My Favorite Knowledge-Based Authentication (KBA) Failure

If the identity you’re protecting is important, knowledge-based authentication (KBA) isn’t sufficient to protect it. There’s an example of a KBA failure that I originally discussed in 2024 in a “The Wildebeest Speaks” article, but since I’m citing it again on LinkedIn I might as well mention it here.

Consider the following four criteria:

  • The person is a famous musician.
  • The person uses a particular first and last name.
  • The person is of a particular nationality.
  • The person plays a particular musical instrument.

That’s not enough to identify an individual.

Just ask the famous musician Mick Jones, the English guitarist.

Here he is (on the left) playing guitar for the song “Urgent.” (Or, more accurately, miming to a previous recording. The recording included Junior Walker and Thomas Dolby, but the video did not.)

And here is Jones again, playing guitar and singing “Should I Stay Or Should I Go.”

“Wait a minute, John!” you’re saying. “Those are two different bands and two different people!”

Right.

And for those who thought all the members of Foreigner were American:

“By 1974 we found in Spooky [Tooth] that we were getting a better reception in the States than back home in Britain, so made a collective decision to relocate to New York….

“[After Gary Wright quit Spooky Tooth] I [Mick Jones the English guitarist] was left high and dry in New York, and without a clue as to what my next move was going to be. I seriously considered returning to England and starting over a whole new career, such as going to medical school or becoming a dentist. The second option was the most attractive to me, because it took less time to qualify and paid good money.”

But dentistry’s loss was music’s gain, as Jones assembled two other British people and three Americans into a band called Foreigner.

And considering that the other Mick Jones was kicked out of the Clash, we can figure out how THAT band got its name.

Anyway, “Mick Jones the English guitarist” remains my favorite example of a knowledge-based authentication failure.

Because you need multiple ways to verify and authenticate identities. I should know.

Biometric product marketing expert.