen records up for sale on underground markets. Pay the right price and someone's personal information, the very kind KBA questions rely on, is yours in minutes.
- Agonizingly Slow User Login Process
Every online portal balances usability against security. Add KBA questions and the whole login or sign-up flow slows down. The more friction the authentication process adds, the more customers abandon the form half-finished, which for an e-commerce website means fewer sales.
- KBA – The All-Access Pass
The old form of KBA granted access after the security questions were answered, and that access was all or nothing: once in, an identity thief had the keys to the candy store and could do anything the account holder could. Different actions should require different checks, at different levels of assurance. Changing your profile picture does not carry the same risk as transferring $1000 into someone else's account, and the authentication demanded before each should reflect that.
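The tiered approach described above is usually called step-up authentication. The following added example (not code from the original article) shows one way to express it: each action is mapped to a minimum assurance level and to a maximum age for the check that established that level, so a stale strong check does not count and a fresh weak one never substitutes for a strong one. The level names, the time limits and the $1000 cut-off are assumptions chosen for illustration.

```python
"""Step-up authentication policy: each action demands a minimum assurance
level and a maximum age for the verification that established it.

Added example, not taken from the original article. Level names, time
limits and the $1000 high-value threshold are assumed for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """Ordered by how hard each factor is to find, steal or replay."""
    NONE = 0
    KNOWLEDGE = 1   # password or KBA answers: something the user knows
    POSSESSION = 2  # OTP app or hardware token: something the user has
    BIOMETRIC = 3   # face match with liveness check: something the user is


@dataclass
class Session:
    user: str
    # Unix time of the most recent successful check at each level.
    verified_at: dict = field(default_factory=dict)

    def record(self, level: Assurance, now: float) -> None:
        """Called by the login / step-up handler after a successful check."""
        self.verified_at[level] = now


# Assumed policy table: action -> (minimum level, max age of that check, seconds).
HIGH_VALUE_TRANSFER = 1000.0
ACTION_POLICY = {
    "change_profile_picture": (Assurance.KNOWLEDGE, 24 * 3600),
    "view_balance": (Assurance.KNOWLEDGE, 24 * 3600),
    "change_email": (Assurance.POSSESSION, 10 * 60),
    "transfer_funds": (Assurance.POSSESSION, 5 * 60),
    "transfer_funds_high_value": (Assurance.BIOMETRIC, 2 * 60),
}


def policy_for(action: str, amount: float = 0.0):
    """Map an action (and, for transfers, the amount) to its requirement."""
    if action == "transfer_funds" and amount >= HIGH_VALUE_TRANSFER:
        action = "transfer_funds_high_value"
    return ACTION_POLICY[action]


def authorize(session: Session, action: str, now: float, amount: float = 0.0):
    """Return (allowed, reason) for the requested action.

    Any check at or above the required level counts, but only while it is
    younger than the policy's maximum age for this action."""
    required, max_age = policy_for(action, amount)
    strong_enough = {lvl: t for lvl, t in session.verified_at.items() if lvl >= required}
    if not strong_enough:
        return False, f"step-up required: {required.name}"
    if all(now - t > max_age for t in strong_enough.values()):
        return False, f"re-verify: {required.name} check older than {max_age}s"
    return True, "ok"


if __name__ == "__main__":
    s = Session("alice")
    s.record(Assurance.KNOWLEDGE, now=1000)          # logged in with password/KBA
    print(authorize(s, "change_profile_picture", now=1000))
    print(authorize(s, "transfer_funds", now=1000, amount=50))     # needs OTP
    s.record(Assurance.POSSESSION, now=1000)         # OTP accepted
    print(authorize(s, "transfer_funds", now=1100, amount=50))     # ok
    print(authorize(s, "transfer_funds", now=1400, amount=50))     # OTP too old
    print(authorize(s, "transfer_funds", now=1100, amount=5000))   # needs face check
```

The point of keeping a timestamp per level, rather than a single "authenticated at" field, is that a later low-assurance check must not refresh the lifetime of an earlier high-assurance one; otherwise a thief who knows the KBA answers could keep an old biometric verification alive indefinitely.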
What about KBA 2.0?
Upgrading the old system won't solve the problem, because authentication still rests on KBA questions whose answers are becoming ever easier to acquire. Just look at your email spam folder: you have probably never heard of most of those companies, yet they know who you are and what you are interested in anyway.
Modern forms of Verification
- Facial Recognition
The authentication trend has gravitated towards facial recognition. It is harder to appear as someone else in front of a camera than to recite a pet's name, and the obvious trick, holding a printed photo or a replayed video up to the camera, is precisely what liveness detection is designed to catch. It is not foolproof, since such presentation attacks keep evolving, which is why facial verification is best deployed together with a liveness check and other factors rather than on its own.
Facial recognition is becoming increasingly popular, specifically with banks, which use it not only to grant access to existing accounts but, in pilot projects, to onboard new customers. They are constantly on the hunt for the best online verification services.
- Securing Identity with a Chain
The year 2017 saw the rise of cryptocurrencies; Bitcoin reached an unprecedented high. This wave also drew attention to the technology that runs the cryptocurrencies, the blockchain. A misconception is worth clearing up before proceeding.
Blockchain technology is not confined to cryptocurrency. It is a distributed, append-only ledger whose entries are chained together with cryptographic hashes and replicated across many nodes, so that no single party can quietly rewrite the history. Once such an open ledger is in place it can record communication, monetary transactions, smart contracts and many other things.
What a blockchain offers for identity is that every entry is signed with a private key that only its owner holds, and the matching public key (or an address derived from it) serves as the owner's persistent identifier on the ledger. Nobody can forge a transaction under that identifier without the private key. The caveat is that the key itself can be stolen or lost, and unlike a KBA answer it cannot be reset by a help desk, so protecting custody of that key becomes the whole security problem.
The bottom line
Knowledge-based authentication is slow, unsafe and vulnerable to attack. Services based on deep learning and artificial intelligence are replacing KBA questions; they are much faster and, combined with the other factors described above, safer. Through an API they integrate readily with websites and smartphone applications. Going forward, solutions such as facial verification and liveness tests will become common.
Even though knowledge-based authentication is considered unsafe, KBA questions can still be useful in some cases. Companies that hold sensitive user data can generate their own dynamic KBA questions from records an outsider is unlikely to have. Combining KBA questions with behaviour analysis also helps: monitoring how a customer fills in the form can flag unusual patterns, such as answers pasted in or many attempts in quick succession, while the form is still being completed. But since technology is constantly advancing, it is time to adopt a better, more robust solution that matches your current security protocols and needs.