knowledge-based authentication (KBA)

Knowledge-based authentication (KBA) is an authentication scheme in which the user is asked to answer at least one "secret" question. KBA is often used as a component in multifactor authentication (MFA) and for self-service password retrieval.

A good KBA question should meet these four criteria:

1. The question should be appropriate for a large segment of the population.

2. The answer should be something that is easily remembered.

3. The question should only have one correct answer. 

4. The answer should not be easy to guess or discover through research. 

KBA questions can be static or dynamic. Both static and dynamic schemes rely on the assumption that if someone knows the correct answers to the secret questions, their identity has been confirmed.

In a static scheme, the end user pre-selects the questions he would like to be asked and provides the correct answers. The question/answer pairs are stored by the host and used later to verify the person's identity. KBA questions can be factual, like "Where did you spend your honeymoon?" or "How many pets do you have?" or they can be about preferences, like "What is your favorite food?" or "Who was your favorite teacher?"  The problem with static KBA questions is that if someone has shared that information on a social media site, the answer can be easily guessed. 

In a dynamic scheme, the end user has no idea what question will be asked. Instead, the question/answer pairs are determined by harvesting data in public records. Examples of dynamic KBA questions are "What was your street address when you were 10 years old?"  or "What color Ford Mustang was registered to you in New York State in 2002?"  Although the answers to dynamic questions could be researched, it would take time -- and time is something the answerer is not given. If the respondent does not answer the dynamic question within a certain time period, the question is discarded and treated as a wrong answer. 




This was last updated in February 2015

Next Steps

Multifactor authentication is one of the most cost-effective mechanisms an enterprise can deploy to protect digital assets. Security expert David Strom explains what you need to think about when writing your business case for a multifactor authentication deployment.

Continue Reading About knowledge-based authentication (KBA)

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing