Why are we still asking KBA questions to authenticate identity?

Do you remember the name of your second-grade teacher? How about your maternal grandfather’s middle name? If you’ve ever forgotten a password, you’ve no doubt experienced the frustration of Knowledge-Based Authentication (KBA) firsthand when trying to gain access to one of your accounts.

According to a Neustar poll conducted during a recent American Banker webinar, 63% of banks still wholly rely on KBA questions to authenticate a customer. It’s hard to believe that we live in an age where we can fly helicopters on Mars, yet still employ such crude tools to verify a customer’s identity.

It is commonly understood that KBA represents an area of annoyance and friction not just for the users but also for businesses who must protect themselves – and their customers – from fraudulent schemes such as account takeover and identity theft.

The problem with KBA becomes especially dire when considering that most large enterprise organizations outsource their customer service to third-party contact centers. As a result, the employees who staff these contact centers are increasingly being targeted by hacker rings who recognize they are a ripe target for exploitation. This is one of the many reasons why the Federal Financial Institutions Examination Council’s 2021 guidelines strongly recommend against dependence on knowledge-based questions to verify identity.

Given the known weaknesses of KBA and the availability of more sophisticated authentication technologies, why do they continue to persist and what should a modern authentication system look like?

No hacking required

While KBA might have offered a sufficient layer of protection in the early days of the internet, the vast amount of personal information available online and via social media has resulted in its diminished utility.

Even the laziest cybercriminal can find answers to common questions about your personal background with a simple Google search. And for other more personal questions, they don’t even have to do any digging given the willingness of users to offer up this information on social media.

If you spend any time on Facebook, you’ve no doubt seen someone you know pose a seemingly nostalgic question to their feed, like “What was your first car?” Or perhaps someone shared some variation of a harmless quiz in which your Dr. Seuss character can be derived by combining the name of your first pet and the name of the street you grew up on. Put enough of these answers together and suddenly a bad actor has compiled a handy dossier of personal information that they can then exploit to access a consumer’s bank or credit card account.

The risks of KBA questions

The federal government has long acknowledged the risks presented by KBAs and the NIST’s own guidelines expressly disavows KBA for digital applications: “The ease with which an attacker can discover the answers to many KBA questions, and the relatively small number of possible choices for many of them, cause KBA to have an unacceptably high risk of successful use by an attacker.”

Meanwhile a study by Google found that only 47% of people could remember what they put down as their favorite food a year earlier – and that hackers were able to guess the food nearly 20 percent of the time, with Americans’ most common answer (of course) being pizza. And even when a user does remember the correct answer to one of these questions, they sometimes forget the precise form of their answer, all of which leads to a frustrating customer experience.

Protracted verification times inevitably lead to customer abandonment of transactions such as opening a new account, resulting in delayed or lost business. Unsurprisingly, the longer it takes to verify a customer’s identity, the more likely it is they will abandon the process entirely.

This is the fine line that companies must balance: How do you provide a frictionless and streamlined user experience without exposing your business and your customers to fraudulent activities?

Towards a risk-based approach to authentication

Resolving the tension between security and customer experiences requires a new approach – one that puts risk squarely at the center of the authentication nexus. A risk-based approach adapts to a company’s specific authentication policies in real-time. It’s dynamic in that it frequently combines two or more authentication and authorization technologies into a unified approach that delivers the right level of authentication based on the various risk factors present during a transaction.

A risk-based approach abandons the static, single locked gate in favor of a contextual and continuous approach where the method and rigor of authentication is determined by the risk factors present. For instance, if a customer is logging in from a known location, with a reputable device, and is requesting to perform a low-risk activity such as checking the balance on their checking account, you probably don’t need to force them to jump through every single authentication hoop.

Conversely, if a customer is logging into an application from a problematic geographic region and is attempting to transfer funds, such risk factors would automatically trigger a second or third authentication factor such as requiring a biometric check, a user-defined PIN code, or requiring the user to respond to a one-time passcode.

As the old saying goes, context is everything. Being context-aware in this regard involves considering risks near and far while evaluating all the possible risks at the moment of authentication. Seemingly minor contextual factors such as whether the user’s phone has been jailbroken or a device reporting odd screen resolutions on their own may not indicate a high risk, but when those factors are considered in aggregate they could be a strong indicator that something is amiss.

While authentication protocols like knowledge-based questions are not the most hardened security layer, they can still be a useful part of a more robust authentication scheme, provided that risk is being continuously measured across the customer experience. However, minus this context they amount to little more than security theater.