Knowledge-based authentication (KBA) often relies on the same personal information exposed in most data breaches.
High-profile data breaches regularly make headlines, which means KBA data is regularly exposed and openly sold on the dark web.
“Knowledge-based authentication, based on questions derived from PII, is no longer reliable.”
Information used to craft KBA questions can also often be found online — a quick social media search can reveal the name of your pet or the name of your oldest nephew.
“16 percent of security questions had answers routinely listed publicly in online social networking profiles.”
Secrets, Lies, and Account Recovery, Google Survey
Regulators are now increasingly calling for stronger, more robust methods of authentication.
The National Institute of Standards and Technology (NIST) no longer endorses security questions and answers as a secure authentication method.
20 percent of users forget the answers to their security questions within six months. This creates the need for re-verification and results in user frustration.
“Businesses must assume that fraudsters have the exact same knowledge of personal information as their customers.”
PINDROP