knowledge-based authentication (KBA)

Knowledge-based authentication (KBA) is an authentication scheme in which the user is asked to answer at least one "secret" question. KBA is often used as a component in multifactor authentication (MFA) and for self-service password retrieval.

A good KBA question should meet these four criteria:

1. The question should be appropriate for a large segment of the population.

2. The answer should be something that is easily remembered.

3. The question should only have one correct answer. 

4. The answer should not be easy to guess or discover through research. 

KBA questions can be static or dynamic. Both static and dynamic schemes rely on the assumption that if someone knows the correct answers to the secret questions, their identity has been confirmed.

In a static scheme, the end user pre-selects the questions they would like to be asked and provides the correct answers. The question/answer pairs are stored by the host and used later to verify the person's identity. KBA questions can be factual, like "Where did you spend your honeymoon?" or "How many pets do you have?", or they can be about preferences, like "What is your favorite food?" or "Who was your favorite teacher?" The problem with static KBA questions is that if the user has shared that information on a social media site, the answer can be easily guessed or looked up.

In a dynamic scheme, the end user has no idea what question will be asked. Instead, the question/answer pairs are determined by harvesting data from public records. Examples of dynamic KBA questions are "What was your street address when you were 10 years old?" or "What color Ford Mustang was registered to you in New York State in 2002?" Although the answers to dynamic questions could be researched, it would take time, and time is something the answerer is not given. If the respondent does not answer the dynamic question within a certain time period, the question is discarded and treated as a wrong answer.
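The two schemes above can be shown side by side in code. The following is an added example written for this page, not code from the original article or from any KBA vendor. It implements a static verifier that stores the user's chosen answers only as salted PBKDF2 hashes (normalized so that spacing and case do not matter), compares them in constant time and locks a question after a fixed number of wrong guesses; and a dynamic verifier that issues a host-chosen question with a deadline, where an answer arriving after the deadline is discarded and counted as wrong, as the text describes. The questions, answers and "public record" data are constructed for illustration, and the class and function names are the example's own.

```python
"""Added example: minimal static and dynamic KBA verifiers (not from the article)."""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # work factor for stored answer hashes
MAX_ATTEMPTS = 3              # wrong guesses allowed per static question


def normalize(answer: str) -> str:
    """Trim, collapse whitespace and case-fold so 'Lisbon ' == 'lisbon'."""
    return " ".join(answer.strip().casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the normalized answer."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


class StaticKBA:
    """User-selected questions; the host keeps only salt + hash per answer."""

    def __init__(self):
        self._records = {}   # question -> (salt, hash)
        self._failures = {}  # question -> wrong guesses so far

    def enroll(self, question: str, answer: str) -> None:
        salt = os.urandom(16)
        self._records[question] = (salt, hash_answer(answer, salt))
        self._failures[question] = 0

    def verify(self, question: str, answer: str) -> bool:
        if question not in self._records:
            return False
        if self._failures[question] >= MAX_ATTEMPTS:
            return False  # locked: too many wrong guesses on this question
        salt, expected = self._records[question]
        ok = hmac.compare_digest(hash_answer(answer, salt), expected)
        if not ok:
            self._failures[question] += 1
        return ok


class DynamicKBA:
    """Host-generated questions with a deadline; a late answer is a wrong answer."""

    def __init__(self, public_record: dict, time_limit_s: float, clock=time.monotonic):
        # public_record maps question -> known answer (constructed stand-in for
        # a public-records lookup); clock is injectable so tests can control time
        self._record = public_record
        self._limit = time_limit_s
        self._clock = clock
        self._pending = {}  # challenge_id -> (question, deadline)

    def issue_challenge(self):
        """Pick a question the user could not have prepared for; return (id, question)."""
        question = secrets.choice(list(self._record))
        cid = secrets.token_hex(8)
        self._pending[cid] = (question, self._clock() + self._limit)
        return cid, question

    def answer(self, cid: str, response: str) -> bool:
        question, deadline = self._pending.pop(cid, (None, None))
        if question is None:
            return False  # unknown or already-consumed challenge
        if self._clock() > deadline:
            return False  # expired: discarded and treated as a wrong answer
        return normalize(response) == normalize(self._record[question])


if __name__ == "__main__":
    static = StaticKBA()
    static.enroll("Where did you spend your honeymoon?", "Lisbon")   # constructed
    print("static, correct:", static.verify("Where did you spend your honeymoon?", " lisbon "))
    print("static, wrong:  ", static.verify("Where did you spend your honeymoon?", "Porto"))

    record = {"What was your street address when you were 10 years old?": "12 Elm Street"}
    dynamic = DynamicKBA(record, time_limit_s=30)
    cid, question = dynamic.issue_challenge()
    print("dynamic question:", question)
    print("dynamic, in time:", dynamic.answer(cid, "12 elm street"))
```

The injectable clock and the single-use challenge id are the two details worth keeping in any real deployment: the first makes the timeout testable, and the second stops a client from replaying or retrying the same dynamic challenge after it has been answered or has expired.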

This was last updated in February 2015

In today's world, are secret questions still an effective authentication tool?
I think they are fine for some applications or sites where the information they are helping to protect is not of a critical nature, such as forums, etc., although I disfavor the use of static questions due to their limited, and often guessable, scope. But I do not think they are adequate for other situations, such as banking sites. I would much rather rely on strong passwords and even two-factor authentication as opposed to having to use something as discoverable as my mother’s maiden name to recover a password or log in.
Secret questions are a useful tier for authentication validation but are not a be-all, failsafe for today's modern online world. Having a set of user questions is effective but over the last couple of years has shown to be susceptible to hacking and decryption. One of the better methods and alternatives is now passphrases. The user creates a phrase that acts as the authentication method and has been shown to be hard to crack.
In my opinion, only if the question and answer are provided by the user. Picking from a list of predefined secret questions like mother's maiden name is not all that secure any longer with identity theft on the rise. Also questions like asking for a school or city. A lot of this can be found on social media sites.
Let the user pick a question like first girl I kissed or color of first bike.
Just got done with USAA Insurance and was told they are using KBA for Security and for Information Data Mining? And, it is being used by non-accredited unbonded employees who verify your personal Privacy... Who, has sold Banks Insurance Companies and Investment companies this Strategy? We are being Confirmed or Denied in a Business Manner? They asked about Properties I Own or used to own and are obviously "Evaluating My Worth"!!! They claim the KBA System is Priority to them in that I do not need to know who the System is from? Who, sells this KBA System so that Banks, Insurance and Investment Folks can Data Mine and Means Test us all???