Anil John
Making Digital Services Secure and Trustworthy

Anil John

What are KBA Metrics?

 Tweet  Share  Share  Comment  Print  Email

There is currently a discussion going on in the Identity Ecosystem Steering Group (IDESG) regarding knowledge based authentication (KBA) metrics. I am a bit unsure about what is being sought by the IDESG from a standards development organization (SDO). This blog post is an attempt at framing the questions, as I understand them, to determine if there is value here, or if it is the application of makeup to porcine livestock.

Currently, there is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing […] In order to help establish a common understanding of KBA and remote identity proofing services, it is proposed that standardized approaches are developed to:

1) determine the accuracy and efficacy of KBA and remote proofing techniques. This may include requirements for the currency and validity of the information used in the proofing or the development of the KBA questions; and

2) report failure rates of KBA systems. In addition to standardizing validity criteria for data and processes used in the proofing process or KBA question development, this standard will establish reporting requirements for false acceptance, false rejections, and failure to enroll.

Performance metrics for knowledge based authentication (KBA) for remote identity proofing

My first impression when I read the above was that there are too many items at varying levels of granularity (remote identity proofing, what is KBA, KBA questions, reporting etc.) being asked for. And it feels as though 'remote identity proofing' and 'KBA' are being conflated.

So, in generating questions, zooming out and considering the steps needed to 'identity proof’ someone may be helpful:

  1. Establishing the uniqueness of an individual within a population (Identity Resolution)
  2. Confirming the accuracy of identity information claimed by an individual (Identity Validation)
  3. Confirming that the claimed identity information is linked to the individual making the claim (Identity Verification)

The above steps tend to be independent of delivery channel or type of encounter (in-person vs. remote). So I would drill deeper into each bucket to see what is metrics-worthy in each bucket:

Identity Resolution
Identity Validation
Identity Verification
  • This can range from in-person visual checks to what folks typically mean when they speak of KBA i.e. use of out-of-wallet questions
  • I would expect to find a lot of intellectual property tied up around this particular area that vendors may be unwilling to part with
  • There may be innovative approaches that are not in common practice and understanding the various trade-offs associated with each would be helpful

My sense, from the above, is that there is definite value in more studies, rigorous analysis and in establishing quantitative criteria that would allow an RP to evaluate the identity resolution capabilities of competing offerings. As to identity validation, I would put my energy around implementing a public sector identity validation service instead of chasing the chimera of the value of transaction exhaust! And I am interested in innovative approaches to identity verification but remain open to being surprised regarding the availability of open data studies on the topic.

Question: What innovative approaches to remote identity verification exist, and are being used in the market right now?

RELATED INFO


Did you find this interesting? Don't miss any new posts. Sign up to automatically receive them now!

I will never share, rent, or sell your information to anyone. Cancel anytime.

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.

Topic(s):
By on |

Continue The Conversation ...

I would love to know your thoughts on this blog post. Please leave a comment below!

I am a digital security coach. I help technical leaders make digital services secure and trustworthy. Learn more »

Free Updates

I will never share, rent, or sell your information to anyone