Close this search box.

The Ins and Outs of Knowledge-Based Authentication for Identity Verification in Banking

Consumers lost over $5.8 billion to fraud in 2021, according to the Federal Trade Commission, and the threat is on the rise. Until financial institutions have a secure, reliable method for verifying account access and transactions, hackers remain ready to pounce. For banks and credit unions, securing data with additional layers of authorization is a regulatory requirement, and is one of the key pillars of Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance. The challenge for financial institutions is that end users expect a sign-in experience that is both secure and seamless. Here’s how Knowledge-Based Authentication (KBA) can deliver that experience. 

What Is Knowledge-Based Authentication? 

As a bank and credit union end-user, you have three ways to authenticate secure access:

  • Something you know, such as a password.
  • Something you have, like a key or token. 
  • Something you are, such as biometric data, from fingerprint scanning to voice recognition. 

Also referred to as Knowledge-Based Verification or Proofing, KBA requires the end user to provide the answer to an “out of wallet” question in order to access their account. Typically, this means answering a specific security question or confirming an address or phone number to progress. The theory is that while a hacker could steal a username and password in a data breach and use it for credential stuffing or other brute-force attacks, they won’t get their hands on the KBA solution because it is stored outside the system. 

The challenge to KBA is that hackers don’t always need a data breach as a source for their attacks. By cross-referencing data that most of us share openly on social media or through public records, and employing a little social engineering, hackers can often find the answers to KBA prompts without arousing suspicion. It’s why the National Institutes of Standards in Technology (NIST) has downgraded KBA from “strong” to “fair” as a security measure, and why banks and credit unions should complement KBA with other authentication methods. 

The Ins and Outs of How KBA Works

Knowledge-Based Authentication is the magic password or secret handshake of the digital world. There are two ways to determine what information the gatekeeper will require:

Static vs. Dynamic KBA

With static verification, the end user inputs the answers to security questions when they register for a service, usually from a drop-down menu of options. They will then be prompted to answer these security questions when they sign in. This system is simple but vulnerable, and it’s the reason why fraudsters create clickbait ads and quizzes on social media that promise to tell you what your mother’s maiden name, pet name or favorite sports team reveal about you. (Answer: Your login details.) 

Dynamic authentication, on the other hand, uses data mining. For example, the end user will be asked to confirm the value of a recent purchase, the name of a standing order payee or their current balance. In this case, the IT system uses gated data to create a security question, rather than repeating the same preset questions. It’s a more complex system for banks and credit unions to set up, but more robust. 

How Banks and Credit Unions Can Use Knowledge-Based Authentication

Financial institutions find themselves with a conundrum to solve. On the one hand, they want to be able to roll out personalized digital and mobile banking services to their end users, not least to compete with the growing number of mobile-only neobanks. At the same time, end users expect these services to be frictionless, allowing them to sign-in quickly, but without compromising on security. That leaves financial institutions with the following options:

Single Sign On authentication (SSO): e.g., password or PIN

  • Good: These can be saved automatically. 
  • Bad: Vulnerable to a data breach. 

Two-factor authentication (2FA): e.g., password then code sent by SMS 

  • Good: Locks out hackers who only have the password. 
  • Bad: Often it’s left as an optional level of security, and it can frustrate end-users. 

Third-party authentication 

The end user accesses their account through a trusted app or platform, often to make frictionless payments at checkout. 

  • Good: Solves the problem of leaving a shopping site to open a payment platform.
  • Bad: Poses a variety of compliance issues in relation to data storage. 

Token authentication

The end user needs a physical USB, fob or token, or a digital QR code to log in. 

  • Good: Very difficult to hack, especially from afar. 
  • Bad: Easy to lose. 

Biometric authentication, such as an iris scan, fingerprint scan or facial recognition

  • Good: Fast, frictionless and extremely secure. 
  • Bad: a complex system to operate from a bank perspective, and some traditional end users find biometrics rather sinister. 

Banks and credit unions do not have to use all of the above to secure account access. Indeed, doing so would probably deter end users entirely as it would significantly lengthen the login process. But KBA should certainly feature as part of a multi-factor defense, and it can be fortified behind the scenes with IP verification or device recognition, so that extra measures are triggered only when the end user attempts to sign in from an unrecognized device or location.

Authentication With Lumin Digital

With Lumin Digital, security protocols are already embedded into the cloud-native mobile app, leaving no gaps in the fence for hackers to slip through. Our solution supports KBA at log in without increasing friction, so you can add an extra layer of security without placing unnecessary obstacles in the end-user journey. Contact us today to learn more!


National Institutes of Standards in Technology (NIST) – Knowledge-Based Verification (KBV)

Idology – Knowledge Based Authentication: The Difference between Static, Dynamic & Enhanced KBA (Infographic)

National Institutes of Standards in Technology (NIST) – A Retrospective Look: Advancing standards for strong identity and authentication in the Identity Ecosystem