When you set up a new account, you are often asked to create a password and choose a security question and answer (e.g., "What is your mother's maiden name?"). Answering security questions based on personal information when you log in to an app or system is called knowledge-based authentication (KBA). KBA is still widely used, but people freely share the same personal information on social media sites, which reduces the security value of those answers.
Passwords are also shared, stolen or recovered with password-cracking tools. A 2020 study by the Digital Shadows Photon Research Team found that 15 billion stolen credentials, including username-password combinations, were available on the dark web. Because a user's password and KBA answers can both be obtained by bad actors, enterprises relying on those weak authentication methods need to reinforce them with more secure methods. It's like reinforcing a flimsy screen door with a solid door and deadbolt to keep your home safe.
Read on to learn more about KBA, its uses, limitations and reinforcements.