
Knowledge-based authentication (KBA) has been used for over 20 years as a method of proving identity online. It's time to move on. This flawed approach to identity verification relies on static data that has been breached countless times and, as a result, is widely available on the dark web.

As a result, fraudsters have become more proficient at answering those credit-based questions than the people the quizzes are intended for. First recognized in 2015, this trend led the National Institute of Standards and Technology (NIST) to deprecate the use of KBA in the latest version of its Digital Identity Guidelines, Special Publication 800-63-3, the most widely adopted identity standard in the United States.

But KBA is still commonly employed by state and local agencies to perform the critical act of identity proofing, most commonly in motor vehicle registration, online portal access, and notarization. It is typically offered as an alternative method of online identity verification, a backup for individuals who cannot complete the primary method. Meanwhile, the scale and frequency of data breaches have reached new heights: many people's personally identifiable information can be bought for as little as $1 per record on the dark web.

The glaring problem is that offering a KBA quiz as an alternative gives fraudsters a loophole to gain improper access. Attackers take the path of least resistance, and a weaker fallback path is exactly that: the overall process is only as strong as its weakest accepted method, so offering KBA as an alternative proofing method only exacerbates the issue. We need to address the issues associated with relying on KBA for identity proofing and explore more secure and robust alternatives that can effectively combat fraud while preserving the integrity of online systems.

For example, Socure has shown that replacing KBA can lead to significant improvements in both fraud prevention and identity verification availability. In a recent data study conducted with one of the largest states, Socure was able to correctly approve over 6% of individuals who had failed KBA and been improperly turned away. Socure was also able to reject 6% of transactions that had been approved through KBA quizzes, resulting in over 12% more accurate verification and millions of dollars in cost savings.

  • Flaws in KBA: The primary flaw in KBA lies in its reliance on static and often outdated information, such as Social Security numbers, addresses, and personal details, all of which are susceptible to data breaches. Attackers have exploited these breaches to gather the information needed to pass KBA quizzes, and much of the remaining material (address history, relatives, past vehicles) is discoverable from public records and social media. The widespread availability of this data has further diminished the effectiveness of KBA as a reliable identity verification method.
  • NIST Deprecation: NIST's decision to deprecate the use of KBA in the latest version of Special Publication 800-63-3 reflects a growing acknowledgment of the shortcomings of KBA as an identity proofing method, and signals the need for more secure and sophisticated alternatives.
  • Risks of State Agencies Relying on KBA: While it is understandable that state agencies may opt for KBA as an alternative proofing method because of its familiarity and ease of implementation, doing so inadvertently opens the door to unauthorized access. With modern threats becoming increasingly sophisticated, relying on KBA as a failover option is akin to leaving a backdoor open for malicious actors.
  • Adoption of Biometrics: Incorporating biometric authentication into identity proofing can further enhance security. Biometric identifiers are bound to the individual and are far harder to obtain from a breach dump than a date of birth or an address. One caveat a practitioner should keep in mind: a face, fingerprint, or voice cannot be reissued if a template is leaked, and captured samples can be replayed, so biometric matching should be paired with presentation attack (liveness) detection and the templates protected accordingly. Technologies like fingerprint recognition, iris scanning, or face and voice recognition then provide a more robust means of verifying identity.
  • Behavioral Analytics: Another approach to identity verification involves behavioral analytics. By analyzing a user's behavior patterns, such as typing cadence, mouse movements, or smartphone usage habits, and comparing them against an established baseline, it becomes possible to detect anomalies and potential fraud attempts, including scripted or automated input.
  • Continuous Authentication: Instead of relying on a one-time identity verification, continuous authentication keeps scoring user activity throughout the session. When the observed behavior drifts from the baseline, the session can be challenged with a stronger factor rather than left open, which helps detect suspicious behavior or unauthorized access after the initial check.
  • User Education and Awareness: Improving user education and awareness is crucial in promoting secure online practices. State agencies should provide guidance to users on the importance of strong passwords, avoiding phishing attempts, and understanding the risks of sharing personal information online.
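The following sketch illustrates the "Behavioral Analytics" and "Continuous Authentication" points above: a per-user keystroke-cadence baseline, a per-window anomaly score, and a session-long rule that demands a step-up authentication when consecutive windows stop looking like the enrolled user. It is an added example written for this page, not Socure's code or any product's algorithm; all timings are constructed, and the window size, threshold and strike count are assumptions chosen for the illustration.

```python
"""Keystroke-cadence anomaly scoring with a session-long step-up rule.

Added illustration for the "Behavioral Analytics" and "Continuous
Authentication" points; it is not Socure's code or any product's
algorithm. All timings below are constructed, and the window size and
thresholds are assumptions chosen for the example.
"""
from statistics import mean, pstdev

# Constructed enrolment sample: inter-keystroke intervals (ms) recorded
# while the legitimate user typed during identity proofing.
ENROLLED_MS = [110, 130, 115, 125, 120, 140, 100, 120, 115, 125]

# Constructed later session: two windows of the same user's cadence, then
# two windows of near-constant 45 ms intervals, the signature of scripted
# input rather than a human typist.
SESSION_MS = [
    118, 122, 125, 115, 120, 130, 110, 120,
    124, 116, 120, 135, 105, 120, 125, 115,
    45, 46, 44, 45, 45, 47, 44, 45,
    45, 45, 46, 44, 45, 45, 45, 46,
]


def enroll(intervals_ms):
    """Build the per-user baseline: (mean, population std dev) of intervals.
    The std dev is floored at 1 ms so a degenerate sample (all intervals
    equal) cannot make every later deviation look infinite."""
    return mean(intervals_ms), max(pstdev(intervals_ms), 1.0)


def window_score(baseline, window_ms):
    """Mean absolute z-score of one window against the baseline.
    Roughly 0-1 looks like the enrolled user; a much larger value means
    the cadence no longer resembles enrolment."""
    mu, sigma = baseline
    return sum(abs((x - mu) / sigma) for x in window_ms) / len(window_ms)


def continuous_auth(baseline, stream_ms, window=8, step_up_at=2.5, max_strikes=2):
    """Score a session in consecutive non-overlapping windows.

    A window whose score exceeds step_up_at is a strike; a clean window
    resets the count. Reaching max_strikes in a row yields "step_up",
    meaning the session must re-authenticate with a stronger factor before
    continuing. Returns [(window_index, score, action), ...]; scoring stops
    at the first step-up because control passes to the stronger factor.
    """
    decisions = []
    strikes = 0
    for start in range(0, len(stream_ms) - window + 1, window):
        score = window_score(baseline, stream_ms[start:start + window])
        strikes = strikes + 1 if score > step_up_at else 0
        action = "step_up" if strikes >= max_strikes else "continue"
        decisions.append((start // window, round(score, 2), action))
        if action == "step_up":
            break
    return decisions


def final_action(decisions):
    """Outcome of the session: the action of the last scored window."""
    return decisions[-1][2]


if __name__ == "__main__":
    base = enroll(ENROLLED_MS)
    for idx, score, action in continuous_auth(base, SESSION_MS):
        print(f"window {idx}: score {score:5.2f} -> {action}")
```

Run as a script, the first two windows score well under 1 and pass, the scripted windows score around 7, and the second consecutive strike ends the session with a step-up. Requiring two consecutive strikes rather than one keeps a single odd window (a pause to read the screen, a pasted value) from challenging a genuine user, which is the usual trade-off between false rejects and detection latency in this kind of control.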

Reliance on KBA for identity proofing has long been a flawed approach: it depends on static data that has been compromised many times over and is readily available to fraudsters on the dark web. Fraudsters have become adept at passing KBA quizzes, undermining the very purpose of identity verification, and this has contributed to the spike in government benefits fraud seen over the last few years.

By embracing more secure and robust alternatives, state agencies can ensure the integrity of their online systems, protect sensitive user information, and thwart potential cyber threats effectively. In one KBA replacement scenario with a state motor vehicle agency, Socure improved identity verification pass rates to 93.3%, far higher than the pass rate with KBA, while also flagging 118,000 suspicious identities. That’s the kind of digital identity experience Americans need.

As technology continues to evolve, it is imperative that identity proofing methods keep pace with advancements in cybersecurity to safeguard our digital landscape. Only through proactive and innovative approaches can we stay ahead in the ongoing battle against fraudulent activities and ensure the trust and confidence of users in the digital realm.

Posted by Jeff Shultz

Jeff Shultz is a Senior Solutions Consultant at Socure. He has worked in the digital identity space with the National Institute of Standards and Technology (NIST) and the General Services Administration (GSA). Jeff has spent the last two years at Socure helping to build its public sector business.