How biometrics are keeping KBA alive
This is a guest post by Michael Hagen, corporate ID strategist and managing director of IDchecker, a Mitek Company.
Knowledge-based authentication (KBA) alone is out of touch with the reality of the online and mobile world. Five to 10 years ago, KBA was a good solution because fraudsters couldn’t find the answers to your selected security questions, but the Internet and social media have evolved much faster than KBA’s current solution offerings. To combat the vulnerability of KBA, one must institute a two-step authentication process that uses biometrics and KBA. A fraudster can find your password or “something you know”, but the code becomes harder crack when its paired with “something you have” like a driver’s license or even your own face for biometric analysis.
For many consumers, KBA means a struggle to remember selected security questions and in turn, a slow login process. According to Gartner research, KBA failure rates in the U.S. are on average 10-15 percent, and can go as high as 30 percent for some populations, including individuals without a lot of public data built up on them, such as those who are new to this country or young.
So why is KBA still the go-to authentication method for many businesses? KBA has been around for years, so consumers easily understand and are comfortable with the concept of answering security questions to access sensitive information. Passwords, secret questions and codes are part of our shared culture. In addition, generating KBA questions and answers is simple and free for manufacturers and consumers. KBA has become ingrained into the authentication processes of some of the largest institutional systems. Banks for example adopted it as a part of their login process. This made sense in years past, but with advancements in social media and continuous data breach announcements; it is too easy for hackers to use your social profile to fill in the answers to your security questions or buy them in bulk online.
In 2013, a massive date breach exposed KBA as a flawed means of authentication and resulted in the retrieved personal data being purchased and sold online. Experts then said that, “simply replacing knowledge based authentication is not a solution. Firms must adopt a multi-layered approach to identification and fraud detection”. To do this, consumers who wish to enroll in biometric authentication must go through a process to confirm and connect your face, voice and fingerprint to your profile. But, they don’t need any new devices or hardware because everything they need to start using biometrics (camera, recorder, fingerprint) is on their phone.
Consumers are more accepting of attributes or biometrics now, whereas four or five years ago they wouldn’t have considered using biometric attributes to verify their identity. Biometrics such as facial recognition, fingerprint scanning or voice recognition are perfect for the mobile age because they can be accessed with the capabilities of almost any mobile device and don’t add much time to the login process. In a recent study, 86 percent of Millennials said they are willing to take a few additional steps to verify their identity when opening an account or enrolling in a new service. The survey also found that Millennials also accept newer forms of identity verification like facial recognition (32 percent). Pairing these accepted biometrics with old-school KBA can create a secure user authentication process in the mobile channel and many top companies are integrating it. Recently, MasterCard announced that it is testing facial recognition and fingerprints as a method for approving an online purchase.
Multi-factor authentication is needed to reduce fraud to meet our modern needs. Using KBA as the only authentication process leaves businesses vulnerable to fraudsters who have learned to utilize the Internet. Many have already started to add these processes to better combat these fraudsters including Facebook and Twitter who have implemented multi-factor authentication login in an effort to make their websites more secure.
All businesses should add biometric authentication to their already existing KBA system to more securely protect their customers. A Frost & Sullivan study found that by 2019, biometrics will be a mature technology and will have naturally migrated to mobile devices. Also, the number of global biometrics smartphone users is expected to reach 471.11 million in 2017 from 43.23 million in 2013. This means that consumers are ready for businesses to take the extra step to protect their identify and won’t mind taking one extra selfie to login in to their back account.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.