What is knowledge-based authentication?
Knowledge-based authentication (KBA) is an authentication scheme in which the user is asked to answer at least one "secret" question. KBA is often used as a component in multifactor authentication (MFA) and for self-service password retrieval.
Secret questions can be static or dynamic. In a static scheme, the end user pre-selects the questions he would like to be asked and provides the correct answers. The question/answer pairs are stored by the host and used later to verify the end user's identity. In a dynamic scheme, the end user has no idea what question will be asked. Instead, the question/answer pairs are determined by harvesting data in public records.
KBA questions can be factual, like "What city were you born in?" or "What color Ford Mustang was registered to you in New York State in 2002?" or they can be about preferences, like "What is your favorite food?" or "Who was your favorite teacher?" Both static and dynamic schemes rely on the assumption that if someone knows the correct answers to the secret questions, their identity has been confirmed.
Josh Levin explores the problems that KBA poses for end users in the article "In What City Did You Honeymoon?"
Expert Joel Dubin answers the question "Are knowledge-based authentication systems doing more harm than good?"