You’ve likely been prompted with a question like “What was your mother’s maiden name?” when attempting to log into an account that contains personally identifiable information. Questions like this are commonly used to vet the identity of the account owner and prove that they are who they say they are. Knowledge-based authentication (KBA) is a component of the identity verification process that aids in systematically verifying end-user identities.
You may ask, “Why is this an important component of user onboarding?” Due to certain regulations, additional due diligence may be required to verify the identity of individuals wishing to conduct a financial transaction. In a previous blog post, we covered the ins and outs of our Customer Identification Program (CIP) and how this impacts Clients building applications that leverage the Dwolla Platform. In this post we’ll cover how KBA can benefit Dwolla Clients and what the KBA flow looks like, from an API perspective.
A common pain point we hear from clients surrounds onboarding their end users to the Dwolla Platform. Use cases that involve creating Verified Customer Records may involve multiple steps that require interaction from the end user in order to complete verification. Once a client gathers and submits required information from an end user to Dwolla, the identity data is checked against information records. Depending on a risk score of that data, the user may not be systematically verified and may instead be placed in a `document` status where they need to upload an image of a government-issued ID for verification. Document verification can introduce added complexity to a client’s integration and add delays to getting users onboarded, which is why we turned to KBA as a solution to streamline the onboarding process.
Saving Time and Getting Users Online
A big value add for businesses that implement KBA is getting end users online more quickly with minimal friction in the experience. Adding KBA as a component of the identity verification process reduces the number of users that may be placed in a `document` status. Historically, document review is a manual process that can take one to two business days to complete, with added time if documents are uploaded on a weekend. An extended review can lead to users abandoning the registration process altogether. At Dwolla we’re constantly looking at ways to automate manual processes that provide benefits to our clients and our internal teams.
The KBA flow
KBA is a status that is triggered by a failed retry verification attempt. At this point in the verification process, we’ve attempted to systematically verify the end user’s identity without success. There are many factors that could lead to an unsuccessful initial verification attempt. A few examples include a user fat-fingering their identifying information or onboarding users with newly issued SSNs. Introducing KBA places the end user in a state where they can complete verification in seconds versus hours or days. The KBA flow introduces the concept of establishing a session that persists for up to two minutes, during which the user will have to answer three or four out-of-wallet questions correctly in order to pass verification.
There are three steps you need to follow in order to complete the KBA flow:
Step 1 – Initiate the KBA session
The first step in the KBA flow is to make a request to the Dwolla API to generate a unique KBA ID which is used to represent the KBA session. The question-answer session of two minutes doesn’t begin until a client application calls the Dwolla API to retrieve KBA sessions with the unique KBA ID.
Step 2 – Retrieve KBA questions
Once the KBA ID is created, your application will have a single attempt to retrieve and answer the question set returned from the Dwolla API. Upon a successful request to retrieve the question set, your end user will have two minutes to complete the submission of their selected answers.
Step 3 – Answer KBA questions
Questions and answers will have their own unique identifiers that will be sent to Dwolla for scoring. If the user answers three out of four questions correctly then they will pass verification. Failure to pass the Q&A verification step will result in the user being placed in a `document` status.
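The three steps above, modeled as an added example (not Dwolla's code or API): a hypothetical in-memory `KbaSession` that a client team could use as a test stand-in for the single retrieval attempt, the two-minute window and the three-of-four threshold. The class and method names, the `verified` label, the sample IDs and treating an expired window as a failure are assumptions.

```python
import secrets
import time

SESSION_SECONDS = 120   # page: two-minute answer window
PASS_THRESHOLD = 3      # page: three of four correct answers pass


class KbaSession:
    """Hypothetical model of one KBA session (not Dwolla's implementation)."""

    def __init__(self, answer_key, clock=time.monotonic):
        self.kba_id = secrets.token_urlsafe(16)  # Step 1: unique, unguessable ID
        self._key = dict(answer_key)             # question ID -> correct answer ID
        self._clock = clock
        self._deadline = None                    # timer is idle until retrieval
        self._closed = False

    def retrieve_questions(self):
        # Step 2: one retrieval attempt only; it starts the two-minute timer.
        if self._deadline is not None:
            raise PermissionError("question set already retrieved")
        self._deadline = self._clock() + SESSION_SECONDS
        return sorted(self._key)

    def submit_answers(self, answers):
        # Step 3: score exactly once; failures fall back to `document`.
        if self._deadline is None or self._closed:
            raise PermissionError("no open question set to answer")
        self._closed = True
        if self._clock() > self._deadline:
            return "document"                    # assumption: expiry is a failure
        correct = sum(
            secrets.compare_digest(str(answers.get(q, "")), str(a))
            for q, a in self._key.items()
        )
        # "verified" is an assumed label for the passing outcome.
        return "verified" if correct >= PASS_THRESHOLD else "document"


class FakeClock:
    """Constructed clock so expiry can be exercised without waiting."""
    now = 0.0

    def __call__(self):
        return self.now


# Constructed sample answer key: question ID -> correct answer ID.
SAMPLE_KEY = {"q1": "a12", "q2": "a23", "q3": "a31", "q4": "a44"}
```

Passing `clock=FakeClock()` lets a test suite cover the expired-session path and the refused second retrieval deterministically.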
Try it out
Dive into our developer documentation to learn more about how to take KBA for a test drive in our sandbox environment to simulate what the experience would be in production. By adding KBA to the verification flow, businesses onboarding personal Verified Customer Records are able to offer additional value for their end users by getting them online quicker.
For more information on how to enable KBA accounts for your existing production application,