You may want to reconsider.
Knowledge-based authentication (often abbreviated as KBA) is a mechanism used for identity verification that relies on questions, presented to the user, that only the user in question should know. Typically several questions are presented often on topics such as mortgage information (home addresses, banks, amount, refinance dates), vehicle information (make, model, loan amounts) or other personal details that only the user would have access to. In the early years of the internet, KBA was an effective mechanism for identity verification, but as more and more of our personal information is gathered, aggregated, and made available online, the population of those who have the requisite ‘knowledge’ to successfully answer these questions on behalf of anyone has become unacceptably broad. The Turn identity database engine uses dozens of proprietary algorithms and machine learning techniques to automate the data capture, compilation, and validation of an identity across 100+ billion records and thousands of databases in under ten seconds. Scary? Perhaps, but this is the increasing reality in our digital age. It requires new ways of thinking about identity, what comprises it, and how we verify it.
Let’s review the primary problems with KBA:
The information used for KBA questions is easily found via social media or other online public records data sources. Search the internet for ‘Background Check’ and you’ll find many websites that purport to offer a background check and simply tap into various public records databases of lesser or greater accuracy. The best sources of data require you to pay for it. Given that the rewards to a criminal for successfully hacking KBA can be very high, the motivation is there for criminals to subscribe to the best sources of data available. If it’s available, you can be certain someone is using this information for nefarious purposes. It slows down login. The ‘more secure’ a knowledge based question is, the more likely it is the person will not have access to that information at hand. This introduces unnecessary friction into the process while the person attempts to locate the required information. For example, if you are asked the amount of your last mortgage payment, chances are you don’t have that information at your fingertips.
The information doesn’t change over time. Security experts are always telling you that you should update your passwords frequently, right? How often does your mother’s maiden name change? How often do you buy a house, or a car, or refinance your mortgage? If the verification system you’ve built relies on information that never changes, or at best changes every few years, then you don’t have a very robust verification system. Access attempts are not throttled. If bad actors can repeatedly retry attempts at your verification system without being blocked then you are inviting brute force attempts to break the verification system.
If KBA doesn’t work, what do you suggest instead?
Identity is at the core of everything that we do at Turn. We’ve taken a fresh look at what it means to verify identity and have built our solution from the ground up.
Identity is not comprised of one single thing, so it’s important to take a holistic approach at data when trying to validate an identity. Turn looks at many different data elements in order to confirm a one-to-one identity match:
- Public records from disparate data sources
- Social media accounts
- Mobile device fingerprinting
- Secure government databases
- Location triangulation from a myriad of sources
- Alternative, non-traditional data providers
- Special sauce
Given these elements, Turn’s potential comes from a combination of being able to deal with complexity, change, and scale to deliver a solution that works seamlessly behind the scenes.
Do you still think you need KBA? Don’t find yourself outmoded.
Contact us to learn more: turn.ai
