Loading...

Knowledge Based Authentication (KBA) Best Practices, Part 4

Published: December 22, 2009 by Andrew Gulledge

–by Andrew Gulledge

Intelligent use of features

Question ordering: You want some degree of randomization in the questions that are included for each session. If a fraudster (posing as you) comes through Knowledge Based Authentication, for two or three sessions, wouldn’t you want them to answer new questions each time? At the same time, you want to try to use those questions that perform better more often. One way to achieve both is to group the questions into categories, and use a fixed category ordering (with the better-performing categories being higher up in the batting line up)—then, within each category, the question selection is randomized. This way, you can generally use the better questions more, but at the same time, make it difficult to come throughKnowledge Based Authenticationtwice and get the same questions presented back to you. (You can also force all new questions in subsequent sessions, with a question exclusion strategy, but this can be restrictive and make the “failure to generate questions” rate spike.)

Question weighting: Since we know some questions outperform others, both in terms of percentage correct and in terms of fraud separation, it is generally a good idea to weight the questions with points based on these performance metrics. Weighting can help to squeeze out some additional fraud detection from yourKnowledge Based Authenticationtool. It also provides considerable flexibility in your decisioning (since it is no longer just “how many questions were answered correctly” but it is “what percentage of points were obtained”).

Usage Limits: You should only allow a consumer to come through the Knowledge Based Authentication process a certain number of times before getting an auto-fail decision. This can take the form of x number of uses allowable within y number of hours/days/etc.

Time out Limit: You should not allow fraudsters to research the questions in the middle of aKnowledgeBased Authenticationsession. The real consumer should know the answers off the top of their heads. In a web environment, five minutes should be plenty of time to answer three to five questions. A call center environment should allow for more time since some people can be a bit chatty on the phone.

Related Posts

It’s critical for credit unions to understand the specific threats presented by life online and be prepared with a fraud detection and prevention plan

Published: April 13, 2021 by Alison Kray

Our worldwide survey explores the connection between recognition, fraud prevention and customer experience for our 2021 Global Identity and Fraud Report.

Published: April 8, 2021 by Alison Kray

The sharp uptick in fraud made it clear that banks, credit unions, and fintechs need to invest in a strategy that utilizes identity layers.

Published: March 30, 2021 by Alison Kray

Subscription title for insights blog

Description for the insights blog here

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Categories title

Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book.

Subscription title 2

Description here
Subscribe Now

Text legacy

Contrary to popular belief, Lorem Ipsum is not simply random text. It has roots in a piece of classical Latin literature from 45 BC, making it over 2000 years old. Richard McClintock, a Latin professor at Hampden-Sydney College in Virginia, looked up one of the more obscure Latin words, consectetur, from a Lorem Ipsum passage, and going through the cites of the word in classical literature, discovered the undoubtable source.

recent post

Learn More Image