What Is Knowledge-Based Authentication? Why It’s Shaky and How to Use it Best


Even when you tell apps and sites to “remember me,” modern life involves lots of logging in.  When you enter your username and password you’re validating that you are who you say you are, a process known as “authentication.” 

Passwords, as we unfortunately know, are often easy to guess or break and are often stolen in data breaches.  So sensitive sites often require a second form of authentication, such as security questions.  That’s called knowledge-based authentication, because it relies on something that you — and ideally, only you — know.  It’s a widely used security measure, but it isn’t always especially secure. 

What is Knowledge-Based Authentication? 

There are three basic approaches to authentication, which are usually summed up as “something you have,” “something you are” and “something you know.”  The first describes physical objects that can serve as an authentication key, and this category includes things like physical dongles and swipe cards, or your phone.  The second describes biometric authentication, which reads a fingerprint or a palmprint, or perhaps uses facial recognition, to establish your identity. 

The third, “something you know,” is — logically enough — the basis of knowledge-based authentication, or KBA.  The goal is to establish your identity by asking something that only you would know, as a backup to your existing password. 

There’s always a catch, of course, and in this case it’s settling on things that only you would know.  The most common version of KBA is the predictable set of well-known security questions you’ll find on a lot of sites.  They’ll typically include things like your mother’s maiden name, the name of your first pet, or the first school you attended.  Unfortunately those questions — precisely because they’re so predictable — aren’t very useful for securing your account. 

Static, Dynamic, and Enhanced KBA

Don’t panic yet, though, because there’s more than one approach to knowledge-based authentication. Those traditional security questions are referred to as “static” KBA, because they lean on pieces of information that are unchanging. They’re easily researched, and where they can’t be researched they can often be uncovered through a phishing email, a scam call or a bit of online chitchat with a catfishing scammer.

Companies needing a better form of authentication use what’s called “dynamic” KBA.  That means the questions and answers aren’t settled in advance.  Instead, when you need to authenticate your account, the company’s system will choose information drawn from its own records or things like your credit report.  For example, you might be asked what was the biggest or most recent charge on your credit card in the past week, or which of three addresses you’d lived in during a specific year. 

Enhanced dynamic KBA takes that a step further, by relying on proprietary data that outsiders (theoretically) have no access to.  Instead of generating a question from your credit report, for example, a retailer might ask you for details from a previous purchase.  The most advanced form doesn’t rely on questions at all, but tracks your normal behavior and flags variations from that behavior. 

Dynamic KBA isn’t perfect — it’s possible for hackers to steal proprietary information, for example — but it’s substantially more secure, and more difficult to get around, than static KBA. 
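To make the static-versus-dynamic distinction concrete, here is an added example (written for this article, not code from any vendor or from the author) of how a service could generate a dynamic KBA challenge at authentication time from a record it already holds. The address history, decoy addresses and the username “alice” are constructed sample data; the question format, the three-attempt limit and the one-time use of each challenge are design assumptions of this example. The point it demonstrates is that nothing is agreed in advance: the year and the decoys are chosen when the challenge is issued, the correct option is only kept as a keyed hash, and the number of guesses is bounded.

```python
"""Added example: a dynamic KBA challenge built from a customer record.

The question is generated at authentication time from data the service
already holds (an address history), mixed with decoys, and checked with a
bounded number of attempts. Sample data below is constructed, not real.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample record (not real data): where the customer lived, by year.
ADDRESS_HISTORY = {
    "alice": [
        {"address": "12 Elm Street, Springfield", "from": 2010, "to": 2015},
        {"address": "7 Harbor View, Portside", "from": 2016, "to": 2020},
        {"address": "301 Ridge Road, Hillcrest", "from": 2021, "to": 2024},
    ],
}

# Constructed decoys: plausible addresses the customer never lived at.
DECOYS = [
    "88 Maple Avenue, Riverton",
    "450 Pine Court, Lakeside",
    "19 Station Lane, Oakford",
]

MAX_ATTEMPTS = 3            # assumed policy: three wrong guesses lock the challenge
_rng = secrets.SystemRandom()  # CSPRNG so year, decoys and ordering are unpredictable


@dataclass
class Challenge:
    user: str
    question: str
    options: List[str]
    salt: bytes
    answer_hmac: bytes      # keyed hash of the normalized correct option, never the plaintext
    attempts: int = 0
    locked: bool = False


def _normalize(answer: str) -> str:
    # Case- and whitespace-insensitive, because customers type answers inconsistently.
    return " ".join(answer.lower().split())


def _digest(salt: bytes, answer: str) -> bytes:
    return hmac.new(salt, _normalize(answer).encode(), hashlib.sha256).digest()


def make_challenge(user: str, year: Optional[int] = None) -> Challenge:
    """Pick a year the record covers and ask which of three addresses applied then."""
    history = ADDRESS_HISTORY[user]
    if year is None:
        entry = _rng.choice(history)
        year = _rng.randint(entry["from"], entry["to"])
    correct = next(e["address"] for e in history if e["from"] <= year <= e["to"])
    options = [correct] + _rng.sample(DECOYS, 2)
    _rng.shuffle(options)
    salt = secrets.token_bytes(16)
    return Challenge(
        user=user,
        question=f"Which of these addresses did you live at in {year}?",
        options=options,
        salt=salt,
        answer_hmac=_digest(salt, correct),
    )


def verify(challenge: Challenge, response: str) -> bool:
    """Constant-time check; a challenge is single-use and locks after MAX_ATTEMPTS failures."""
    if challenge.locked:
        return False
    challenge.attempts += 1
    ok = hmac.compare_digest(_digest(challenge.salt, response), challenge.answer_hmac)
    if ok or challenge.attempts >= MAX_ATTEMPTS:
        challenge.locked = True   # consumed on success, burned after too many failures
    return ok


if __name__ == "__main__":
    ch = make_challenge("alice")
    print(ch.question)
    for i, opt in enumerate(ch.options, 1):
        print(f"  {i}. {opt}")
```

Because the year is drawn randomly from the record and the correct option is stored only as a salted HMAC, a leaked challenge object on its own does not reveal the answer, and an attacker who has researched one address still has to guess which year the service picked.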

So Is Knowledge-Based Authentication Secure? 

Let’s start by saying firmly that any form of secondary authentication is better than none at all.  At the time of writing, breach-tracking site Have I Been Pwned? counted well over 12 billion compromised accounts, many of which included full username and password combinations (it’s worth checking to see if you’ve been personally compromised in any of them).  Those details can be purchased for pennies on the black market, so without some form of secondary authentication scammers can simply write a bot that tries your credentials on tens of thousands of sites (or apps) every hour until it finds one it can exploit.  This is called “credential stuffing,” and it’s used a lot. 
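Credential stuffing has a recognisable shape in authentication logs: a single source tries many different usernames in a short window, and almost all of the attempts fail because most leaked pairs no longer work. The following is an added example of detection logic written for this article (not code from the article or from any of the sites it cites). The log format, the sample lines, the documentation-range IP addresses and the thresholds (five distinct usernames and an 80% failure rate within five minutes) are all constructed assumptions; real log formats and thresholds vary by system.

```python
"""Added example: spotting credential stuffing in authentication logs.

Stuffing replays leaked username/password pairs, so it appears as many
distinct usernames, mostly failing, from few source IPs in a short window.
The log format and sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). 203.0.113.7 sprays eight
# accounts in eight seconds with one hit; 198.51.100.20 is a real user who
# mistypes her password twice. One malformed line is included on purpose.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login user=alice ip=203.0.113.7 result=fail
2024-05-01T10:00:02Z login user=bob ip=203.0.113.7 result=fail
2024-05-01T10:00:02Z login user=carol ip=198.51.100.20 result=fail
2024-05-01T10:00:03Z login user=dave ip=203.0.113.7 result=fail
2024-05-01T10:00:04Z login user=erin ip=203.0.113.7 result=fail
2024-05-01T10:00:05Z login user=frank ip=203.0.113.7 result=fail
this line is not a login record
2024-05-01T10:00:06Z login user=carol ip=198.51.100.20 result=fail
2024-05-01T10:00:06Z login user=grace ip=203.0.113.7 result=fail
2024-05-01T10:00:07Z login user=heidi ip=203.0.113.7 result=ok
2024-05-01T10:00:08Z login user=ivan ip=203.0.113.7 result=fail
2024-05-01T10:00:15Z login user=carol ip=198.51.100.20 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


def parse(log_text):
    """Return (timestamp, user, ip, result) tuples; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["ip"], m["result"]))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_rate=0.8):
    """Flag source IPs whose sliding window holds many distinct users and mostly failures.

    Returns {ip: {"distinct_users", "attempts", "failures"}} for the widest
    qualifying window per IP. Thresholds are assumed values for this example.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[2]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[1] for e in win}
            fails = sum(1 for e in win if e[3] == "fail")
            if len(users) >= min_users and fails / len(win) >= min_fail_rate:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"distinct_users": len(users), "attempts": len(win), "failures": fails}
        if best:
            flagged[ip] = best
    return flagged


def successful_logins_from(events, ip):
    """Accounts that actually succeeded from a flagged source: the ones to reset and notify."""
    return sorted({e[1] for e in events if e[2] == ip and e[3] == "ok"})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ip, stats in detect_stuffing(evs).items():
        print(f"{ip}: {stats}, compromised accounts: {successful_logins_from(evs, ip)}")
```

The legitimate user is not flagged because her retries all involve one username, and the one successful login from the sprayer is the signal that matters operationally: that account’s password was reused somewhere that has been breached, and it should be reset rather than treated as a normal sign-in.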

Dynamic KBA is significantly more secure than static, but unfortunately you don’t get to choose what authentication options are provided by a given company’s site or app.  You can lobby for better authentication options, and you can certainly “vote with your feet” by choosing to deal instead with companies that provide more secure authentication, but that’s not always a good option. 

If you’re stuck with static KBA and the usual, predictable handful of security questions, there are still a few things you can do to make yourself more secure.  You could choose whichever question is known to the fewest others, or is the hardest to research, for example.  A more useful option is simply to … lie.  Seriously, nobody’s policing this.  Instead of your mother’s maiden name, use the name of a favorite fictional character.  Invent a dog, or a school.  Just make sure you record your answers somewhere (if you’re using a password manager, that’s a good choice) and that your next of kin know where to find the answers in a worst-case scenario. 

There Are Better Forms of Authentication

The good news is that knowledge-based authentication is not usually your only option.  Most sites and apps will send you a code via text, email or push notification that can serve as your second form of authentication.  This isn’t foolproof, but it’s not as easy to defeat as basic, static KBA questions. 

Better options include authentication apps like Authy or Google Authenticator, physical keys and dongles or a “token” system that turns your phone itself into a physical security key.  Biometric authentication, using your device’s fingerprint reader or facial recognition, is also much more secure. 

No one site or app supports all forms of authentication, so use the most secure option that’s available to you (and that you’re comfortable with) on a case-by-case basis. Generally that’s a physical key or biometric authentication, but authenticator apps are also pretty secure. If you make the best possible authentication option a regular part of your online routine, along with other core precautions like strong passwords and a skeptical attitude toward links in your emails and texts, you’ll keep your risk of hacking or identity theft to its bare minimum.

Sources:

Skillsoft Global Knowledge – The Three Types of Multi Factor Authentication (MFA)

The Guardian – Facebook Data Leak: Data From 533 Million Users Found on Website for Hackers 

Techopedia – What is Knowledge Based Authentication? 

Have I Been Pwned? – Home

OWASP – Credential Stuffing
