Alternatives to Knowledge-Based Authentication for Identity Verification

Science & Tech

Published by UrbanGeekz Staff at October 20, 2017

Problems With KBA

Customer Error

The first problem with KBA is that your customers might forget what they put down. This is especially true for questions whose answers can change over time.

For example: if a person puts down the name of their favorite pet, that name could very easily change over time. Due to shorter lifespans, a customer is guaranteed to change pets every so often, and they might like the new pet better. You want your customers to stay with you for a long time, so it is counter-productive to punish them for forgetting how they would have answered a security question ten years ago.

This problem is not uncommon, and the last thing you want is to further frustrate your customers with authentication failures like these.

Anybody Can Find the Answer

The most damning flaw in KBA is the fact that it depends upon publicly available information. We have all been told about the dangers of posting your social security number, but the ubiquitous nature of KBA makes a Facebook selfie labeled “Chilling out with my favorite teacher” with yourself and that teacher tagged in equally dangerous.

To a skilled fraudster, these security questions are not asking him if he is who he says he is. What they hear is “have you read this customer’s Facebook?” You could try advising your customers to not use security questions with publicly available information, but that is not always practical.

Seeking Alternatives

While KBA is deeply flawed, verifying customer identity is essential to preventing fraud. Rather than using security questions and answers for identity verification, consider some of the following alternatives:

Behavior Recognition

This is a pattern that is frequently employed by credit card agencies. It generally involves using publicly available data to establish user patterns, and looking for breaks with those patterns. Customers tend to fall into habits, and a sudden break from those habits should create red flags in your system. While it is possible your model is wrong or the change in behavior is due to exigent circumstances, checking out shifts in customer behavior can be used to warn of possible fraud.

Phone-Limited Access

One thing that everybody has and tends to jealously guard is their phone. With the rise of mobile phones, and the many services offering number transfers, tying customer identity to phone number is a convenient way to verify identity. When somebody calls in, if they are using a phone number linked to the account, there is a good bet that you are speaking to the correct person. This method is best used in conjunction with other identity verification methods to counter possible software glitches.

The other benefit of this method is that, due to the universality of text messaging, if a customer tries calling in on a different phone, you can send a secret code to the primary phone number as a method of verification. The only way a fraudster can impersonate your customer is by stealing their phone.

Evolve with The Times

The transition to KBA as an industry standard was a good idea in theory. However, nobody could have predicted the rise of social media and what a detrimental effect that would have on KBA. As the times evolve, so too must businesses, and seeking alternatives to KBA will go a long way towards guaranteeing customer identity and protecting your business against fraud.

UrbanGeekz Staff

UrbanGeekz is the first to market tech blog focused on covering content from a diverse and multicultural perspective. The groundbreaking videocentric multimedia platform covers technology, business, science, and startups.