In knowledge-based authentication (KBA), an organization asks a user questions about particular personal information. Such questions may include “when were you married?”, “what was the make and model of your first car?”, and “what was the name of your first pet?”. The user must answer the question correctly in order to prove to the organization that he or she is not an imposter.
A conventional KBA service provider forms the set of questions that an organization presents to users from data acquired through an information source. Examples of a suitable information source include credit bureaus, public records, and corporate data.
Along these lines, suppose that a conventional KBA service provider retrieves emails from a Microsoft Exchange® server. When an organization wishes to authenticate a user within the organization, the KBA system retrieves an email sent to the user that discusses a meeting with another person at a particular time and place. The KBA system then forms questions from data in the email (e.g., “With whom did you meet in Conference Room A at 10 AM last Thursday?”).
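The question-forming step described above can be sketched as follows. This is an added example, not code from the original text or from any KBA product: the sample email, the names in it, the assumed invitation phrasing matched by `MEETING_RE`, and the helpers `build_question` and `check_answer` are all constructed for illustration.

```python
import hmac
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; names, addresses and wording are invented.
SAMPLE_EMAIL = """\
From: Dana Reyes <dana.reyes@example.com>
To: Sam Okoro <sam.okoro@example.com>
Subject: Budget review
Date: Tue, 04 Mar 2025 16:12:00 +0000

Hi Sam, let's meet in Conference Room A at 10 AM on Thursday to go over the budget.
"""

# Assumed phrasing of a meeting invitation: "meet in <place> at <time> on <day>".
MEETING_RE = re.compile(
    r"meet in (?P<place>[A-Z][\w ]*?) at "
    r"(?P<time>\d{1,2}(?::\d{2})? ?[AP]M) on (?P<day>\w+day)"
)

def normalize(text):
    """Fold case, Unicode compatibility forms and runs of whitespace."""
    folded = unicodedata.normalize("NFKD", text).casefold()
    return " ".join(folded.split())

def build_question(raw_email):
    """Return (question, expected_answer), or None if no meeting is described."""
    msg = message_from_string(raw_email)
    sender_name, _ = parseaddr(msg["From"])
    match = MEETING_RE.search(msg.get_payload())
    if not sender_name or match is None:
        return None  # nothing in this email to ask about
    question = "With whom did you meet in {place} at {time} last {day}?".format(
        **match.groupdict()
    )
    return question, sender_name

def check_answer(expected, supplied):
    """Compare normalized answers in constant time."""
    return hmac.compare_digest(
        normalize(expected).encode(), normalize(supplied).encode()
    )
```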