What is Knowledge-Based Authentication (KBA)?
Knowledge-based authentication (KBA) is an identity verification method that uses a series of personal questions to prevent unauthorized access. This method is based on the premise that only a legitimate account holder would know the answers to the questions asked.
Purpose of KBA
Objective
The objective of KBA is to authenticate an individual’s identity remotely and securely. KBA questions verify that the individual attempting to access a service is who they claim to be.
Benefits
- Fraud prevention: KBA helps prevent fraudulent activities and identity theft by requiring users to provide information that an attacker would not easily know.
- Secure access: It adds a second hurdle beyond login credentials. Even if an attacker obtains the legitimate user's username and password, they still need to answer the security questions correctly before gaining access.
- Regulatory compliance: KBA practices can support compliance with EU data protection and financial regulations such as eIDAS 2.0, PSD2, the AML Directives and GDPR. Note that KBA answers count only as a "knowledge" element, so on their own they do not satisfy a two-factor requirement such as PSD2 strong customer authentication, which needs two independent factors.
Types of KBA
Static
Static KBA is the most widely used form. It relies on facts about the user that do not change over time, such as:
- What is your mother’s maiden name?
- What was the name of your first pet?
- What is the street name of the house you lived in as a child?
During account creation, the user chooses which static KBA question(s) to answer. The answers are stored (ideally salted and hashed like passwords, not in plaintext) and checked when identity verification is required. Static KBA is weak because many answers can be found through online searches, social media profiles, public records or previous data breaches.
Dynamic
Dynamic KBA methods generate questions based on the user’s credit history, marketing databases and behavioral patterns. This means that the answers can change between transactions. Examples include:
- Which city did you make your last online purchase from?
- What was the amount of your last bank transfer?
- Which category of products do you often buy online?
These questions are created on the fly from data linked to the account. Compared to static KBA, they are harder for criminals to guess or uncover through social engineering or online research.
The information is still not guaranteed to be private: a breach at the data source, or an attacker who already has access to the victim's bank statements or mailbox, can expose the answers.
Enhanced
Enhanced KBA methods combine static and dynamic practices to create personalized security questions. The data is gathered from proprietary and third-party sources and kept under the provider's access controls, which makes it a stronger identity verification option than static questions alone.
How KBA works
KBA works by storing each user’s personal information in a database during account setup. At this stage, the user may choose a security question to answer in the future, or questions may be dynamically generated based on the KBA method used.
When a user attempts to log into an account or perform a transaction, the system prompts them to answer one or more questions. Access is granted only if every answer matches the stored response. Incorrect answers should be counted against a lockout limit and treated as a signal of a possible unauthorized attempt, because many answers (pet names, cities, street names) have low entropy and can otherwise be guessed by trial.
Typically, KBA questions are not prompted on every login. They are triggered when specific criteria raise concern about the user's identity, such as logging in from an unrecognized device or performing a high-risk transaction. How often they appear depends on how broadly the method is implemented in the system.
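The enrollment, verification and risk-based triggering described above, as an added example in Python (this is not code from the original page or from any KBA vendor). It shows the practitioner details the text leaves implicit: answers are normalized so minor spelling variations do not cause wrongful lockouts, stored as salted slow hashes rather than plaintext, compared in constant time, and capped by an attempt counter. The hashing parameters, the three-attempt lockout, the high-value threshold and the `KbaStore` / `needs_step_up` names are illustrative assumptions.

```python
"""Static KBA: enrollment, verification with lockout, and step-up policy.

Added example, not code from the original page. Hashing parameters,
lockout threshold and transaction threshold are assumptions to tune.
"""
import hashlib
import hmac
import os
import unicodedata

MAX_ATTEMPTS = 3             # assumption: lock after three wrong answer sets
PBKDF2_ITERATIONS = 200_000  # assumption: raise to your CPU budget in production


def normalize(answer: str) -> str:
    """Reduce spelling variation that causes wrongful lockouts:
    Unicode-normalize, case-fold, drop punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    cleaned = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in text)
    return " ".join(cleaned.split())


def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Store answers like passwords: per-answer salt and a slow hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


class KbaStore:
    """Per-user store of enrolled question/answer hashes and failed attempts."""

    def __init__(self) -> None:
        self._answers = {}   # user -> {question: (salt, digest)}
        self._failures = {}  # user -> consecutive failed verifications

    def enroll(self, user: str, answers: dict) -> None:
        """Called during onboarding; plaintext answers are never retained."""
        self._answers[user] = {q: hash_answer(a) for q, a in answers.items()}
        self._failures[user] = 0

    def is_locked(self, user: str) -> bool:
        return self._failures.get(user, 0) >= MAX_ATTEMPTS

    def verify(self, user: str, responses: dict) -> bool:
        """Every enrolled question must be answered correctly. Each failed
        set counts toward the lockout so answers cannot be brute-forced."""
        if self.is_locked(user):
            return False
        enrolled = self._answers.get(user, {})
        ok = bool(enrolled) and set(enrolled) == set(responses)
        # Always hash and compare every question so timing does not reveal
        # which answer was wrong; compare_digest is constant-time.
        for question, (salt, stored) in enrolled.items():
            _, candidate = hash_answer(responses.get(question, ""), salt)
            ok &= hmac.compare_digest(stored, candidate)
        self._failures[user] = 0 if ok else self._failures.get(user, 0) + 1
        return ok


def needs_step_up(known_device: bool, amount: float,
                  high_value_threshold: float = 1000.0) -> bool:
    """Risk-based trigger from the text: prompt for KBA only on an
    unrecognized device or a high-value transaction (threshold assumed)."""
    return (not known_device) or amount >= high_value_threshold


if __name__ == "__main__":
    store = KbaStore()
    store.enroll("alice", {"pet": "Rex", "street": "Main St."})
    print(store.verify("alice", {"pet": " rex ", "street": "main st"}))  # True
    print(needs_step_up(known_device=False, amount=20.0))                # True
```

The lockout counter is deliberately per user, not per session, so an attacker cannot reset it by opening a new browser; in a real deployment it would also be backed by a shared store and complemented by IP-level rate limiting.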
Advantages and disadvantages
Advantages
- Adds a further hurdle after password theft; resistance to brute-force guessing holds only if wrong answers are rate-limited and counted toward a lockout, since answers such as pet names or cities have low entropy
- Adapts to different environments, allowing companies to customize authentication based on data sensitivity and user privileges
- Allows continuous authentication, prompting users after set intervals to revalidate their identity during a session
- Less expensive compared to its alternatives, such as biometrics and hardware tokens
- Can be used across platforms and devices, as it requires no special hardware on the user's side
Disadvantages
- Answers may be uncovered through online research, social media or earlier data breaches, especially in the case of static KBA; for this reason NIST SP 800-63B prohibits verifiers from prompting for this kind of information as a memorized secret
- Possible vulnerabilities in the data sources used to create dynamic KBA questions
- Wrongful lockouts when users cannot recall the exact answers they gave (normalizing case, whitespace and punctuation before comparison reduces this)
- Social engineering attacks, such as phishing and impersonation, targeting KBA information
KBA use cases
KBA software is commonly used by financial, healthcare, e-commerce and other organizations that manage customer assets or store confidential information. It is typically integrated into the following processes:
- Onboarding: Users answer security questions during initial account setup; the answers are used for identity verification later.
- Logging in: When a login comes from an unrecognized device or network.
- Performing high-risk transactions: To authorize high-value purchases and fund transfers.
- Accessing information: To verify customers' identities before they access sensitive information or make critical account changes.