Knowledge-based authentication (KBA)

KBA asks the user to answer questions based on their past—like previous addresses, car loans, or the name of a former employer. This information is pulled from credit bureaus or other data aggregators. It is considered a "something you know" authentication factor and is most commonly used in financial services, government portals, and account recovery flows.

Dynamic KBA generates questions in real time based on up-to-date information rather than using pre-set questions like “mother’s maiden name.” These real-time questions (e.g., “Which of these streets have you lived on?”) are harder to guess or phish for and provide a higher level of security—though not immune to breaches, especially if the underlying data has been compromised in leaks.

KBA is increasingly viewed as outdated because much of the “secret” data used can be exposed through social media, public records, or data breaches. Users often fail to remember the exact details, leading to friction. Additionally, it doesn’t work well for people with thin or non-existent credit histories (e.g., younger users or those in underserved markets). As a result, many companies are replacing KBA with stronger methods like biometrics or multi-factor authentication (MFA).