Why Knowledge-Based Authentication Fails at Authentication

In a recent project for a Bredemarket client, I researched how a particular group of organizations identified their online customers. Their authentication methods fell into two categories. One of these methods was much better than the other.

Multifactor authentication

Some of the organizations employed robust authentication procedures that included more than one of the five authentication factors—something you know, something you have, something you are, something you do, and/or somewhere you are.

For example, an organization may require you to authenticate with biometric data, a government-issued identification document, and sometimes some additional textual or location data.

Knowledge-based authentication

Other organizations employed only one of the factors, something you know.

• Not something as easy to crack as a password.
• Instead they used the supposedly robust authentication method of “knowledge-based authentication,” or KBA.

The theory behind KBA is that if you ask multiple questions of a person based upon data from various authoritative databases, the chance of a fraudster knowing ALL of this data is minimal.

Steve Craig found out the hard way that KBA is not infallible.

The hotel loyalty hack

Steve Craig is the Founder and CEO of PEAK IDV, a company dedicated to educating individuals on identity verification and fraud prevention.

Sadly, Craig himself was recently a victim of fraud, and it took him several hours to resolve the issue.

I’m not going to repeat all of Craig’s story, which you can read in his LinkedIn post. But I do want to highlight one detail.

• When the fraudster took over Craig’s travel-related account, the hotel used KBA to confirm that the fraudster truly was Steve Craig, specifically asking “when and where was your last hotel stay?”
• Only one problem: the “last hotel stay” was one from the fraudster, NOT from Craig. The scammer fraudulently associated their hotel stay with Craig’s account.
• This spurious “last hotel stay” allowed the fraudster to not only answer the “last hotel stay” question correctly, but also to take over Craig’s entire account, including all of Craig’s loyalty points.

And with that one piece of knowledge, Craig’s account was breached.

The “knowledge” used by knowledge based authentication

Craig isn’t the only one who can confirm that KBA by itself doesn’t work. I’ve already shared an image from an Alloy article demonstrating the failures of KBA, and there are many similar articles out there.

The biggest drawback of KBA is the assumption that ONLY the person can answer all the knowledge corrections correctly is false. All you have to do is participate in one of those never-ending Facebook memes that tell you something based on your birthday, or your favorite pet. Don’t do it.

Why do organizations use KBA?

So why do organizations continue to use KBA as their preferred authentication method? Fraud.com lists several attractive, um, factors:

• Ease of implementation. It’s easier to implement KBA than it is to implement biometric authentication and/or ID card-based authentication.
• Ease of use. It’s easier to click on answers to multiple choice questions than it is to capture an ID card, fingerprint, or face. (Especially if active liveness detection is used.)
• Ease of remembrance. As many of us can testify, it’s hard to remember which password is associated with a particular website. With KBA, you merely have to answer a multiple choice quiz, using information that you already know (at least in theory).

Let me add one more:

• Presumed protection of personally identifiable information (PII). Uploading your face, fingerprint, or driver’s license to a mysterious system seems scary. It APPEARS to be a lot safer to just answer some questions.

But in my view, the risks that someone else can get all this information (or create spurious information) and use it to access your account outweigh the benefits listed above. Even Fraud.com, which lists the advantages of KBA, warns about the risks and recommend coupling KBA with some other authentication method.

But KBA isn’t the only risky authentication factor out there

We already know that passwords can be hacked. And by now we should realize that KBA could be hacked.

But frankly, ANY single authentication can be hacked.

• After Steve Craig resolved his fraud issue, he asked the hotel how it would prevent fraud in the future. The hotel responded that it would use caller ID on phone calls made to the hotel. Wrong answer.
• While the biometric vendors are improving their algorithms to detect deepfakes, no one can offer 100% assurance that even the best biometric algorithms can prevent all deepfake attempts. And people don’t even bother to use biometric algorithms if the people on the Zoom call LOOK real.
• While the ID card analysis vendors (and the ID card manufacturers themselves) are constantly improving their ability to detect fraudulent documents, no one can offer 100% assurance that a presented driver’s license is truly a driver’s license.
• Geolocation has been touted as a solution by some. But geolocation can be hacked also.

In my view, the best way to minimize (not eliminate) fraudulent authentication is to employ multiple factors. While someone could create a fake face, or a fake driver’s license, or a fake location, the chances of someone faking ALL these factors are much lower than the chances of someone faking a single factor.

You knew the pitch was coming, didn’t you?

If your company has a story to tell about how your authentication processes beat all others, I can help.