
Knowledge-based authentication (KBA) has been used for more than 20 years as a way of proving identity online. It is time to move on. This flawed approach to identity verification relies on static data that has been breached countless times and, as a result, is now widely available on the dark web.

Fraudsters have consequently become more proficient at answering those credit-bureau questions than the people the quizzes are meant to verify. KBA also produces a high rate of false positives: legitimate users are flagged as fraud even though they answer the questions about their own lives correctly, because the data the quiz is graded against is stale or wrong. These factors led the National Institute of Standards and Technology (NIST) to deprecate the use of KBA in the latest version of Special Publication 800-63-3, the most widely adopted identity standard in the United States.

Yet KBA is still commonly used in the public sector for the critical step of identity proofing, most often for motor vehicle services, online portal access, and notarization. It serves either as the primary form of identity verification or as a fallback when an individual cannot complete the primary method. Meanwhile, the scale and frequency of data breaches have reached new heights; many people's personally identifiable information (PII) can be bought on the dark web for as little as $1 per record.

The glaring problem is that offering a KBA quiz as an alternative path hands fraudsters a loophole. An identity-proofing flow is only as strong as the weakest path it accepts, and attackers take the path of least resistance, so keeping KBA as a fallback lowers the effective strength of the whole flow to that of KBA. We need to confront the risks of relying on Knowledge-Based Authentication for identity proofing and adopt more secure and robust alternatives that combat fraud while preserving the integrity of online systems.

Socure's own data shows that replacing KBA produces measurable gains in both fraud prevention and verification availability. In a recent data study with one of the largest states, Socure correctly approved 92.8% of individuals who had failed KBA and been improperly turned away, and identified the 6.1% of individuals who passed KBA but showed indicators of fraud. These outcomes translate into more accurate verification and substantial cost savings.

  • Flaws in KBA: KBA's core flaw is its reliance on static and often outdated information, such as Social Security numbers, addresses, and other personal details, all of which are exposed in data breaches. Fraudsters use breached data to answer KBA quizzes correctly, and they script the process so that questions are answered automatically at scale. The wide availability of personal data on the dark web and on social media has further eroded KBA's value as an identity verification method. And because states are consolidating the portals that gate key services, guarding those portals with KBA concentrates the damage a single bypass can do.
  • NIST Deprecation: NIST's decision to deprecate the use of KBA in the latest version of Special Publication 800-63-3 reflects a growing acknowledgment of KBA's shortcomings as an identity proofing method, and signals the need for more secure and sophisticated alternatives for identity proofing.
  • Risks of State Agencies Relying on KBA: State agencies may opt for KBA as an alternative proofing method because it is familiar and easy to implement, but in doing so they open the door to unauthorized access. With fraud increasingly automated and sophisticated, keeping KBA as a fallback is akin to leaving a back door open for malicious actors.
  • Adoption of Biometrics: Incorporating biometric verification into identity proofing can further enhance security. Biometric identifiers are bound to the individual and cannot be guessed or bought the way quiz answers can, although captured biometric data can be replayed, so any biometric check needs liveness (presentation attack) detection. Technologies like fingerprint recognition, iris scanning, and voice recognition provide a more robust means of verifying identity than a quiz.
  • Behavioral Analytics: Another approach analyzes a user's behavior patterns, such as typing cadence, mouse movements, or smartphone usage habits, to detect anomalies and likely fraud attempts. On its own this is a weak signal; it should be used holistically, layered with other identity verification methods.
  • Risk Moment Verification: Instead of relying on a single identity verification at enrollment, re-evaluate risk at the moment a sensitive account change is attempted (for example, a request for a replacement driver's license). This step-up verification catches account takeover in progress: suspicious behavior or unauthorized access surfaces at exactly the point where it would cause harm, further strengthening the security of online systems.
  • User Education and Awareness: Improving user education and awareness is crucial in promoting secure online practices. State agencies should guide users on the importance of strong passwords, recognizing phishing attempts, and understanding the risks of sharing personal information online.
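The risk-moment verification and fallback-path points above can be made concrete as a small policy engine. The following is an added example written for this post, not Socure product code: the action names, the assurance scale, the 30-day freshness window and the 0.7 risk threshold are assumptions chosen for illustration. The policy re-evaluates proofing at the moment a sensitive change is attempted, treats a new device or a high risk score as grounds to re-proof regardless of earlier proofing, and never accepts a KBA quiz as the step-up path, so the flow's effective strength is not reduced to that of KBA.

```python
"""Risk-moment (step-up) verification policy for a state services portal.

Added example for this post; it is not Socure's product code. Action names,
assurance levels, the freshness window and the risk threshold are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class Assurance(IntEnum):
    """Strength of the identity proofing a session has completed (assumed scale)."""
    NONE = 0
    KBA = 1          # knowledge-based quiz: answers are breach-exposed, weakest
    REMOTE_DOC = 2   # ID document capture plus selfie match with liveness check
    IN_PERSON = 3    # proofed at a counter against the physical document


# Assumed mapping from portal action to the minimum proofing it requires.
REQUIRED_ASSURANCE: dict[str, Assurance] = {
    "view_status": Assurance.NONE,
    "change_mailing_address": Assurance.REMOTE_DOC,
    "request_replacement_license": Assurance.REMOTE_DOC,
    "change_legal_name": Assurance.IN_PERSON,
}

PROOFING_FRESHNESS = timedelta(days=30)   # assumed re-verification window
RISK_SCORE_THRESHOLD = 0.7                # assumed; score comes from an external risk engine


@dataclass
class Session:
    proofed_level: Assurance
    proofed_at: datetime | None       # when the proofing event completed
    new_device: bool = False          # device not previously seen on this account
    risk_score: float = 0.0           # 0.0 (benign) .. 1.0 (likely fraud), assumed external input


@dataclass
class Decision:
    allow: bool
    step_up_to: Assurance | None      # proofing the user must complete before retrying
    reason: str


def evaluate(action: str, session: Session, now: datetime) -> Decision:
    """Decide whether `action` may proceed on `session`, or which step-up it needs."""
    required = REQUIRED_ASSURANCE[action]
    if required is Assurance.NONE:
        return Decision(True, None, "low-risk action, no proofing needed")

    # Risk signals at the moment of the change invalidate earlier proofing
    # regardless of its strength: a new device or a high risk score means the
    # person at the keyboard may not be the one who was proofed.
    if session.new_device or session.risk_score >= RISK_SCORE_THRESHOLD:
        return Decision(False, max(required, Assurance.REMOTE_DOC),
                        "risk signal at change time, re-proofing required")

    stale = (session.proofed_at is None
             or now - session.proofed_at > PROOFING_FRESHNESS)
    if session.proofed_level >= required and not stale:
        return Decision(True, None, "proofing strong enough and fresh")

    # Step-up never targets KBA: accepting a quiz as the fallback path would let
    # an attacker holding breached PII complete the sensitive action, making KBA
    # the effective strength of the whole flow.
    target = max(required, Assurance.REMOTE_DOC)
    why = ("proofing stale" if stale
           else f"proofing level {session.proofed_level.name} below {required.name}")
    return Decision(False, target, why + ", step-up required")


NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)   # constructed evaluation time


def days_ago(n: int) -> datetime:
    """Timestamp n days before the constructed NOW."""
    return NOW - timedelta(days=n)


def demo() -> dict[str, Decision]:
    """Run the policy over constructed sessions for a replacement-license request."""
    sessions = {
        "kba_only": Session(Assurance.KBA, days_ago(1)),
        "fresh_doc": Session(Assurance.REMOTE_DOC, days_ago(3)),
        "stale_doc": Session(Assurance.REMOTE_DOC, days_ago(45)),
        "new_device": Session(Assurance.REMOTE_DOC, days_ago(3), new_device=True),
    }
    return {name: evaluate("request_replacement_license", s, NOW)
            for name, s in sessions.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:11s} allow={decision.allow} step_up_to={decision.step_up_to} ({decision.reason})")
```

Note that a session proofed only by KBA is refused the sensitive action and is sent to document-based proofing rather than another quiz; had the policy taken `any` of the accepted methods as sufficient, the KBA path alone would have satisfied it.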

Reliance on Knowledge-Based Authentication (KBA) for identity proofing has long been flawed: it depends on static data that has been compromised many times over and is readily available to fraudsters on the dark web. Fraudsters have become adept at passing KBA quizzes, undermining the very purpose of identity verification, and this has contributed to the spike in government benefits fraud of the last few years.

By adopting more secure and robust alternatives, state agencies can protect the integrity of their online systems, safeguard sensitive user information, and counter fraud effectively. In one state motor vehicle agency that had been using KBA, Socure raised identity verification pass rates to 93.3%, a 20% improvement over KBA, while also flagging 118,000 suspicious identities. This was done entirely passively, through risk evaluation of the PII the applicant submitted using Socure's risk insights, without presenting any additional friction to the end user. That is the kind of digital identity experience Americans need.

As technology continues to evolve, identity proofing methods must keep pace with advances in both attacks and defenses. Only proactive, evidence-based approaches can keep agencies ahead of fraud and preserve users' trust and confidence in digital services.

Posted by Jeff Shultz

Jeff Shultz is a Senior Solutions Consultant at Socure. He has worked in the digital identity space with the National Institute of Standards and Technology (NIST) and the General Services Administration (GSA). Jeff has spent the last two years at Socure helping to build its public sector business.