Dynamic KBA

Checker Category: Identity — Knowledge

Used In Steps: Dynamic KBA

Used In Workflows: Continuous Re-Authentication, Adaptive MobileMatch

Supported Countries: United States


Overview

What It Provides

Generates dynamic knowledge-based authentication questions from LexisNexis data (credit and public record history), then validates the user's answers. Questions are unique to each user and difficult for fraudsters to answer.

End User Requirements

Knowledge of personal history (addresses, financial accounts, etc.). US-based identity with sufficient credit/public record history.

Role in Layered Verification

Confirms that the user has personal knowledge consistent with the claimed identity. Serves as a step-up or fallback when phone-based verification is unavailable. Weaker than biometric verification, but does not require a device or document.

Input Attributes

📝

Content coming soon.

Output Assertions

Assertions

| Assertion Name | Assertion Key | Description |
| --- | --- | --- |
| KBA Outcome Check | test.KnowledgeBasedAuthentication | Returns the outcome of the knowledge-based authentication (KBA) process. Passes if the person correctly answers KBA challenge questions; fails if they do not. |
| KBA Eligible Identity Check | test.discovery | Confirms that the person's identity can be located in records, allowing KBA questions to be generated. Passes if the identity is found; fails if the person cannot be located. |
| KBA Outcome Check | test.kbaTransactionStatus | Returns the status of the KBA transaction. Passes if the transaction status is successful; fails otherwise. |
| KBA Attempt Velocity Check | test.postIDVelocity | Assesses whether the user has exceeded the allowed frequency for KBA attempts or failed too many assessments within a given period. Passes if both activity and failure rates are within acceptable limits; fails if either threshold is exceeded. |
| KBA Re-Attempt Velocity Check | test.preIDVelocity | Assesses whether the same identity data has been resubmitted too soon after a previous failed KBA attempt. Passes if the resubmission rate is within acceptable limits; fails if the identity data has been retried too recently after a prior failure. |
| KBA Excessive Attempts Check | test.velocity | Assesses whether an excessive number of KBA attempts have been made using the same personally identifiable information (PII). Passes if the number of attempts is within acceptable limits; fails if the threshold is exceeded. |
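One way a relying application might triage these six assertions, as an added example that is not part of the original documentation or the vendor's code. It assumes the results have already been parsed into a dict of assertion key to "pass" or "fail" (the platform's response format is not shown on this page); the decision names and sample inputs are hypothetical.

```python
# Added example: fail-closed triage of the Dynamic KBA assertions.
# Assumption: results arrive as {assertion_key: "pass" | "fail"}.
# Decision names ("approve", "deny_and_alert", ...) are hypothetical.

VELOCITY_KEYS = ("test.postIDVelocity", "test.preIDVelocity", "test.velocity")
DISCOVERY_KEY = "test.discovery"
OUTCOME_KEYS = ("test.KnowledgeBasedAuthentication", "test.kbaTransactionStatus")
ALL_KEYS = VELOCITY_KEYS + (DISCOVERY_KEY,) + OUTCOME_KEYS


def triage(assertions):
    """Return (decision, reasons) for one KBA transaction."""
    # An incomplete result set is never treated as a pass.
    missing = [k for k in ALL_KEYS if k not in assertions]
    if missing:
        return "deny_incomplete", missing

    # Fail closed: any value other than the exact string "pass" is a failure.
    failed = [k for k in ALL_KEYS if assertions[k] != "pass"]
    if not failed:
        return "approve", []

    # Velocity failures take precedence over the KBA outcome: correct answers
    # that arrive after repeated attempts are not trusted.
    velocity = [k for k in failed if k in VELOCITY_KEYS]
    if velocity:
        return "deny_and_alert", velocity

    # Identity not located means no questions could be generated (for example
    # a thin-file user). Route to another verification method instead of
    # recording it as a failed knowledge check.
    if DISCOVERY_KEY in failed:
        return "fallback_other_method", [DISCOVERY_KEY]

    return "deny", failed


# Constructed sample results (not real platform output).
ALL_PASS = dict.fromkeys(ALL_KEYS, "pass")
TOO_MANY_ATTEMPTS = {**ALL_PASS, "test.velocity": "fail"}
THIN_FILE = {**ALL_PASS, DISCOVERY_KEY: "fail",
             "test.KnowledgeBasedAuthentication": "fail",
             "test.kbaTransactionStatus": "fail"}
WRONG_ANSWERS = {**ALL_PASS, "test.KnowledgeBasedAuthentication": "fail"}

if __name__ == "__main__":
    for name in ("ALL_PASS", "TOO_MANY_ATTEMPTS", "THIN_FILE", "WRONG_ANSWERS"):
        print(name, triage(globals()[name]))
```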

Configuration Options & Decisions

📝

Content coming soon.

Testing & Expected Results

Requires 'no velocity' data source configuration for testing (contact [email protected]). Andrew Roshell = approve (select bottom-most answer to all questions). Andrea Roshell = deny (select top-most answer). See testing-kba-only.

Notes on Best Practices, Limitations & Requirements

US only. Requires sufficient credit/public record history to generate questions — thin-file users may not generate enough questions.

[SOURCE: https://docs.iddataweb.com/docs/lexis-nexis-kba]

Related Resources

→ Dynamic KBA Step | → Continuous Re-Authentication WF | → Adaptive MobileMatch WF | → Authoritative DB (LN InstantID) | → Intro to Checkers