The End of Security Questions: Why KBA is Dead
March 12, 2025
Security Strategy
Figure 1: The decline of static knowledge credentials
The "Mother's Maiden Name" Paradox
For 30 years, banks and telcos have relied on Knowledge Based Authentication (KBA).
"What was your first car?"
"What street did you grow up on?"
In 2010, this was "secret" info.
In 2025, it's public domain.
The LLM Scraping Threat
Generative AI agents can now scrape 15 years of social media history in seconds.
- That photo of your first Honda Civic on Instagram (2014)? AI knows your first car.
- That "Throwback Thursday" post about your childhood home? AI knows your street.
Static vs. Dynamic Credentials
Passwords and KBA answers are static: once stolen, guessed or scraped, they remain valid until the victim changes them, and a captured answer can be replayed as many times as the attacker likes.
Voice is dynamic, with caveats.
- Breaching the enrolment database yields a derived template, not a secret the attacker can type back in; the stored voiceprint is compared against a live sample, never replayed as-is.
- It requires "liveness" to work: the system is only as strong as its check that a real person is speaking right now, typically a fresh random phrase plus anti-spoofing analysis of the audio.
- Because each attempt is tied to the current session and phrase, a recording captured earlier cannot be replayed against a properly configured detector. The realistic attack is synthesized or cloned speech, which is exactly what the liveness and anti-spoofing layers exist to catch.
The Cost of Friction
Beyond security, KBA is the #1 cause of customer frustration.
- Average time to answer 3 KBA questions: 45 to 60 seconds.
- Failure rate: 15 to 20%, mostly legitimate customers who have forgotten their own answers.
- Passive voice authentication: about 3 seconds of natural conversation, with no questions asked.
Moving Forward
The industry is shifting to "Inherence" factors (Who you are) over "Knowledge" factors (What you know).
If your security relies on your customer's memory, your attackers already have the answers.
Upgrade to Biometrics.