Knowledge-based authentication (KBA)

Knowledge-Based Authentication (KBA) is a method of identity verification that relies on questions only the legitimate user should be able to answer. These questions are typically derived from publicly available or proprietary databases tied to the user’s history.

About Knowledge-based authentication (KBA)

What is KBA?

KBA asks the user to answer questions based on their past—like previous addresses, car loans, or the name of a former employer. This information is pulled from credit bureaus or other data aggregators. It is considered a "something you know" authentication factor and is most commonly used in financial services, government portals, and account recovery flows.

What is dynamic knowledge-based authentication?

Dynamic KBA generates questions in real time based on up-to-date information rather than using pre-set questions like “mother’s maiden name.” These real-time questions (e.g., “Which of these streets have you lived on?”) are harder to guess or phish for and provide a higher level of security, though they are not immune to breaches, especially if the underlying data has been compromised in leaks.

What are the limitations of KBA in modern security?

KBA is increasingly viewed as outdated because much of the “secret” data used can be exposed through social media, public records, or data breaches. Users often fail to remember the exact details, leading to friction. Additionally, it doesn’t work well for people with thin or non-existent credit histories (e.g., younger users or those in underserved markets). As a result, many companies are replacing KBA with stronger methods like biometrics or multi-factor authentication (MFA).
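The dynamic question generation and the thin-file limitation described above can be seen together in a small sketch. This is an added example, not code from the original page or from any KBA vendor; the record layout, decoy pools, function names, and pass mark are all assumptions, and the sample data is constructed.

```python
import random

# Constructed sample files standing in for credit-bureau / data-aggregator records.
FULL_FILE = {"street": ["Maple Ave", "Harbor Rd"],
             "lender": ["Northside Auto Finance"],
             "employer": ["Acme Freight"]}
THIN_FILE = {"street": ["Cedar Ct"], "lender": [], "employer": []}

# Constructed decoy pools (assumption: a real service would pick plausible local decoys).
DECOYS = {"street": ["Birch Ln", "Quarry St", "Elm Way", "Harbor Rd"],
          "lender": ["Lakeview Credit", "Summit Motors Finance", "Orchard Bank"],
          "employer": ["Delta Print Co", "Ridgeline Foods", "Pine Logistics"]}
PROMPTS = {"street": "Which of these streets have you lived on?",
           "lender": "Which lender financed your car loan?",
           "employer": "Which of these is a former employer?"}

def build_quiz(record, n_questions=3, n_choices=4, rng=None):
    """Build questions from the record at request time; None means the file is too thin."""
    rng = rng or random.SystemRandom()
    usable = [kind for kind in PROMPTS if record.get(kind)]
    if len(usable) < n_questions:
        return None  # thin file: caller falls back to another verification method
    quiz = []
    for kind in rng.sample(usable, n_questions):
        answer = rng.choice(record[kind])
        # Never offer a second true value from the file as a "decoy".
        pool = [d for d in DECOYS[kind] if d not in record[kind]]
        choices = rng.sample(pool, n_choices - 1) + [answer]
        rng.shuffle(choices)
        quiz.append({"prompt": PROMPTS[kind], "choices": choices, "answer": answer})
    return quiz

def client_view(quiz):
    """What is sent to the user: prompts and choices only; answers stay server-side."""
    return [{"prompt": q["prompt"], "choices": q["choices"]} for q in quiz]

def grade(quiz, responses, pass_mark=3):
    """Return pass/fail only, so a guesser learns nothing about which answer was wrong."""
    if len(responses) != len(quiz):
        return False
    return sum(q["answer"] == r for q, r in zip(quiz, responses)) >= pass_mark
```

`build_quiz(THIN_FILE)` returns `None`, which is the point where a deployment has to route the user to a different verification method instead of issuing weaker questions.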
