Confirming someone’s identity is essential to protect sensitive data no matter what vertical your business operates in but is particularly important for FinTech and financial services companies. Knowledge Based Authentication (KBA) is one way to prohibit identity theft and the negative impacts on your company’s bottom line. Knowing which KBA to use can help you lessen fraudulent attempts to gain or use sensitive data, but KBA is only a partial piece of your security puzzle.

What is KBA?

KBA allows a user to provide basic information like their name, address, or phone number prior to conducting a transaction, or gaining access to other data. A query of multiple public databases then checks the provided information against what is common “knowledge” in these databases. If the information provided by a potential customer doesn’t match the information stored in the databases, they are flagged as a security threat. You can think of KBA as a way to prove identity in the same way that someone showing their ID to purchase alcohol at a bar does. Presenting a passport to security at the airport so that you can board a plane and fly to Tahiti is another example. While a driver’s license or passport – an identifier – can be faked, it can be difficult to do so since they are physical, tangible objects. Conversely, KBA data is virtual and can often easily be hacked.

Why KBA Alone Isn’t Enough

Though KBA can be effective with some add-on security services, they might not be safe to use alone. The National Institutes of Standards in Technology (NIST), part of the U.S. Department of Commerce, recently downgraded KBA from “strong” to “fair” citing a lack of performance standards. Why, you might ask?

Hackers have access to a host of knowledge-based credentials that would normally authenticate a real user, as opposed to a data breacher. Google Maps can now reveal the type, color, make, and model of the car sitting in front of your home. Zillow can reveal the history of your home’s market price, your zip code, and many other data points that might be used as sign-on credentials. All the while a user thinks that these facts are a secret.  

Phishing tactics can also unlock a host of personal identifiers to a hacker that would normally be used as KBA identifiers:

  • Social security numbers
  • Children’s names
  • Family surnames
  • Pet’s names
  • Banking institutions
  • Credit cards
  • Credit scores

Meanwhile, malware makes hacking less than subtle by stealing sensitive information, including normal KBA, by placing unwanted tracking software on an unsuspecting person’s computer. Remote file inclusion, SQL injections, and a host of other hacking tools can be employed to gain information to the knowledge-based identifiers that would normally keep data secure. Only additional metrics in a dynamic KBA, suggests the NIST, will allow an increase in the overall trustworthiness of an Identity Ecosystem.

Adding Multiple Security Layers to KBA

Fast Identity Online (FIDO) and other organizations explain how devices that support convenient multi-factor authentication can both standardize authentic identity and add security to KBAs. The following are industry-leading tools to help make knowledge-based logins more secure:

  • Single factor authentication (SSO) with a code/pin or another identifier like a biometric indicator (fingerprints, eye scans, or facial recognition) add security and reliability. Hackers can still duplicate biometric identification to hack into devices, but used in conjunction with KBA and SSO, the task becomes more arduous.
  • Multi-factor authentication (2FA, 3FA) can help bolster KBA. Making users identify themselves with knowledge-based data, but then alsorequiring them to login with multiple usernames and passwords makes hacking more challenging. Devises that can receive a push-notification like an SMS token request for a second login and password also add a layer of security. Robust multi-factor systems might even use three logins and passwords for the ultimate assurance of secure data.
  • USB keys are a physical barrier to hackers and data stored on your mobile phone, laptop or other device. A USB thumb drive can be set up to require access to a device, and since it’s a tangible device, it is harder to unlock than an SSO password, or KBA data point. Built-in schedulers can also limit the number of times a USB key can be used within a day to access data on a device. In the case of a lost, corrupted, or damaged USB key, KBA and password requirements can be used to retrieve access to data until another physical key can be secured. 
  • Security monitoring. With any solid KBA system, 24-7 monitoring of data access attempts can also help you target possible data hacking or unusual login behavior. Make sure you also keep credentials pure to help lessen security risks.

No matter which of these additions to your KBA that you decide to use, you’ll more likely know when there’s a potential hacker or identity thief posturing as a person that you actually want to grant data access to. You can then set up additional security protocols to ask a potential customer to authenticate themselves in another way, or send an error message stating that the data access request cannot be processed, and offer another pathway like an 800-number to call to complete data access via a helpline. This digital authentication confirms identity for a safe online experience for both those accessing data outside your company and those within in.

Final Thoughts

KBAs can help accurately define proper user identity, but their use may require an extra layer of security. You can reduce risks with added security tools, but it can be daunting to figure out which add-ons to use with knowledge-based authentication. See how SailPoint integrates with the right authentication providers.

Take control of your cloud platform.

Learn how SailPoint integrates with authentication providers.

Get Started Today