What is knowledge-based authentication?
Knowledge-based authentication (KBA) is an authentication method in which users are asked to answer at least one secret question. KBA is often used as a component in multifactor authentication (MFA) and for self-service password retrieval.
A strong KBA question should meet the following four criteria:
- The question should be appropriate for a large segment of the population.
- The answer should be something easily remembered.
- The question should only have one correct answer.
- The answer should not be easy to guess or discover through research.
KBA questions can be static or dynamic. Both methods rely on the assumption that if someone knows the correct answers to the secret questions, their identity has been confirmed.
In a static scheme, the end user preselects the questions to be asked and provides the correct answers. The host stores the question-and-answer pairs and uses them later to verify the person's identity. KBA questions can be factual, such as: "Where did you spend your honeymoon?" or "How many pets do you have?" Or they can be about preferences, such as: "What is your favorite food?" or "Who was your favorite teacher?" The problem with static KBA questions is that if someone has shared that information on social media, for example, the answer can be easily guessed.
In a dynamic scheme, the end user has no idea what question will be asked. Instead, the question-and-answer pairs are selected from harvested data, such as public records. Examples of dynamic KBA questions include: "What street address did you live on when you were 10 years old?" or "What color Ford Mustang was registered to you in New York state in 2002?" Although the answers to dynamic questions could be researched, it would take time. If the respondent does not answer a dynamic question within a certain time period, the question is discarded and treated as a wrong answer.
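The two schemes described above, as an added example that is not part of the original article: the static verifier stores only a salted hash of a normalized answer (so a leaked table does not expose the answers in plaintext), and the dynamic verifier treats an answer that arrives after the time limit as wrong. The question text, the 60-second limit and the sample answers are constructed for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed example of a minimal KBA verifier; not vendor code.


def normalize(answer: str) -> str:
    """Fold case, strip accents and collapse whitespace so "Fluffy " == "fluffy"."""
    decomposed = unicodedata.normalize("NFKD", answer)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(no_accents.casefold().split())


def enroll_static(answer: str, iterations: int = 200_000) -> dict:
    """Static scheme: the host stores salt + PBKDF2 hash of the answer, never the answer."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify_static(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(attempt).encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def verify_dynamic(expected: str, attempt: str, asked_at: float,
                   answered_at: float, limit_s: float = 60.0) -> bool:
    """Dynamic scheme: the expected answer comes from harvested records at question
    time, and a response later than limit_s seconds counts as a wrong answer."""
    if answered_at - asked_at > limit_s:
        return False  # question discarded; treated as incorrect
    return hmac.compare_digest(normalize(expected).encode(), normalize(attempt).encode())


if __name__ == "__main__":
    rec = enroll_static("Mrs. Álvarez")  # constructed "favorite teacher" answer
    print(verify_static(rec, "mrs. alvarez"))          # True
    print(verify_dynamic("Red", " red ", 100.0, 130.0))  # True: on time
    print(verify_dynamic("Red", "red", 100.0, 170.0))    # False: too late
```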
Experts don't consider knowledge-based authentication to be secure enough on its own, particularly in the age of social media, where people tend to share a lot of information about themselves. Using KBA as one factor within MFA is preferred, because the additional factors strengthen authentication for accounts. MFA is recommended over KBA alone, especially with the rise of remote and hybrid work.
This article was written in 2015. TechTarget editors revised it in 2023 to improve the reader experience.