
Why It’s Time To Retire Knowledge-Based Authentication

What was the make and model of your first car? What was your elementary school? What is your mother’s maiden name?

These are all questions that consumers have probably answered more times in the last 5-10 years than in every year of their life combined. Because in the era of digital services, one of the most common and accepted ways to validate a customer’s identity is simply to ask them questions that presumably only they could answer. Old addresses, schools, pet names, cars — all data points consumers are comfortable coughing up in case of an identity check during digital interaction.

And not just comfortable — extremely comfortable. According to Philipp Pointner, chief product officer at Jumio, a full 90 percent of consumers are comfortable with simply answering knowledge-based questions when it comes to proving their identity.

But they really shouldn’t be.

Because as of this day in 2018, around 1.4 billion consumer records are exposed on the black market — and that’s just a tally from the past year.

And they’re more than exposed — the records are for sale on the black market. And because demand is high on the black market for consumer data, the trend of large institutions being hacked and looted for their consumer data cache is not on the decline.

“As an individual, you have to assume your data is already compromised,” Pointner said. In fact, consumers should assume their data is so compromised at this point that it is almost useless to use knowledge as an identity source. Said simply, the hackers at this point likely know a consumer’s data better than the consumer knows it. Consumers are complacent about this, he stated, because they trust that the institution has done its homework and is applying state-of-the-art security.

Institutions are doing that homework, Pointner noted, because they are looking for alternatives to knowledge-based authentication (KBA). The industry agrees, he believes, that KBA has absolutely no future.

So if KBA is dead — or at least should be — what’s next? According to Pointner, a holistic approach to identity that looks at an entire consumer lifestyle instead of tying authentication to single moments and data points. How that works — and why it’s the future of FIs being sure of who is at the other end of their transactions — Pointner explains to Karen Webster in this week’s edition of Data Drivers.


