Knowledge-based authentication (KBA) refers broadly to authentication methods that rely on private user information to secure access to a user secret or to a remote resource. Examples of such user secrets include digital signatures, encryption keys, private computing resources, and private data such as credit card numbers. A commonly employed method of KBA hides user secrets using a password or PIN, and then requires exact reproduction of that password or PIN to recover the secret. Another KBA technique asks the user to demonstrate knowledge of recent computer activity or transactions before allowing access to further transactions. A disadvantage of the above methods is that the user must memorize and exactly reproduce a value that may not be memorable. In cases where the user forgets the exact password, for example, the user will typically require third-party intervention to reset or recover the password. This costs time, effort, and money. Authentication technologies employing hardware such as tokens also achieve high levels of security, but usually at an even higher implementation and support cost.
A potentially more convenient and user-friendly method of KBA asks the user a series of questions to help establish identity during an "enrollment" or initialization step. The user secret is then encrypted using the answers provided to these questions. To recall the secret, the same set of questions is asked, and reproduction of the correct set of answers successfully authenticates the user. The set of questions might be personal questions for which the answers are memorable, and which only the user is likely to know, e.g. "What is your mother's maiden name?" or "What was the name of your first pet?" Despite its convenience, this method of KBA may be less secure than some other data encryption technologies, making its implementation risky. The secret answers may be susceptible to dictionary attack, the answers to some user questions may be found in the public record, or the answers could be available at some cost or effort on the attacker's part.