In Defense of KBA

Knowledge Based Authentication (KBA) has been getting a bad rap, largely related to the IRS breaches in both 2013 and 2015.  Aside from the IRS breaches, there have also been failures associated with static KBA that contribute to criticism of KBA.  Static KBA is a question and response structure where the consumer has provided the “correct” answer to the question.  Essentially static KBA becomes a secondary password, and as such static KBA suffers from all of the same limitations as ordinary passwords.  This approach should not be confused with dynamic KBA, where information from external entities (i.e. Credit Bureaus, Utility Records) are used to present questions to the consumer.

What critics of KBA have failed to realize is that any tool will fail when it is not used correctly.  It is absolutely true that KBA is not perfect, even when dynamic KBA is implemented correctly.  It is equally true that a perfect solution does not currently exist.  All identity verification solutions have the potential to be thwarted, the goal is to make the time and cost required to commit fraudulent activity higher than the value of what is gained by a potential fraudster. 

KBA raises the bar for the amount of information a fraudster needs to be able to perform a fraudulent transaction, requiring additional time and effort (or cost for those purchasing such information illegally).  For lower value access (lower value retail, age verification) KBA may be sufficient to prevent fraud, but for higher value targets (healthcare information, tax information, new financial account origination) KBA should only serve as one layer in a comprehensive solution.  In the high profile breaches of the last several years the IRS failed to include these additional layers. 

The IRS is also a uniquely valuable target for fraudsters.  The majority of American adults file taxes, and an estimated 8 in 10 who file receive refunds.  For a criminal who has access to the data required to answer KBA questions for a random set of American adults this mean the probability of success is high.  Fraud is ultimately a business, and like any business fraudsters will invest more (time, effort, money) when there is a higher probability of making a profit. 

KBA is a valuable tool for identity verification and fraud prevention when used correctly.  Electronic Verification Systems (EVS) provides dynamic KBA as part of a comprehensive solution for Identity Verification, and can provide guidance regarding the correct implementation of KBA and whether dynamic KBA is a fit for your specific needs.

Explore more articles