Loading...

Knowledge Based Authentication (KBA) best practices, Part 3

Published: December 14, 2009 by Guest Contributor

–by Andrew Gulledge

General configuration issues

Question selection– In addition to choosing questions that generally have a high percentage correct and fraud separation, consider any questions that would clearly not be a fit to your consumer population. Don’t get too trigger-happy, however, or you’ll have a spike in your “failure to generate questions” rate.

Number of questions– Many people use three or four out-of-wallet questions in a Knowledge Based Authentication session, but some use more or less than that, based on their business needs. In general, more questions will provide a stricter authentication session, but might detract from the customer experience. They may also create longer handling times in a call center environment. Furthermore, it is harder to generate a lot of questions for some consumers, including thin-file types. Fewer Knowledge Based Authentication questions can be less invasive for the consumer, but limits the fraud detection value of the KBA process.

Multiple choice– One advantage of this answer format is that it relies on recognition memory rather than recall memory, which is easier for the consumer. Another advantage is that it generally prevents complications associated with minor numerical errors, typos, date formatting errors and text scrubbing requirements. A disadvantage of multiple-choice, however, is that it can make educated guessing (and potentially gaming) easier for fraudsters.

Fill in the blank– This is a good fit for some KBA questions, but less so with others. A simple numeric answer works well with fill in the blank (some small variance can be allowed where appropriate), but longer text strings can present complications. While undoubtedly difficult for a fraudster to guess, for example, most consumers would not know the full, official and (correct spelling) of the nameto which they pay their monthly autopayment. Numeric fill in the blank questions are also good candidates for KBA in an IVR environment, where consumers can use their phone’s keypad to enter the answers.

Related Posts

Learn how you can proactively fight credential stuffing attacks and protect your organization and customers.

Published: December 18, 2024 by Laura Burrows

Bots have been a consistent thorn in fraud teams’ side for years. But since the advent of generative AI...

Published: December 17, 2024 by James Craddick

Learn how background screeners can optimize pre-employment verification processes, reduce fraud risks, and ensure compliance.

Published: December 12, 2024 by Theresa Nguyen