
Knowledge-based authentication

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Erik9bot (talk | contribs) at 19:20, 18 September 2009 (add template:uncategorized). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Knowledge-based authentication, commonly referred to as KBA, is a security method used to protect personal information. It verifies the identity of a person before granting access to certain information or Web sites. As the name suggests, KBA requires knowledge of the individual's personal information in order to grant access to the protected material. KBA is used in two very different forms.

Static KBA (Shared Secrets)

Static KBA, also referred to as shared secrets or shared secret questions, is commonly used by banks, financial services companies and e-mail providers to prove the identity of the customer before allowing account access. At the point of initial contact with a customer, a business using static KBA must collect the information to be shared between the provider and the customer, most commonly the question(s) and corresponding answer(s). This data must then be stored, to be retrieved only when the customer returns to access the account. Static KBA came under fire in the fall of 2008 when a person hijacked the Yahoo! account of former Alaska Governor Sarah Palin. The account was secured with the shared secret question “where did you meet your spouse?”; using the correct answer, together with the former governor's date of birth and zip code, the attacker gained access and the information was compromised. Some identity verification providers have recently introduced secret sounds and/or secret pictures in an effort to help secure sites and information. These tactics require the same methods of data storage and retrieval as secret questions.
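The storage-and-retrieval step described above, as an added example that is not part of the article: a static KBA enrollment and verification routine in Python. It assumes the answer is normalized and stored as a salted PBKDF2 hash rather than in clear text, compared in constant time, and locked after a fixed number of wrong guesses; the sample answer, the iteration count and the attempt limit are constructed for illustration.

```python
"""Static KBA (shared-secret questions): enrollment and verification.

Added example, not from the Wikipedia article. It shows the storage and
retrieval step the article describes, storing a salted hash of a normalized
answer instead of the answer itself and comparing in constant time.
The sample record and tuning parameters are constructed for illustration.
"""
import hashlib
import hmac
import os
import re
import unicodedata

# Hypothetical tuning parameters (assumption, not from the article).
PBKDF2_ITERATIONS = 200_000
MAX_ATTEMPTS = 5


def normalize_answer(answer: str) -> str:
    """Canonicalize free-text answers so 'Saint  Paul, MN' and 'saint paul mn' match."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)          # drop punctuation
    return re.sub(r"\s+", " ", text).strip()     # collapse whitespace


def enroll(question: str, answer: str) -> dict:
    """Store the shared secret as a salted PBKDF2 hash, never as plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ITERATIONS
    )
    return {"question": question, "salt": salt, "digest": digest, "failures": 0}


def verify(record: dict, answer: str) -> bool:
    """Check a supplied answer; lock the secret after MAX_ATTEMPTS failures."""
    if record["failures"] >= MAX_ATTEMPTS:
        return False  # locked: too many guesses, force a different recovery path
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), record["salt"], PBKDF2_ITERATIONS
    )
    if hmac.compare_digest(candidate, record["digest"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


if __name__ == "__main__":
    # Constructed sample enrollment using the question quoted in the article.
    rec = enroll("Where did you meet your spouse?", "Saint Paul, MN")
    print(verify(rec, "saint paul mn"))   # True
    print(verify(rec, "Minneapolis"))     # False
```

The normalization step matters in both directions: without it, legitimate customers fail on capitalization or punctuation and are pushed toward weaker recovery paths, while the hash and attempt limit keep a stolen database or an online guessing run from yielding the answer directly.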

Dynamic KBA

Dynamic KBA is a high level of verification that also uses knowledge questions to verify each individual's identity; however, this method requires no previous contact, because the questions are generated on the fly from information in a consumer's personal aggregated data file (public records), compiled marketing data or credit report. To initiate the process, the consumer must provide basic identification factors such as name, address and date of birth. Questions are then generated in real time from the data records corresponding to the identity provided. Typically the knowledge needed to answer these questions is not carried in a wallet (some companies call them out-of-wallet questions), making it difficult for anyone other than the actual person to know the answers and obtain access to secured information. Dynamic KBA is employed in several different industries to verify the identities of customers as a means of fraud prevention and compliance adherence. Because this type of KBA is not based on an existing relationship with a consumer, it gives businesses a way to achieve higher assurance of customer identity during account origination.
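An added example, not from the article or any vendor, of how the dynamic flow above can be implemented: a Python routine that builds out-of-wallet multiple-choice questions on the fly from a consumer's aggregated record, mixes in distractors and "none of the above" rounds, and scores the session against a threshold. The data record, distractor pools and question templates are constructed placeholders; a real deployment would draw them from public-record, marketing or credit data.

```python
"""Dynamic KBA: out-of-wallet questions generated on the fly from a data record.

Added example, not from the Wikipedia article. The record, the question
templates and the distractor pools below are constructed placeholders.
"""
import random
from dataclasses import dataclass

# Constructed aggregated data file for one identity (hypothetical values).
RECORD = {
    "prior_streets": ["Elm Street", "Lakeview Drive"],
    "prior_cities": ["Anchorage", "Wasilla"],
    "vehicle_makes": ["Subaru"],
}

# Constructed distractor pools per attribute; disjoint from the record's values.
DISTRACTORS = {
    "prior_streets": ["Maple Avenue", "Birch Lane", "Harbor Road", "Summit Court"],
    "prior_cities": ["Juneau", "Fairbanks", "Kodiak", "Sitka"],
    "vehicle_makes": ["Ford", "Toyota", "Honda", "Volvo"],
}

TEMPLATES = {
    "prior_streets": "Which of these streets have you lived on?",
    "prior_cities": "In which of these cities have you previously lived?",
    "vehicle_makes": "Which of these vehicle makes have you owned?",
}

NONE_OPTION = "None of the above"


@dataclass
class Question:
    attribute: str
    text: str
    options: list
    correct: str  # kept server-side; only `text` and `options` go to the consumer


def new_rng(seed=None):
    """Unpredictable randomness for real sessions; a seeded generator only for tests."""
    return random.Random(seed) if seed is not None else random.SystemRandom()


def generate_questions(record, rng, per_question=4, none_rate=0.25):
    """Build one multiple-choice question per attribute. With probability
    none_rate the true answer is withheld and 'None of the above' is correct,
    so always picking the one familiar-looking option does not reliably pass."""
    questions = []
    for attr, template in TEMPLATES.items():
        pool = list(DISTRACTORS[attr])
        rng.shuffle(pool)
        if rng.random() < none_rate:
            options, correct = pool[:per_question], NONE_OPTION
        else:
            correct = rng.choice(record[attr])
            options = pool[:per_question - 1] + [correct]
            rng.shuffle(options)
        questions.append(Question(attr, template, options + [NONE_OPTION], correct))
    return questions


def score(questions, answers, threshold=None):
    """Return (passed, number_correct); by default all but one must be right."""
    if threshold is None:
        threshold = len(questions) - 1
    correct = sum(1 for q, a in zip(questions, answers) if a == q.correct)
    return correct >= threshold, correct


if __name__ == "__main__":
    session = generate_questions(RECORD, new_rng())
    for q in session:
        print(q.text, q.options)
    print(score(session, [q.correct for q in session]))   # (True, 3)
```

Two design points worth noting: the correct answer never leaves the server, and the session randomness comes from `SystemRandom` unless a seed is supplied for testing, so question sets cannot be predicted from one session to the next.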
