Knowledge Based Authentication (KBA) is an available option for signer authentication. The KBA process involves presenting the signer with a series of questions that have been generated from public data sources in order to ensure they are the authentic party designated to sign a document.
Because the KBA process involves the handling of sensitive customer data during the signing session and this process incurs a cost, the KBA feature set must be enabled and configured by the AssureSign staff. When Knowledge Based Authentication has been enabled by the AssureSign support staff, you will see the setting "Knowledge Based Authentication" under the "Signer Authentication" section, and your KBA provider will be shown.
Your AssureSign representative will configure settings that require consideration of your use case. In addition, certain restrictions may be required based on your contract specifications.
Some important options you must consider are:
- KBA questions presented to signers are generated based on information about the signer you submit to us prior to signing presentation. The best practice is that this information is submitted through the pre-defined Template parameters designed for this purpose. However, you have the option of allowing the signer to enter that initial information, in whole or in part. You may indicate one of the following:
- Allow signers to be presented with providing any information required to generate KBA questions
- Do not allow signers to be presented with providing any information required to generate KBA questions
If you intend to always pass all required information about the signer during the Submit operation, then you should request that your account be configured to not allow signers to be presented with that information. However, if your use case allows for signers to be presented with these questions then you may want to request that your account be configured to allow this option.
Presentation of KBA questions results in a billable charge. Once a signer completes the authentication process, they will be provided with a PIN that will allow them to return to their signing session when "Enable Reauthentication Password" has been turned on in the "Signer Authentication" section. Should the signer lose their PIN, allowing them to enter without evidence of the KBA completion would be insecure. However, requiring them to perform KBA questions will result in additional costs. To control costs, you may select to not allow re-authentication for returning signers that have lost their signing PIN.
You may allow signers to skip up to 1 question. If this is enabled, the signer will still be required to complete the same number of questions as if a skip had not occurred.
Once KBA has been enabled on your account, then you may select to require its use on a per signatory basis when workflow is defined on a template. Refer to the article on standard template parameters for KBA question generation for detailed information. You may select to change the names of the parameters; this might be useful in the case that you have already defined custom parameters for population of data in the document and would like to pass this data only once. However, note that some of the KBA related parameters are also used for general use elsewhere, for example the first and last name parameters are also shared with the default first and last name signer parameters.
Note that you may also require a password for access to documents that are protected as well by KBA. In this case, the signer will be asked for their password, followed by KBA authentication. If they leave and return after completing the KBA questions, they will be prompted for the KBA PIN provided to them after successful KBA.
When a signer is presented with KBA questions and fails the process, then the document will be cancelled.
When document signing is complete on a document requiring KBA for signing access, it is possible starting with AssureSign version 4.12 to apply a fixed text JotBlock after signing completion that contains information about completed KBA events. This may be desirable in the case that a third party requires some visual indication of the authentication performed applied to the document.