Consider a system that asks personal questions to verify your identity when you’re trying to log in or change your password. The questions are often related to your personal experiences, like, “What was the name of your first school?” or “What was the first movie you watched in a theatre?” Though the system presumes that only you know the answer to such security questions, are you sure no one else knows the answers?
What is knowledge-based authentication?
KBA, also known as knowledge-based verification (KBV), is an authentication method that asks users to answer predefined or dynamically generated questions to confirm they are who they say they are, especially when logging in to their accounts or performing critical functions like financial transactions or changing account passwords.
The premise of KBA is that personal questions and answers keep people from using others’ accounts without consent: only the intended user should be able to answer questions about something they know by heart and would not struggle to recall.
Static vs. dynamic knowledge-based authentication
There are two ways KBA is typically implemented to protect user accounts from unauthorized access:
- Static KBA: Static KBA refers to the setting up of pre-defined security questions and answers by users when they sign up for a new account. These questions can be used later to prompt the users for answers when the need for verification arises. These questions usually include highly personalized information regarding the user’s life, such as their favorite author’s name, first pet’s name, birth city or other criteria.
- Dynamic KBA: In this KBA method, the system generates questions based on user data. For example, questions could be related to a user’s financial transactions, cities they lived in, previous addresses and previously owned vehicles. For this technique to work, the system requires access to past and present data that users are privy to and that can’t be easily known by others.
The pitfalls of knowledge-based authentication
At this point, knowledge-based authentication (KBA) has been around for over two decades. It is typically considered a weaker authentication method because it relies on information that cybercriminals could potentially steal or work out.
Even the National Institute of Standards and Technology (NIST) has denounced the use of KBA in its Special Publication 800-63-3, describing such security information as “often very weak.” The publication also states that “[personal information] does not constitute an acceptable secret for digital authentication.”
Knowledge-based verification has been used by organizations for a long time to secure user accounts. Though it is still used, it certainly has some serious downsides, prompting organizations to move away from it as an authentication factor.
The key disadvantages of knowledge-based authentication
Potentially easy-to-access information
Nowadays, the personal information people use for KBA can be easily accessed through social media accounts or acquired from other data sources. Bad actors can also obtain this information using social engineering attacks like phishing, smishing, whaling and more. In fact, in at least one-fifth of cases, they simply guess the right answers, bypassing the KBA system effortlessly. Other forms of information sharing are common as well. Think about the information available about you from the bumper stickers on your car: a stick-figure family shows how many children you have, a school sticker shows where your honors student goes to school, and another may show your political alignment. All of these can give clues to your security questions.
Poor user experience
Another drawback is the fading nature of users’ memories. For instance, most people have trouble recalling what they ate last night, let alone what they put as their favorite food for KBA years ago. A Google study found that after just a year, there is only a 47% success rate for getting the question about their favorite food right. This poor experience also encourages users to use the same information across multiple applications. If someone knows your mother’s maiden name and the name of your first pet, they may be able to reset your password and take control of your account.
Data privacy and inaccuracy concerns
While it is stronger than its static counterpart, dynamic KBA can be seen as meddling with people’s private financial and historical data. It might use inaccurate or forgotten information, locking users out of their own accounts. Plus, it might not work for users whose data is not available to generate questions. For example, during a very active time in my life I moved four or five times a year. These addresses were extremely temporary for me. They often come up in the dynamic knowledge-based questions I am asked to verify my identity, and frankly, I don’t remember them and am forced to guess.
Vulnerability to data breaches
Many users reuse security questions and answers across multiple accounts, just as they reuse passwords. Let’s say attackers gain access to the KBA information through a successful data breach of an organization. With the information gained from that breach, they now hold what is needed to compromise those users’ other accounts, too.
Alternative authentication methods
Since KBA is becoming less effective, many technology standards organizations, such as NIST, NSA and CISA, have listed it as a less secure factor. So, what are alternatives that organizations can look for?
MFA
MFA, short for multi-factor authentication, requires users to verify themselves with two or more authentication factors. Since passwords use the knowledge factor and are not adequately secure, MFA adds factors such as a fingerprint, one-time password, physical token, number matching, trusted device or push notification for stronger authentication.
However, according to Verizon’s 2024 DBIR, attackers used stolen credentials to execute nearly 40% of data breaches in 2023. Since implementing MFA often uses passwords as the first authentication factor, users are still required to memorize passwords. This leads to users reusing a password for multiple accounts or even forgetting passwords completely, resulting in delays and increased costs associated with Help Desk password reset calls.
Not only that, but static MFA is also vulnerable to many attack techniques, such as phishing, MITM attacks, credential stuffing, vulnerability exploitation, SIM swapping and more. That’s why it is essential for organizations to implement stronger authentication techniques to prevent unauthorized access more effectively.
Biometric authentication
This authentication technique uses difficult-to-spoof physical or behavioral characteristics of users, such as fingerprints, facial scans, retinal or iris scans and voice recognition. It works by comparing the captured data with previously stored records for identity verification.
While it’s challenging to hack a biometric authentication system, it’s not entirely impossible. For instance, cybercriminals may fool a fingerprint scanner by using advanced AI algorithms to produce fake fingerprints identical to those of a genuine user.
One way around this problem is to use a multimodal biometric authentication system that employs multiple biometrics to verify users, making it very hard to spoof. Another way is to use a combination of physical and behavioral authentication for stronger security, which involves the analysis of user behavior in addition to biological characteristics to grant or deny access.
Although the biometric system can be breached, very few bad actors have the resources to do so, making it a much better option than KBA. In almost all cases, it accurately allows you to confirm whether a person is who they claim to be. In addition, since it does not require users to remember passwords or security Q&As, it can offer a more seamless user experience.
Behavioral authentication
This technique uses advanced machine learning (ML) algorithms to verify users based on their behavior when they use their devices or interact with applications. The verification system logs each user’s unique way of doing things, such as typing speed, touchscreen swiping style, mouse movements, accessing specific resources and the like. It compares them with previously recorded user behaviors to confirm their identity.
Also known as ‘behavioral biometrics,’ this method improves the accuracy of identifying trusted users and threat actors. It is considered better than KBA since it’s nearly impossible to fake or mimic a user’s unique behavioral traits. It can also be used as an additional factor in the MFA system to strengthen your overall identity and access management (IAM) strategy instead of just relying on weak and stealable passwords.
Moreover, this technique can be enhanced when combined with adaptive risk-based authentication (RBA).
Advanced authentication
Advanced authentication, also known as context-based or risk-based authentication (RBA), is yet another robust alternative to KBA. It uses machine learning to verify identities by determining the risk of each login attempt in real time. It works by continuously monitoring and recording the login behaviors of users and building each user’s behavior profile through machine learning, based on the typical actions they perform and the environment in which they work.
When a user tries to log in to an application, their behavior is compared with their recorded behavior. The system derives a risk score based on the level of similarity between both behaviors. The more dissimilar they are, the higher the risk score is, and vice versa. Higher risk scores can prompt the system to ask users for additional authentication, or even block their login attempts.
This can enable organizations to form sophisticated strategies to manage security threats based on risk scores. It adds an extra layer of protection without bothering users, resulting in a hassle-free user experience.
It continuously tracks user activities throughout the access session to become familiar with the user’s usual behavior and uses ML algorithms to integrate it into its risk assessment strategy. Whenever the user deviates from typical behavior, the system may prompt for additional authentication or even block access temporarily to avoid potentially harmful actions in real time.
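To make the risk-scoring described above concrete, here is a small added example (not code from the original article or from any vendor product) that compares a login attempt against a stored behavior profile, derives a score from the dissimilarities, maps it to allow / step-up / block, and folds an accepted attempt back into the profile. The profile fields, weights and thresholds are assumptions chosen for illustration; a real system would learn them from login history.

```python
# Constructed baseline profile for one user, as a real RBA system would build it
# from past successful logins. Field names and values are assumptions.
PROFILE = {
    "countries": {"US"},
    "device_ids": {"laptop-7f3a", "phone-21c0"},
    "login_hours": set(range(7, 20)),    # typical local hours of day
    "typing_ms_per_char": (90.0, 25.0),  # mean and standard deviation
}

# How much each kind of deviation contributes to the risk score (assumed weights).
WEIGHTS = {"country": 40, "device": 30, "hour": 15, "typing": 15}
STEP_UP_AT, BLOCK_AT = 30, 70   # assumed thresholds on the 0-100 score


def risk_score(attempt: dict, profile: dict = PROFILE) -> int:
    """Sum the weights of every attribute that does not match the profile."""
    score = 0
    if attempt["country"] not in profile["countries"]:
        score += WEIGHTS["country"]
    if attempt["device_id"] not in profile["device_ids"]:
        score += WEIGHTS["device"]
    if attempt["hour"] not in profile["login_hours"]:
        score += WEIGHTS["hour"]
    mean, sd = profile["typing_ms_per_char"]
    if abs(attempt["typing_ms_per_char"] - mean) > 2 * sd:  # outside 2 sigma
        score += WEIGHTS["typing"]
    return score


def decide(score: int) -> str:
    """Map a score to an action: allow, ask for another factor, or block."""
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def learn(attempt: dict, profile: dict = PROFILE) -> None:
    """After a login completes successfully (including a passed step-up),
    absorb the new device and country so the profile keeps tracking the user."""
    profile["device_ids"].add(attempt["device_id"])
    profile["countries"].add(attempt["country"])


def evaluate(attempt: dict, profile: dict = PROFILE) -> str:
    """Score one attempt and return the decision the login flow should take."""
    return decide(risk_score(attempt, profile))
```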
Passwordless authentication
With this approach, you can implement digital identity verification using more sophisticated methods that don’t require your users to memorize a password or a security question and answer. Instead of relying on the knowledge (what you know) factor, it uses the factors of possession (what you have) and inherence (who you are).
You’re probably using it every day. For instance, what do you use to open your phone? Maybe a fingerprint, face or retina scan. There are several ways you can use passwordless authentication, such as physical or behavioral biometrics, possession factors like a hardware token or time-based OTP (TOTP), and magic login links.
While passwordless techniques are not completely impenetrable to cybercriminals, they are far safer than using passwords or KBA. A password, for instance, can be guessed or obtained through illicit means or brute force attacks.
Along with offering improved security, it enhances user experience by eliminating the need to memorize complex passwords. This simplifies the login process, saving users time and boosting productivity. Plus, it helps eliminate the costs of Help Desk calls for password resets.
Conclusion
Using KBA for identity verification or system access is almost as vulnerable as using weak or common passwords.
However, utilizing a combination of two or more of the techniques discussed here can improve your overall security posture.