In my last post I discussed the problem with confusing what I would call “real” Knowledge Based Authentication (KBA) with secret questions. However, I don’t think that’s where the market focus should be. Instead of looking at Knowledge Based Authentication (KBA) today, we should be looking toward the future, and the future starts with risk-based authentication.
If you’re like most people, right about now you are wondering exactly what I mean by risk-based authentication. How does it differ from Knowledge Based Authentication, and how we got from point A to point B? It is actually pretty simple. Knowledge Based Authentication is one factor of a risk-based authentication fraud prevention strategy. A risk- based authentication approach doesn’t rely on question/answers alone, but instead utilizes fraud models that include Knowledge Based Authentication performance as part of the fraud analytics to improve fraud detection performance. With a risk-based authentication approach, decisioning strategies are more robust and should include many factors, including the results from scoring models.
That isn’t to say that Knowledge Based Authentication isn’t an important part of a risk-based approach. It is. Knowledge Based Authentication is a necessity because it has gained consumer acceptance. Without some form of Knowledge Based Authentication, consumers question an organization’s commitment to security and data protection. Most importantly, consumers now view Knowledge Based Authentication as a tool for their protection; it has become a bellwether to consumers.
As the bellwether, Knowledge Based Authentication has been the perfect vehicle to introduce new and more complex authentication methods to consumers, without them even knowing it. KBA has allowed us to familiarize consumers with out-of-band authentication and IVR, and I have little doubt that it will be one of the tools to play a part in the introduction of voice biometrics to help prevent consumer fraud.
Is it always appropriate to present questions to every consumer? No, but that’s where a true risk-based approach comes into play. Is Knowledge Based Authentication always a valuable component of a risk based authentication tool to minimize fraud losses as part of an overall approach to fraud best practices? Absolutely; always.