Knowledge-Based Authentication (KBA)
Knowledge-based authentication (KBA) is an identity verification method that asks users to answer personal questions, either static ones they set in advance or dynamic ones derived from external data sources.
Also known as: KBA, security questions
Knowledge-based authentication verifies identity by asking questions whose answers should be known only to the legitimate user. Static KBA uses questions the user previously set up, such as “What was the name of your first pet?” Dynamic KBA pulls questions from external data sources, such as credit bureaus, and asks the user to select the correct answer from multiple choices.
KBA has been widely used for account recovery and identity proofing, but it carries well-documented weaknesses. Answers to static questions are often guessable, shared on social media, or reused across services. Dynamic KBA data can be obtained from public records or data breaches. For these reasons, NIST SP 800-63A does not permit KBA as the sole means of identity proofing at higher assurance levels.
In customer identity and access management (CIAM), knowledge-based authentication may still appear in low-risk recovery flows, but organizations are moving toward stronger alternatives such as multi-factor authentication and document-based identity proofing.
Sources
- NIST SP 800-63A, Enrollment and Identity Proofing: https://pages.nist.gov/800-63-3/sp800-63a.html
Standards
- NIST SP 800-63A