Knowledge-Based Authentication (KBA)

Overview

KBA verifies identity by asking users questions only they should be able to answer (e.g., past addresses, loan amounts, or custom shared secrets). Static KBA checks answers the user enrolled in advance; dynamic KBA generates questions on the fly from third-party records such as credit-bureau or public-record data. While historically common in call centers and online account recovery, KBA is increasingly viewed as weak because answers leak through breaches, social media, data brokers, or guessable patterns, and a single leaked answer set compromises every service that relies on it.
Modern programs restrict KBA to low-risk scenarios, pair it with stronger factors (device binding, biometrics, passkeys), or reserve it for assisted channels where human agents add context. For regulated onboarding, KBA rarely suffices alone; it must complement robust evidence like document authentication, liveness, and authoritative database checks. Good governance limits question exposure, rotates content, tracks success/abuse rates, and sunsets KBA where phishing-resistant methods are available, improving both fraud outcomes and user experience.
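The points above about limiting question exposure, tracking failures, and not storing answers in the clear can be seen in a small static-KBA verifier. The following is an added example written for this page; it is not Signzy's API or implementation, and the question ids, sample answers, thresholds and PBKDF2 parameters are all constructed for illustration. It stores only salted answer hashes, normalises free-text answers so honest formatting differences pass, presents a random subset of questions and never re-asks one within a session, compares every answer in constant time without short-circuiting, and locks the session after a configurable number of failed attempts while counting outcomes for monitoring.

```python
import hashlib
import hmac
import random
import secrets
import unicodedata

# Constructed sample enrollment data for one user (not real data).
ENROLLED_ANSWERS = {
    "first_car": "Honda  Civic",
    "mother_maiden_name": "O'Brien",
    "street_grew_up_on": "Elm Street",
    "first_pet": "Rex",
}

QUESTIONS_PER_CHALLENGE = 2   # questions shown per attempt (assumed policy value)
MAX_FAILED_ATTEMPTS = 2       # lock the session after this many failed attempts (assumed)
PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune to your latency budget

# Per-process counters that a real deployment would export as success/abuse metrics.
METRICS = {"success": 0, "failure": 0, "lockout": 0}


def normalize(answer: str) -> str:
    """Canonicalise free-text answers so trivial formatting differences do not fail honest users.
    NFKC-normalise, case-fold, then keep only letters and digits ("O'Brien" -> "obrien")."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the normalised answer; the salt is per question."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(answers: dict) -> dict:
    """Store each answer as (salt, hash); plaintext answers never reach the database."""
    store = {}
    for qid, answer in answers.items():
        salt = secrets.token_bytes(16)
        store[qid] = (salt, hash_answer(answer, salt))
    return store


class KbaSession:
    """One verification session: random question subset, constant-time checks, lockout on abuse."""

    def __init__(self, store, rng=None):
        self.store = store
        self.rng = rng or random.SystemRandom()
        self.presented = set()   # questions already shown; never re-ask within this session
        self.current = []        # questions awaiting an answer
        self.failed_attempts = 0
        self.locked = False

    def challenge(self):
        """Return the next question ids, or None if locked or out of fresh questions."""
        unused = sorted(q for q in self.store if q not in self.presented)
        if self.locked or len(unused) < QUESTIONS_PER_CHALLENGE:
            return None
        self.current = self.rng.sample(unused, QUESTIONS_PER_CHALLENGE)
        self.presented.update(self.current)
        return list(self.current)

    def verify(self, responses: dict) -> bool:
        """Check every answer of the current challenge. Deliberately does not stop at the first
        wrong answer, so neither timing nor the result reveals which question failed."""
        if self.locked or not self.current:
            return False
        all_ok = set(responses) == set(self.current)   # missing or extra answers fail as a whole
        for qid in self.current:
            salt, expected = self.store[qid]
            given = hash_answer(responses.get(qid, ""), salt)
            all_ok &= hmac.compare_digest(given, expected)
        self.current = []
        if all_ok:
            METRICS["success"] += 1
            return True
        self.failed_attempts += 1
        METRICS["failure"] += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
            METRICS["lockout"] += 1
        return False


def make_session(store, seed=None):
    """Build a session; a seed gives a deterministic question order for tests only."""
    rng = random.Random(seed) if seed is not None else None
    return KbaSession(store, rng)


if __name__ == "__main__":
    # Stand-alone demo: an honest user answers with sloppy formatting and still passes.
    session = make_session(enroll(ENROLLED_ANSWERS))
    asked = session.challenge()
    print("asked:", asked, "->", session.verify({q: ENROLLED_ANSWERS[q].upper() for q in asked}))
```

Two design choices matter here. First, the session refuses to re-ask a question and ends once the enrolled pool is exhausted, which is the concrete form of "limiting question exposure": an attacker cannot farm the full question set by retrying. Second, the lockout and the metrics counters are what let a program notice that KBA is being abused at scale and justify sunsetting it in favour of phishing-resistant factors.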
