How Secure Are Static KBA Security Questions?

We have all had to answer them: What is your mother’s maiden name? What is your favorite color? What is the name of your first pet? And the list goes on. These types of security questions are what we call static knowledge-based authentication (KBA). Static KBA has been used by banks and financial institutions for years as a way to authenticate a customer in addition to a username and password. Typically, when setting up an online account, an organization using static KBA presents a set of personal questions and has the user supply the answers. It then stores those answers and compares against them whenever the customer logs back in or needs to recover the account. However, according to a recent study by Google, static KBA is simply not enough.

In the study, Google analyzed hundreds of millions of static security questions and their answers, gathered from users attempting to recover accounts, and concluded that the questions were “neither secure nor reliable enough to be used as a standalone account recovery mechanism”. For example, for English-speaking users, a single guess of “pizza” for the question “What is your favorite food?” would succeed almost 20% of the time. The study also found that 37% of users deliberately supply false answers in the belief that they are harder to guess; in practice this backfires, because those users tend to pick the same few fake answers, which makes them easier to guess. The “reliable” half of that verdict refers to recall: answers that are genuinely hard to guess are also hard for legitimate users to remember when they need them.
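The guessability finding above can be measured on any answer store. The following is an added example, not code from the original article or from Google's study: it normalizes stored answers the way a lenient verifier compares them, then reports how often an attacker who knows nothing about the victim succeeds within k population-wide guesses per question, and what fraction of users reuse one answer across questions. The answer records are constructed for illustration.

```python
"""Audit a static-KBA answer store for guessability.

Added example (not from the original article or the Google study).
Assumes a list of (user_id, question_id, answer) records; the records
below are constructed for illustration, not real user data.
"""
from collections import Counter, defaultdict
import re
import unicodedata

# Constructed sample answer store: ten users, two questions each.
SAMPLE_ANSWERS = [
    ("u1", "food", "Pizza"),    ("u1", "pet", "Fluffy"),
    ("u2", "food", "pizza!"),   ("u2", "pet", "pizza"),    # same answer to both
    ("u3", "food", "sushi"),    ("u3", "pet", "Rex"),
    ("u4", "food", "PIZZA "),   ("u4", "pet", "Max"),
    ("u5", "food", "tacos"),    ("u5", "pet", "tacos"),    # same answer to both
    ("u6", "food", "pizza"),    ("u6", "pet", "Buddy"),
    ("u7", "food", "Pasta"),    ("u7", "pet", "Bella"),
    ("u8", "food", "burgers"),  ("u8", "pet", "Max"),
    ("u9", "food", "pizza"),    ("u9", "pet", "Max"),
    ("u10", "food", "curry"),   ("u10", "pet", "Rex"),
]


def normalize(answer: str) -> str:
    """Canonicalize an answer the way a lenient verifier compares it:
    strip accents, case-fold, drop punctuation and collapse whitespace.
    "Pizza", "pizza!" and "PIZZA " all become "pizza"."""
    ascii_text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    letters_only = re.sub(r"[^a-z0-9 ]", "", ascii_text.casefold())
    return " ".join(letters_only.split())


def guess_success(records, question_id, k):
    """Fraction of users whose answer to question_id is among the k most
    common normalized answers: the success rate of an attacker who knows
    nothing about the victim and simply tries the k most popular answers."""
    answers = [normalize(a) for _, q, a in records if q == question_id]
    if not answers:
        return 0.0
    covered = sum(count for _, count in Counter(answers).most_common(k))
    return covered / len(answers)


def cross_question_reuse(records):
    """Fraction of users who gave the same normalized answer to more than
    one question, so that one correct guess unlocks every question."""
    distinct = defaultdict(set)
    total = defaultdict(int)
    for user, _, answer in records:
        distinct[user].add(normalize(answer))
        total[user] += 1
    if not total:
        return 0.0
    reusing = sum(1 for u in total if len(distinct[u]) < total[u])
    return reusing / len(total)


def report(records, ks=(1, 3, 10)):
    """Per-question attacker success rate for k guesses, plus the reuse rate."""
    questions = sorted({q for _, q, _ in records})
    out = {q: {k: guess_success(records, q, k) for k in ks} for q in questions}
    out["answer_reuse"] = cross_question_reuse(records)
    return out


if __name__ == "__main__":
    for question, rates in report(SAMPLE_ANSWERS).items():
        print(question, rates)
```

Run over a real store, the k=1 and k=3 rows tell you how much a login throttle of a few attempts actually buys you: a lockout after three tries is no help when the top three answers already cover most of the population.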

Static KBA also does nothing to stop fraudsters who have bought identity information on the black market from opening an account in the stolen identity’s name and simply making up the security answers at account creation: whoever enrolls the answers is the one who can later answer them. This is why it is important to employ more than static KBA in your identity verification and fraud prevention program. Reliance on static KBA is ending as criminals gain more access to identity information and as people’s social media footprints grow. A consumer’s personal details (e.g. high school attended, pet’s name, spouse’s name) are becoming easier to look up, so static KBA will only become less reliable. This, together with regulatory guidance in certain industries requiring stronger authentication, is making it necessary for organizations to enhance their authentication processes.

The Benefits of Dynamic KBA

Dynamic KBA is a higher-assurance form of verification that also uses knowledge-based questions to verify an individual’s identity; however, it requires no previous contact with the consumer. Why? Because dynamic KBA generates questions in real time, on the fly, from the consumer’s aggregated data file rather than from answers the user enrolled. Because the questions differ from session to session and the answers were never chosen or stored by the user, they are much harder for a fraudster to anticipate and answer correctly. Enhanced KBA goes a step further by allowing institutions to use their own proprietary data to generate questions, which an outsider holding only purchased or public-record data cannot answer.
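To make the difference concrete, here is an added example of the question-generation and scoring logic that dynamic KBA relies on; it is illustrative code, not IDology’s ExpectID IQ or any vendor’s implementation. The consumer record, the distractor pools and the field names are constructed assumptions. One question is also built as a decoy whose correct answer is “None of the above”, a common practice that stops a fraudster from simply picking whichever option looks most plausible.

```python
"""Dynamic-KBA question generation and scoring.

Added example (not IDology's ExpectID IQ or any vendor's code). The
consumer record, the distractor pools and the field names are
constructed assumptions for illustration.
"""
import random
import secrets

# Constructed aggregated data file for one consumer (fictional values).
RECORD = {
    "prior_streets": ["Maple Ave", "Oak St"],
    "prior_cities": ["Dayton", "Akron"],
    "vehicles": ["2012 Honda Civic"],
}

# Constructed distractor pools: plausible values NOT tied to this consumer.
DISTRACTORS = {
    "prior_streets": ["Elm St", "Pine Rd", "Cedar Ln", "Birch Way", "Willow Ct"],
    "prior_cities": ["Toledo", "Canton", "Youngstown", "Lima", "Findlay"],
    "vehicles": ["2009 Ford Focus", "2015 Toyota Camry",
                 "2011 Chevy Malibu", "2018 Nissan Altima"],
}

PROMPTS = {
    "prior_streets": "Which of these streets have you lived on?",
    "prior_cities": "Which of these cities have you lived in?",
    "vehicles": "Which of these vehicles have you owned or leased?",
}

NONE_OF_THE_ABOVE = "None of the above"


def make_question(record, field, rng, n_options=4, decoy=False):
    """Build one multiple-choice question for `field`.

    Normal question: one value from the consumer's record plus distractors.
    Decoy question: every choice is a distractor and the right answer is
    "None of the above", which catches a fraudster who always picks the
    most plausible-looking option. Choices are shuffled so the position
    gives nothing away. 'answer' stays server-side; only 'prompt' and
    'options' are shown to the user.
    """
    known = set(record.get(field, []))
    pool = [d for d in DISTRACTORS[field] if d not in known]
    if decoy:
        answer = NONE_OF_THE_ABOVE
        choices = rng.sample(pool, n_options - 1)
    else:
        answer = rng.choice(record[field])
        choices = [answer] + rng.sample(pool, n_options - 2)
    rng.shuffle(choices)
    return {"prompt": PROMPTS[field],
            "options": choices + [NONE_OF_THE_ABOVE],
            "answer": answer}


def make_quiz(record, rng, decoy_field=None):
    """One fresh question per field for this session. Nothing is enrolled
    or stored in advance, which is what distinguishes this from static KBA."""
    return [make_question(record, field, rng, decoy=(field == decoy_field))
            for field in PROMPTS]


def score(quiz, responses, max_wrong=1):
    """Compare the user's selections with the server-side answers.
    Returns (passed, correct_count). The tolerance is deliberately tight:
    each plausible-but-wrong choice is a signal that the responder is guessing."""
    correct = sum(1 for q, r in zip(quiz, responses) if r == q["answer"])
    return correct >= len(quiz) - max_wrong, correct


def demo_quiz(seed=7):
    """Deterministic quiz for demonstration; production code would use
    secrets.SystemRandom() instead of a seeded generator."""
    return make_quiz(RECORD, random.Random(seed), decoy_field="vehicles")


if __name__ == "__main__":
    quiz = make_quiz(RECORD, secrets.SystemRandom(), decoy_field="vehicles")
    for q in quiz:
        print(q["prompt"])
        for i, opt in enumerate(q["options"], 1):
            print(f"  {i}. {opt}")
    print(score(quiz, [q["answer"] for q in quiz]))
```

The caveat a practitioner should keep in mind: the generator is only as secret as the record it draws from. A fraudster who has bought the same aggregated data file can answer these questions as well as the real consumer, which is why the questions should be sourced from data the fraudster is unlikely to hold and paired with other signals.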

However, as more and more personally identifiable information is stolen, even dynamic KBA questions can be answered by a fraudster who has obtained the same underlying data. The key is therefore not only to layer in levels of verification matched to each individual’s risk profile, but also to wrap your customer authentication program in a robust, collaborative fraud prevention platform.

IDology provides a simple, non-intrusive and multi-layered method to test an individual’s identity while also improving customer service and preventing fraud. To learn more about IDology’s ExpectID IQ solution and schedule an online demonstration, contact an IDology representative today at (866) 520-1234.

Christina Luttrell for MEDICI