Making Knowledge Based Authentication (KBA) Work!

Many people are familiar with knowledge-based authentication (KBA), but probably not by name.  You know it when you visit your bank site and you have to tell them the name of your pet in order to get in.  Sound familiar now?

Authentication is broken down into three forms:

  1. Something you have – grid card, cell phone, dongle
  2. Something you know – password, answers to questions, personal information
  3. Something you are – fingerprint, eye retina

Using more than one form of authentication is known as multi-factor authentication.  KBA is “something you know” and, used in conjunction with a password, increases the strength of authentication.  KBA is then further broken into two more categories:

  1. Static – these questions are set up during registration and rarely change.  Example: What is your favorite ice cream?
  2. Dynamic – these change often based on activities or transactions you may have recently conducted.  Example: How much was the last purchase on your credit card?

For this discussion, I’ll focus on Static KBA.  In theory, Static KBA is a great way to increase authentication strength.  In addition, it could reduce the number of helpdesk tickets and increase the productivity of employees and third-party partners.  While there are immediate benefits, there are also several challenges to implementing this properly.

Question Selection

This may seem like a slam dunk, but selecting the questions for your KBA implementation is the single most important item you’ll have to cover.  With the advent of social media, previously private information is now semi-public.  What’s the name of your favorite pet?  I’m sure someone in your social circle can track it down.  GoodSecurityQuestions.com created a great framework for developing KBA questions.  These guidelines help you form questions that are Safe, Stable, Memorable and Definitive (SSMD).  A full guide on following these guidelines can be found here.

Policy Implementation

Gartner touted User Experience (UX) as a major factor in how customers interact with companies online.  The first impression of your customer’s UX is set by your authentication policies.  Here are the key considerations when forming a KBA policy.

  • Number of Questions During Registration
  • Number of Questions During Authentication
  • Number of Tries Before Lockout
  • Case Sensitivity of Answers
  • Answer Length
  • Soundex Matching for Misspellings

Here is a list of “gotchas” that also need to be built into your policy.

  • Same Answer for Multiple Questions
  • Answer can’t be a word from the question
  • Answers can’t be PII – name, SSN, etc.
  • Answers should be limited to one word
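As an added example (not code from the original post), here is a small Python policy enforcer that covers the knobs and gotchas above: case-insensitive answers, length bounds, a single word, no word from the question, no PII, distinct answers across questions, and Soundex matching for misspellings at verification time. The numeric limits, the PBKDF2 storage and the Soundex fallback are my assumptions, not the author's.

```python
import hashlib, hmac, os, re

MIN_LEN, MAX_LEN, ROUNDS = 3, 32, 100_000  # assumed values; the post names the knobs, not numbers
SSN = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
CODES = {c: d for ls, d in (("bfpv", "1"), ("cgjkqsxz", "2"), ("dt", "3"),
                            ("l", "4"), ("mn", "5"), ("r", "6")) for c in ls}
normalize = lambda s: s.strip().lower()  # case-insensitive, trimmed form for every comparison

def soundex(word):
    """Standard American Soundex (Robert -> R163), used to tolerate misspellings."""
    word = "".join(ch for ch in word.lower() if ch.isalpha())
    if not word: return ""
    out, last = word[0].upper(), CODES.get(word[0], "")
    for ch in word[1:]:
        code = CODES.get(ch, "")
        if code and code != last:
            out += code
        if ch not in "hw":  # h and w do not separate repeated codes
            last = code
    return (out + "000")[:4]

def validate_registration(qa_pairs, profile):
    """Return the policy 'gotchas' violated by (question, answer) pairs; profile holds known PII."""
    errors, seen, pii = [], set(), {normalize(v) for v in profile.values()}
    for question, answer in qa_pairs:
        a = normalize(answer)
        checks = [
            (not a or re.search(r"\s", a), "answer must be a single word"),
            (not MIN_LEN <= len(a) <= MAX_LEN, f"answer length must be {MIN_LEN}-{MAX_LEN}"),
            (a in re.findall(r"[a-z0-9]+", question.lower()), "answer is a word from the question"),
            (a in pii or SSN.match(a), "answer looks like PII"),
            (a in seen, "same answer used for multiple questions"),
        ]
        errors += [f"{question}: {msg}" for bad, msg in checks if bad]
        seen.add(a)
    return errors

def _hash(value, salt):
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, ROUNDS)
def enroll(answer, salt=None):
    """Store salted hashes of the exact answer and of its Soundex code, never the answer itself."""
    a, salt = normalize(answer), salt or os.urandom(16)
    return {"salt": salt, "exact": _hash(a, salt), "soundex": _hash(soundex(a), salt)}

def verify(record, candidate):
    """Exact match first, then Soundex fallback so a typo still passes."""
    a, salt = normalize(candidate), record["salt"]
    return (hmac.compare_digest(_hash(a, salt), record["exact"])
            or hmac.compare_digest(_hash(soundex(a), salt), record["soundex"]))
```

Soundex maps answers onto only a few thousand codes, so the stored Soundex hash is far weaker than the exact-answer hash if the repository leaks; pair it with a strict tries-before-lockout limit.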

The last word on policy implementation is to use the same KBA repository across multiple platforms.  Having users register multiple questions, multiple times, defeats the purpose of implementing this in the first place.

Static KBA can’t be “Static”

LexisNexis and other knowledge brokers were recently breached.  The extent of the information disclosed is still unknown.  As more private and semi-public information goes public on the internet, hackers are busy building ways to monetize your personal information.  This, coupled with information stolen from knowledge brokers, is a surefire recipe for identity theft.

Be vigilant and audit your authentication policies every three months or when an adverse event occurs.  This will allow you to be agile in how you respond to market conditions.