Dynamic KBA
Overview
Dynamic KBA verifies identity by generating challenge questions from real financial, property, and public record history (via LexisNexis), then validating the user's answers. No document or device required. Typically used as a fallback or step-up when phone-based or document-based methods are unavailable.
Level of Assurance
Medium — knowledge-based corroboration. No possession or biometric factor.
User Friction Level
Medium — PII form + 4–5 multiple choice questions. Most users complete in under 2 minutes.
End User Requirements
US-based identity with sufficient credit and public record data. Knowledge of personal history (historical addresses, financial accounts, etc.). DOB required; SSN optional but improves match rate.
Speed
Real-time — questions generated in seconds; user-dependent for answers.
Supported Countries
United States only.
Use Cases & Fraud Prevention
- Fallback when the user cannot provide a government ID or does not have a registered mobile phone.
- Step-up from MobileMatch when PII cannot be corroborated via carrier data.
- CIP compliance — knowledge-based verification meets regulatory requirements in applicable contexts.
- Mitigates: synthetic identity fraud (fabricated identities lack real financial history), data breach exploitation (dynamic questions are harder to answer from stolen static data alone).
How It Works
The user submits their name, address, and date of birth (plus optional SSN). LexisNexis looks up the user in its records (test.discovery). If found, 4–5 dynamically generated multiple-choice questions are presented — drawn from financial, property, and education history. The user answers within the configured time limit.
Velocity checks enforce attempt limits. One retry with a new question set is available by default.
- All three assertions pass →
approve - Any assertion fails →
deny
The three assertions are sequential dependencies: test.discovery must pass for test.velocity to run; both must pass for questions to generate.
Configuration Options
Template Variations
- Standard KBA — dynamic questions, no SSN required (default)
- KBA + SSN collection — optional SSN input significantly improves match rate for thin-record users
Optional Add-ons
- Persistent ID (LexID) — assigns a stable cross-session identifier on approval
Integration: Gateway (OIDC)
Standard OIDC flow. See Gateway (OIDC) Integration. Questions are rendered in the ID Dataweb hosted UI — no question rendering required in your application.
Step-by-step Setup
- Navigate to the Workflow page in the Admin Console and deploy a workflow that includes Dynamic KBA.
- For testing, contact your ID Dataweb team to configure the "no velocity" data source on the preproduction endpoint.
Integration: ID Dataweb API
Dynamic KBA uses two /slverify calls: one to submit PII and receive questions, and one to submit answers.
sequenceDiagram
participant App as Your Application
participant IDW as ID Dataweb API
participant User as End User
Note over App,IDW: forwardApiKey from Session Risk = KBA step key
App->>IDW: POST /slverify (KBA key + PII + optional SSN)
IDW-->>App: forwardApiKey₂ + KBA questions
App->>User: Display KBA questions
User->>App: Submit answers
App->>IDW: POST /slverify (answer key + user answers)
IDW-->>App: policyDecision (approve or deny)
API Prerequisites
- Deploy the "KBA" Workflow by following the directions here.
- Obtain the access keys for your new workflow by following the directions here
- Download and use the KBA Postman Project to try it out
API Reference
KBA Config
KBA Config — Request:
```javascript
var data = {
"apikey": "YOUR_KBA_API_KEY", // -- obtained from step 1.1 --
"credential": "[email protected]",
"appID":"YOUR_APPLICATION_NAME",
"asi": "xxxxx-xxxx-xxxx-xxxx-xxxxx", // -- obtained from step 1.1 --
"userAttributes": [
{
"attributeType": "FullName",
"values": {
"fname": "John",
"mname": "",
"lname": "Smith"
}
},
{
"attributeType": "InternationalAddress",
"values": {
"country": "US",
"administrative_area_level_1": "CA",
"locality": "Vienna",
"postal_code": "12345",
"route": "May Street Town",
"street_number": "1234"
}
},
{
"attributeType": "DOB",
"values": {
"day": "10",
"month": "01",
"year": "1985"
}
}
]
}
var axios = require('axios')
var token = 'YOUR_BEARER_TOKEN' // -- see step 1 --
var request = async () => {
var response = await axios({
url: 'https://api.preprod.iddataweb.com/v1/kba/config',
method: 'post',
data: data,
headers: {
'Content-Type': 'application/json',
'Cache-Control': 'no-cache',
Authorization: 'Bearer ' + token,
}
})
var result = response.data
var questions = result.kbaQuestions.QuestionSet.Questions
console.log(result)
console.log(questions)
}
request();
```
<br />
### KBA Config — Response:
```json
{
"hasNext": false,
"asi": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx",
"errorCode": null,
"status": "success",
"message": null,
"userAttributes": null,
"acquiredAttributes": [
{
"provider": "Lexis Nexis",
"serviceOffering": "LexisNexis KBA",
"attributeType": "LexID",
"dateCreated": "09/08/2022 12:55:04",
"values": {
"lexID": "Not Provided"
}
}
],
"userAssertionList": [
{
"provider": "Lexis Nexis",
"serviceOffering": "LexisNexis KBA",
"dateAsserted": "09/08/2022 12:55:04",
"assertions": {
"test.velocity": "pass",
"test.discovery": "pass",
"test.KnowledgeBasedAuthentication": "unverified"
}
}
],
"kbaQuestions": {
"ConversationId": "31017794510665",
"QuestionSet": {
"QuestionSetId": 5169006631,
"Questions": [
{
"QuestionId": 14652579931,
"Key": 1010,
"Type": "singlechoice",
"Text": {
"Statement": "Which of the following addresses have you ever been associated with?"
},
"HelpText": {
"Statement": "The addresses listed may be partial, misspelled or contain minor numbering variations from your actual address"
},
"Choices": [
{
"ChoiceId": "79228485321",
"Text": {
"Statement": "11431 147th Street"
}
},
{
"ChoiceId": "79428485331",
"Text": {
"Statement": "123 Pinewood Street"
}
},
{
"ChoiceId": "79228285341",
"Text": {
"Statement": "208 East Dean Street"
}
},
{
"ChoiceId": "79228585351",
"Text": {
"Statement": "26 Mountainview Avenue"
}
},
{
"ChoiceId": "79228685361",
"Text": {
"Statement": "I have never been associated with any of these addresses"
}
}
]
},
{
"QuestionId": 14632879941,
"Key": 1020,
"Type": "singlechoice",
"Text": {
"Statement": "Which of the following street addresses in Schenectady have you ever lived at or been associated with?"
},
"HelpText": {
"Statement": "The addresses listed may be partial, misspelled or contain minor numbering variations from your actual address"
},
"Choices": [
{
"ChoiceId": "79228385371",
"Text": {
"Statement": "12 Main Street"
}
},
{
"ChoiceId": "79226485381",
"Text": {
"Statement": "1863 Foster Avenue"
}
},
{
"ChoiceId": "79228475391",
"Text": {
"Statement": "205 Morris Road"
}
},
{
"ChoiceId": "79528485401",
"Text": {
"Statement": "215 Shereen Court"
}
},
{
"ChoiceId": "79328485411",
"Text": {
"Statement": "None of the above or I am not familiar with this property"
}
}
]
},
{
"QuestionId": 14652879951,
"Key": 5401,
"Type": "singlechoice",
"Text": {
"Statement": "Which of the following colleges have you attended?"
},
"HelpText": {
"Statement": "Select the college you have attended."
},
"Choices": [
{
"ChoiceId": "79224485421",
"Text": {
"Statement": "Allan Hancock College"
}
},
{
"ChoiceId": "79228685431",
"Text": {
"Statement": "Cuesta College"
}
},
{
"ChoiceId": "79228485441",
"Text": {
"Statement": "Emory University"
}
},
{
"ChoiceId": "79228475451",
"Text": {
"Statement": "St. Norbert College"
}
},
{
"ChoiceId": "79268485461",
"Text": {
"Statement": "None of the above"
}
}
]
}
]
}
}
}
```Step-by-step Setup
- Use the
forwardApiKeyfrom Session Risk as the KBA step key. - Submit PII in the first
/slverifycall — the response contains the questions and a newforwardApiKey. - Display questions to the user and collect answers in your application UI.
- Submit answers in the second
/slverifycall using the answerforwardApiKey. - Implement velocity tracking in your application — if the user hits the limit (3+ failures or 6+ question generations in 7 days), route to an alternate verification method.
Contact your ID Dataweb team for the Dynamic KBA Postman Collection with preproduction credentials and no-velocity data source configuration.
Configuration Options — API-specific
Policy Components & Assertions
| Assertion | What it checks |
|---|---|
test.discovery | User found in LexisNexis records |
test.velocity | User has not exceeded attempt limits |
test.KnowledgeBasedAuthentication | User answered the required number of questions correctly |
All three must pass for policyDecision = approve. They run as sequential dependencies — discovery must pass before velocity runs; both must pass before questions are generated.
Velocity thresholds (default): 3+ failed answer attempts or 6+ question generation requests within 7 days triggers a lockout for that identity.
Error Handling & Troubleshooting
test.discovery = Fail: User not found in LexisNexis records — check PII accuracy, ensure DOB is correct, consider enabling SSN collection. Thin-record users (young, recently moved, limited credit history) will frequently fail discovery.test.velocity = Fail: Attempt limit hit — do not retry. Route to Government ID and Selfie Match or an alternate method.test.KnowledgeBasedAuthentication = Fail: Wrong answers — consider Government ID and Selfie Match for users with thin financial/property history.- Check LexisNexis transaction event codes in the Transaction Report for detailed failure codes (e.g.,
individual_not_located,failed_iauth_questions,denial_cumulative_transaction_activity_frequency). - Preproduction testing requires a "no velocity" data source configuration — contact your ID Dataweb team.
Testing in Preproduction
Testing Options
- Gateway (Try Now): Admin Console with KBA test data. Requires "no velocity" data source configuration — contact your ID Dataweb team.
- API: Contact your ID Dataweb team for the Dynamic KBA Postman Collection with preproduction endpoint and no-velocity configuration.
Test Credentials and Values
| Scenario | Input | Expected Result |
|---|---|---|
| Approve | Andrew Roshell — select bottom-most answer to all questions | approve |
| Deny | Andrea Roshell — select top-most answer to all questions | deny |
Step-by-step How to Test
- Approve: Enter Andrew Roshell data → questions generated → select the bottom-most answer for every question → expect
approve. - Deny: Enter Andrea Roshell data → questions generated → select the top-most answer for every question → expect
deny. - Requires "no velocity" data source in preproduction — contact [email protected] to configure.
Interpreting Results
policyDecision = approve when all three assertions pass: discovery, velocity, and KnowledgeBasedAuthentication.
policyDecision = deny when any assertion fails. Check the failed assertion and LexisNexis transaction event codes in acquiredAttributes for specific failure reasons.
Related Resources
→ NIST IAL2 | → Government ID and Selfie Match | → Session Risk | → Dynamic KBA - LexisNexis Checker | → Gateway (OIDC) Integration
Updated 2 days ago