I want to help clear up some confusion in the market about the updated FFIEC guidelines as they relate to out of wallet challenge questions. Here are terms (and their origins) that you might hear in reference to out of wallet solutions and meeting the FFIEC guidelines:
- Out-of-Wallet Questions – this came about based on the type of data being used to generate authentication questions. Out of Wallet questions are designed so that if someone were to steal your wallet, they could not use the information to answer any questions. The questions that are used are multiple-choice. (FFIEC guidelines state these to be an effective authentication technique)
- Challenge Questions – the term the FFIEC uses to describe the questions Banks and others present to consumers when they forget their password. Challenge questions are more commonly known as Shared Secrets.
- Shared Secrets –Shared Secrets is slang for a piece of information a consumer shares with the business. Shared secrets take the form of questions that the consumer picks out and provides and answer to after an account has been established. Shared Secrets is what describes all the questions most people are familiar with in their online banking systems such as questions about mother’s maiden name, favorite pet, high school etc. Shared secrets are limited to how many questions the consumer selects and what answers the consumer provides. Shared secret questions are not multiple-choice. (FFIEC guidelines indicate these are not safe for a Bank anymore)
- Knowledge based authentication (KBA) – really this means using something someone knows as a way of verifying their identity. However, most people use KBA as a synonymous term for shared secrets. KBA is used in multi-factor authentication to satisfy the “something you know” component (going beyond just knowing a password).
- Static KBA – another name for Shared Secrets, because the something you know never changes, it’s static. You must have a prior relationship with someone to use static KBA because the consumer gives the Bank the questions/answers to store and call up when needed
- Dynamic Knowledge Based Authentication or Dynamic KBA – another name for out-of-wallet questions because the something you know changes and is not limited to what questions the consumer sets up. These questions are dynamically generated from lots of different data sources so you do not have to have a relationship with someone to use Dynamic KBA.
- Sophisticated challenge questions – introduced in the FFIEC updated guidelines as a way to describe out of wallet questions a.k.a. Dynamic KBA
- ID Quiz – used to describe out-of-wallet questions since these questions are provided in a quiz format with multiple choice answers.
Really, it doesn’t matter what you call “out-of-wallet questions”, only what it does – quickly verifies consumers in a way that reduces your risk of fraud.
For more term definitions in the identity authentication space, check out IDology’s new online glossary.