Gartner Blog Network

The Death of KBA; Secret life questions fluster Obamacare applicants

by Avivah Litan  |  October 23, 2013  |  2 Comments

Just as we predicted (actually it didn’t take a rocket scientist to predict this), KBA (knowledge-based authentication, or secret questions based on life history to validate an identity) has been a flop on the Obamacare exchange websites, adding insult to injury. The topic even made its way to the human interest story on the front page of today’s Wall Street Journal, which documented how Americans needing health care insurance couldn’t satisfactorily answer the secret life history questions needed to pass the electronic application process. After all, who can remember the color of your first bicycle when you can’t even remember what you did two weeks ago, recounts an interviewee in the article.

KBA is on life support. It was already ineffective, and now everyone knows it’s been compromised systematically by some of the most organized criminal gangs around.

Experian, LexisNexis, Kroll, Dun & Bradstreet and other breached data brokers must be furiously trying to dig themselves out of this hole. Frankly, I feel for them because securing the food chain of clients that have access to this sensitive data is a very tall task. And securing the systems against advanced threats is an equally tall task.

But at a minimum, they may want to stop selling identity theft protection services to consumers. It seems to be a conflict of interest, don’t you think?

As for the government and the healthcare exchanges, all they had to do was ask around and they could have easily avoided this latest disaster.


Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection.

Thoughts on The Death of KBA; Secret life questions fluster Obamacare applicants

  1. Anil John says:

    Fully agree that the use of KBA for identity proofing and the compromises at the data brokers are a bad thing, and that it affects many online interactions that require higher assurances of identity.

    At least in the U.S., an alternative in the long term may very well be using Government Agencies (whether at the Federal or State/Tribal level) who are tasked with identity establishment (i.e. already manage vital records) as authoritative sources. But there are significant policy, politics and process barriers around that, so that is not a near term option.

    In order to not classify this under the TBU (True But Useless) category, I am interested in understanding what you would propose as an alternative to KBA for remote identity proofing particularly at LOA 2 and LOA 3.

  2. Avivah Litan says:

    Hi, I have a research note on that that defines Four Layers of Identity proofing. Are you a Gartner client? I can send you the note. There are many different measures that can be employed to gain assurance.

    Also in terms of KBA, not all KBA information has been compromised. For example, questions based on internal customer/account information (if it exists) are more effective and successful and presumably still confidential.

    Thanks for the feedback


Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.