KBA Alternatives for Identity Verification
Knowledge-Based Authentication (KBA):
Promises vs. Reality
KBA identifies users by asking them to answer specific security questions in order to verify their identity for account opening, login, or other online activities. The promise of KBA is, unfortunately, met by some harsh realities. That’s why organizations are looking for alternatives.
KBA often relies on the same personal information exposed in most data breaches.
High-profile data breaches regularly make headlines, which means KBA data is regularly exposed and openly sold on the Dark web.
“Knowledge-based authentication, based on questions derived from PII, is no longer reliable.”
- BankInfoSecurity.com
Information used to craft KBA questions can also often be found online. (i.e. a quick social media search can reveal the name of your pet or the name of your oldest nephew.)
“16 percent of security questions had answers routinely listed publicly in online social networking profiles.”
- Secrets, Lies, and Account Recovery, Google Survey
Regulators are now increasingly calling for stronger, more robust methods of authentication.
The National Institute of Standards and Technology (NIST) no longer endorses security questions and answers as a secure authentication method.
20 percent of users forget the answers to their security questions within six months. This creates the need for re-verification and results in user frustration.
KBA Alternatives for Online Identity Verification
If you’ve already decided KBA is not right for you, you have some options to consider. Below we’ve summarized a handful of alternatives:
Two-factor authentication requires more than one method of identity verification. It combines any two of: something the user knows, something they have or something they are. Most commonly, 2FA combines a username/password with a unique verification code that is texted or emailed to the user.
2FA is effective for account opening and password resets and because of the near-ubiquitous penetration of smartphones, it’s a convenient method for users.
SMS-based 2FA is vulnerable to key logging, SMS-spoofing, man-in-the-middle and man-in-the-browser attacks. Despite it being considered among the most user-friendly methods, NIST has declared SMS-based 2FA insecure.
Many online identity verification systems call out to one of the big three credit bureaus, Experian, Equifax and TransUnion, who then search for an identity match within their vast repositories of consumer credit data.
These are authoritative databases with a wealth of identifying information. They are easy to tap into via API and can provide a fast, unintrusive customer experience.
There are simply too many weaknesses to rely on this method as the single source of identity verification. People with little or no credit history often cannot be matched, common names can result in a false positive and it allows for limited geographic coverage. Importantly, these solutions fail to verify that the user providing the information is the same user behind the transaction.
When used for identity verification, database solutions often leverage online, social media and offline data (and sometimes behavioral patterns) to detect if an online user is authentic, a fraudster or a bot.
A positive aspect of database solutions is that they can pull from a variety of sources to verify a person’s identity markers. This can reduce the number of manual identity checks a business has to perform. They also tend to be API-based which leads to a flexible, customizable solution.
Database solutions fail to verify that the user providing the information is the same user behind the transaction. They also lack a degree of authority since they don’t rely on government-issued IDs. These solutions also often fail to meet compliance/regulatory requirements.
Online identity verification solutions use a mix of artificial intelligence, computer vision and verification experts to determine if a government-issued ID is authentic and belongs to the user. Some solutions also perform identity validity checks via a live selfie to ensure that the person holding the ID is the same person shown in the ID photo. And even liveness checks to assure the person holding the ID is physically present during the transaction.
Solutions use a variety of AI, biometrics, machine learning and human review to verify the user’s identity. The solutions tend to deliver a high level of verification assurance and results are generated in near-real-time.
Since the solutions require users to capture a photo of their ID and take a selfie, there is some friction introduced to the verification process.
Please enter your information below to access the Buyer's Guide to Online Identity Verification.