Knowledge-Based Authentication
Verifying a user by asking questions whose answers only they should know — security questions ("first pet's name"), or dynamic KBA pulled from credit-bureau or public-records data.
KBA is the legacy primitive that won't quite die. Static security questions are trivially defeated by social engineering and OSINT; dynamic KBA is defeated by the steady accumulation of breach data over the past decade — the credit-bureau questions an attacker would need to answer are exactly the data that has been leaked from credit bureaus. KBA's remaining role is as one weak signal in a multi-signal identity verification flow, never as a standalone factor.
Common questions
Are security questions still considered secure?
Is dynamic KBA stronger than static KBA?
Can KBA be used for MFA?
In the guides
Account Recovery Design: The Most-Attacked Flow in CIAM
The recovery flow is the security floor of the entire auth system. Email magic link on a passkey-secured account is, structurally, an email-secured account. Design recovery deliberately.
Identity Verification and Proofing (IDV/KYC): A CIAM Guide for 2026
How to prove a real person matches a claimed identity at signup — document capture, liveness, authoritative-data checks. The 2026 stack, the deepfake escalation, and where CIAM ends.