Knowledge vs. Biometric Based Authentication—The Not So Subtle Differences

November 10, 2020

For the past 20 years, proving an identity on the internet has been a massive challenge. The ability to reliably “know” someone is critical to multiple interactions, from protecting online customer accounts to meeting regulatory and compliance guidelines. Internally, organizations have struggled with striking a balance between security and providing customers with frictionless online access.

When it comes to establishing one’s identity, we can all agree on three things:

1) controlling access is the basis of all security,
2) digital identity is hard, and
3) friction burns.

The right people should be allowed in, and the wrong people kept out. This is done by identifying the person seeking access, and then checking that the person is authorized to enter.

Proving someone is who they say they are—especially remotely, via a digital service—is beset with opportunities for attackers to successfully impersonate someone. Digital identity is made more complex by many technical challenges. Identification processes often involve establishing an individual’s identity over an open network, which offers multiple opportunities for impersonation and other attacks.

Implementing a verification or authentication process can be costly and add difficulties when customers are onboarding or logging in. These difficulties can create additional churn in already high-risk industries such as financial services or telecommunications. A complicated login process may provide more security, but it also adds friction. When that occurs, users will likely move on to different websites with lower friction, regardless of the reduced security.

To fend off attackers, businesses around the globe generally rely on two identification methods—knowledge-based authentication (KBA) and multi-factor authentication—depending on their risk threshold, government regulatory requirements, and industry protocols. Let’s take a look at these methods.

Knowledge-Based Authentication—VERIFIES who you are.

Knowledge-based authentication is a method whereby organizations aim primarily to establish identity, that is, that the user is who they claim to be. Successful verification provides reasonable risk-based assurance that the individual accessing the service today is the same one who accessed the service previously.

There are three types of KBA.

Static KBA

A static KBA allows users to select security questions and provide answers that are stored by a company and accessed later, usually when a password needs to be retrieved or reset.

For services where users return, an organization may simply collect the username, password, and security question at enrollment.
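Because a stored security-question answer is a secret that unlocks a password reset, the verifier should treat it the way it treats a password. The following Python sketch is an added example, not code from the original post: it enrolls answers with a salted slow hash (PBKDF2) rather than plaintext, normalizes harmless variation in the answer (case, whitespace, Unicode form) so the legitimate user is not locked out, compares in constant time, and caps failed attempts. All class and function names are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata

# Constructed example of a minimal static-KBA store; the names below are
# assumptions, not an API from any vendor or from the original post.

PBKDF2_ITERATIONS = 100_000


def normalize_answer(answer: str) -> str:
    """Canonicalize a free-text answer: Unicode NFKC, case-fold, collapse whitespace.

    This lets "Lincoln  Elementary " match "lincoln elementary" without
    weakening the hash, because the same canonical form is hashed at enrollment.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def hash_answer(answer: str, salt: bytes | None = None,
                iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Return a storable record {salt, iterations, digest}; never the answer itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["digest"])
    actual = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(actual, expected)


class StaticKbaStore:
    """Per-user enrolled questions. All enrolled questions must pass, and a
    simple failure counter locks the user out after max_attempts bad tries."""

    def __init__(self, max_attempts: int = 5) -> None:
        self.max_attempts = max_attempts
        self._records: dict[str, list[tuple[str, dict]]] = {}
        self._failures: dict[str, int] = {}

    def enroll(self, user: str, qa_pairs: list[tuple[str, str]]) -> None:
        self._records[user] = [(q, hash_answer(a)) for q, a in qa_pairs]
        self._failures[user] = 0

    def questions_for(self, user: str) -> list[str]:
        return [q for q, _ in self._records.get(user, [])]

    def is_locked(self, user: str) -> bool:
        return self._failures.get(user, 0) >= self.max_attempts

    def verify(self, user: str, answers: list[str]) -> bool:
        if user not in self._records or self.is_locked(user):
            return False
        records = self._records[user]
        if len(answers) != len(records):
            self._failures[user] += 1
            return False
        # Evaluate every answer (no short-circuit) so response time does not
        # reveal which question was answered incorrectly.
        results = [verify_answer(rec, ans) for (_, rec), ans in zip(records, answers)]
        ok = all(results)
        self._failures[user] = 0 if ok else self._failures[user] + 1
        return ok


if __name__ == "__main__":
    store = StaticKbaStore()
    store.enroll("alice", [("First school?", "Lincoln Elementary"), ("Pet's name?", "Rex")])
    print(store.verify("alice", ["  lincoln   ELEMENTARY ", "rex"]))  # True
    print(store.verify("alice", ["Lincoln Elementary", "Fido"]))      # False
```

The design point is that the out-of-band risk of static KBA (answers that are guessable or discoverable) is not something hashing fixes; hashing only limits the damage if the store itself is exposed, which is why the attempt cap matters as much as the hash.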

Dynamic KBA

Dynamic KBA, in contrast, goes a step further by generating questions that apply only to the intended end user and do not require a previous relationship with the customer. These types of questions are also called “out-of-wallet” because the content is generated from information within a person’s credit history or public records. Therefore, the answers are not found in a wallet or purse, making it difficult for anyone other than the actual person to know the answer.

Enhanced Dynamic KBA

Enhanced dynamic KBA expands on the basic dynamic process by creating custom security questions based on proprietary data that is stored behind a firewall. This could include a credit report, public records, or marketing data.

“Even as the overall number of fraud incidents fell between 2018 and 2019, the total amount of money lost to identity fraud was on the rise. Fraud losses in 2019 hit $16.9 billion last year.” (Javelin Report)

Biometric Authentication—PROVES who you are.

Although verification does not prove a digital identity, multifactor authentication establishes that the individual attempting to access a digital service is indeed the person they say they are. When following the guidelines established by the NIST Risk Management Framework [NIST RMF], multifactor authentication can protect the privacy of the individual while mitigating the cybersecurity risk for the business.

Through a frictionless multifactor authentication process, the user is challenged for factors that cannot be easily supplied by impostors:

• something you KNOW – password or security question
• something you HAVE – government or school issued ID
• something you ARE – biometrics

The key ingredient in this process is of course biometrics, which go beyond other forms of authentication, such as passwords. Biometrics evaluate data that are inherent to the user, such as facial features, finger/palm prints, retina features, and voice. Once authenticated, users’ credentials are with them forever, eliminating the need to carry a token or memorize passcodes, making the process frictionless. Less friction means higher adoption and ultimately less fraud, less churn, and better ROI.

The results of Javelin’s 2020 Identity Fraud Survey should serve as a wake-up call—one that will force institutions and businesses to reevaluate how identity fraud is managed. Multifactor authentication technology offers organizations new ways to help prevent identity fraud from affecting the lives of their customers and their businesses.
