Keeping information secure online is a top priority for any customer-focused organization. Authentication is the foundation of secure online applications, transactions, signatures and notarizations.
There are many ways to authenticate identity and personal information online, from passwords to multi-factor authentication, certificates, biometrics and token-based authentication — each has its benefits in terms of relative levels of security and ability to power seamless transactions.
Knowledge-based authentication (KBA), both static and dynamic, is another way to authenticate personal information that offers distinct security benefits. Let's take a deeper look at what it is, the difference between static and dynamic KBA, and the common security concerns it helps to mitigate in important transactions — from digital banking to online notarizations and more.
What is knowledge-based authentication?
Knowledge-based authentication (KBA) is an increasingly used form of authentication that asks a user or customer to verify their identity using personal information that's publicly available but wouldn't be easy for a cybercriminal to provide or guess. As its name implies, KBA is based on personal facts that only the individual would possess. As personal information becomes more readily accessible online, this form of authentication has necessarily become more sophisticated to guard against fraudsters.
A good KBA question or set of questions should meet the following criteria:
- Relevant and identifiable to most people
- Easy to remember
- Has only one correct answer
- Difficult to guess or discover through research
There are two main types of KBA: static and dynamic. We'll cover each of their benefits, values and use cases.
Static KBA vs. dynamic KBA
Both static and dynamic KBA rely on the assumption that the end-user will know and remember the correct answers to the secret questions, so a company can securely confirm a person's identity.
Static KBA
Static KBA allows users to select their own security questions and answers. Questions might include things like, "Who was your best childhood friend?" or "What was your high school mascot?" The company stores those answers, and later, when it's time to verify the user’s identity to log in, reset a password, or any other activity that requires verification, the user will have to provide accurate answers to those questions.
Value: Users can select different authentication questions on different sites. They can also provide more customized yet still easy-to-remember answers to the questions.
Drawbacks: Many of these questions are consistent enough that their possible answers are discoverable on a social media post or another public-facing site.
Static KBA also does not protect against fraudsters who purchase identity information on the black market. These bad players can then open an account using the stolen identity and simply fabricate security questions.
Dynamic KBA
Dynamic KBA generates questions based on information in a person's credit history or public records. Examples of this might be your childhood or college address, a company where you might hold a loan, or an alternative, nonlegal, name you go by (such as a nickname). Questions might include things like, "What car was registered to you in Utah in 2007?" or "Which of these addresses do not represent somewhere you've lived?" These questions and answers are generally referred to as "out of wallet" as the information isn't easily found in a person's wallet or purse, making it difficult for anyone other than the actual person to know the answer.
Value: Because dynamic KBA information isn't easily accessible through legal documentation or official IDs, it's tough to get exactly right. A small spelling error or another anomaly would easily deter a would-be hacker.
Drawbacks: Depending on a user's memory or closeness to certain financial information, questions sourced by dynamic KBA may lead to a customer being locked out of an account or unable to perform a transaction that depends on them being able to provide the correct information.
Common security concerns KBA helps to eliminate
Static and dynamic KBA add a measure of security to any online transaction. Both types of KBA help organizations guard against fraud and reduce the cost of fraud prevention and recovery. Because dynamic KBA generates real-time questions based on the consumer's aggregated data file, it's difficult for a cybercriminal to answer the questions correctly. KBA can also boost consumer confidence by providing a layer of security for customers, enabling more trust in online transactions.
But depending on the security risk of the transaction, and what type of information is shared, companies might want to implement or layer on additional cybersecurity measures like multi-factor authentication or biometric authentication to make transactions even more secure.
- Multi-factor authentication: Multi-factor authentication relies on two or more layers of identity verification. This can include sending verification messages to other accounts or devices that only the end user can access. For example, after entering a password, the user would also get a code sent to their smartphone or email address for an added layer of verification.
- Biometric authentication: Biometric authentication, most commonly in the form of facial scans or fingerprints, uses a person’s physical characteristics to identify the user, authorize access and allow for secure transactions. Other forms of biometric authenticators include voice, iris, retina and signature recognition, and even vein patterns. Since these features are difficult to duplicate, they offer a high level of security in online transactions.
Putting authentication and security front and center in online notarizations
Strong security practices, including identity authentication, can thwart many fraudulent transactions.
Aside from measures like password protection, which provide a secure access point, organizations can put more security measures in place for sensitive digital transactions. For example, when it comes to online notarizations, the whole purpose is to securely verify and confirm one’s identity. The Notarize platform does this by utilizing multi-factor authentication: dynamic knowledge-based authentication and credential analysis (a software-based process that determines the validity of a government-issued ID). The user needs to successfully pass through each of these layers of security before they’re connected with a live notary. This deters fraudsters and ensures that the person getting a document notarized is who they say they are.