Overview
Knowledge-based authentication (KBA) is a premium second-factor authentication method that secures a high-level verification of identity. KBA is only valid for vetting the identity of US-based recipients.
The authentication process challenges the recipient to enter their first and last name in addition to their home address. The recipient may optionally enter the last four digits of their US social security number.
The information entered is used to query multiple public databases, generating a list of three to four nontrivial questions for the recipient.
Example questions:
- Select the correct house number of the address you shared with {some name}
- Which of the following aircraft have you owned
- In which of the following cities have you attended college
- From whom did you purchase the property {some address}
- Which age range matches the age of {some name}
Once the authentication is passed, the recipient is granted access to view and interact with the agreement.
If the recipient closes out the agreement for any reason before completing their action, they will have to re-authenticate.
To secure against brute force attempts to authenticate, the KBA method can be configured to cancel the agreement after a defined number of failed attempts.
Knowledge Based Authentication is available to the business and enterprise service plans only.
KBA is a premium authentication method that has a per use charge.
- KBA is only applicable to US based recipients
- 50 free KBA transactions are included for new accounts
- Contact your reseller or sales agent to purchase additional transactions
A note about the recipient's personal data
Knowledge Based Authentication is a service provided through a partnership powered by InstantID Q&A from LexisNexis.
The challenge page is an iframe to the LexisNexis service. All recipient data entered and returned during the authentication process exists solely within the LexisNexis frame, and never transits the Adobe Acrobat Sign service.
Once LexisNexis verifies the recipient, an authentication token is passed to Acrobat Sign approving access. The tokenID is stored in the Audit Report as part of the successful authentication record.
Configuring the Knowledge Based Authentication method when composing a new agreement
When KBA is enabled, the sender can select it from the Authentication drop-down just to the right of the recipient's email address:
An optional configuration of the KBA method may require that the sender insert the recipient's Name.
This option ensures that the name of the recipient remains consistent throughout the lifespan of the transaction.
If KBA is not an option for the sender, then the authentication method is not enabled for the group from which the user is sending.
Consumption of premium authentication transactions
As a premium authentication method, KBA transactions must be purchased and available to the account before agreements can be sent with KBA configured.
KBA transactions are consumed on a per-recipient basis.
e.g., An agreement configured with three recipients authenticating by KBA consumes three authentication transactions.
Configuring an agreement with multiple recipients decrements one transaction for each recipient authenticating by KBA from the total volume available to the account.
- Canceling a Draft agreement with KBA configured returns all KBA authentication transactions back to the total volume available for the account
- Canceling an In-progress transaction does not return the authentication transaction to the total volume available for the account
- Changing an authentication method to KBA (from any other method) consumes one transaction
- If you change the same recipient back and forth between KBA and other methods, you only consume one transaction total
- If you change the same recipient back and forth between KBA and other methods, you only consume one transaction total
- Changing the authentication method from KBA to another method does not return the transaction
- Each recipient authenticating with KBA consumes only one transaction, no matter how many times they attempt the process
Track available volume
To monitor the volume of KBA transactions available to the account:
- Navigate to Account Settings > Send Settings > Identity Authentication Methods
- Click the Track Usage link:
Accounts that have purchased the service under the VIP licensing program have a modified format Track Usage pop-out to represent better the number of transactions within the context of their licensing scheme.
KBA transactions are an account-level resource.
All groups that enable KBA consume their volume from the same communal pool of transactions.
Audit Report
A successful KBA identity verification is explicitly logged in the audit report with the authentication token provided by LexisNexis.
If the agreement is canceled due to the recipient being unable to authenticate, the reason is explicitly stated:
Best Practices and Considerations
- If second-factor signature authentication isn't required for your internal signatures, consider the Acrobat Sign Authentication method instead of KBA to reduce the friction of signing and save on the consumption of the premium authentication transactions
Configuration Options
Knowledge-based authentication has two sets of controls, which are available to be configured at the account and group levels:
- Send Settings, which control the sender's access to, and configuration of, the KBA option
- Security Settings, which govern the recipient's experience
Enable the authentication method under Send Settings
The option to use knowledge-based authentication can be enabled for senders by navigating to Send Settings > Identity Authentication Methods
- Knowledge-based authentication checkbox - When checked, KBA is an available option for the agreements composed in the group
- (Optional) Require signer name on the Send page - When checked, senders are required to provide the Name of the recipient. This name value persists throughout the signature cycle; the recipient is not allowed to change it
- Enabling this option prevents delegation of the agreement by the recipient (including auto-delegation)
- Replace Signer will work for the sender from the modern Manage page
- (Optional) Use KBA when viewing the agreement after it has been signed - When enabled, any attempt to access the online agreement stored in Acrobat Sign via link will prompt the requester to re-authenticate using the KBA process (See below)
- Note: This authentication only challenges access to the original agreement via link, and is different than the password protection to view an agreement's PDF
- Note: This authentication only challenges access to the original agreement via link, and is different than the password protection to view an agreement's PDF
- (Optional) Once KBA is enabled, you can define it as the default method to be offered when composing a new agreement
- Save the change to the page
Require authentication to view the original online agreement via web link
Email templates, like the post-signature verification to the recipient, can contain a link to the original agreement on the Acrobat Sign servers:
By enabling the Use KBA when viewing the agreement after it has been signed setting, any attempt to access the agreement via link will be challenged to re-authenticate the recipient's identity via KBA.
- This setting is embedded into the agreement when it is created. Changing the setting does not change the experience for agreements that are already in process
- If the identity verification method is changed for the recipient, the authentication to view the agreement via link is disabled
- Every time a recipient authenticates to view the agreement, premium authentication transactions are consumed
The challenge process is exactly the same as the original recipient authentication process:
The agreement will not open for viewing until the KBA is properly resolved.
There is no option to edit or disable the authentication after the recipient has signed and completed their action.
Configure the Security Settings
Knowledge Based Authentication has three configurable options that can be found on the Security Settings page:
- Restrict number of attempts - Enabled by default, this check box enables the security option to cancel the agreement if a recipient fails to authenticate within the defined number of. If disabled, recipients can try to authenticate an unlimited number of times
- Allow Signer XX attempts to validate their identity before cancelling the agreement - The admin can enter any number to limit the number of attempts to authenticate. Once the number of attempts is crossed, the agreement is automatically canceled
- Knowledge Based Authentication difficulty level - Defines the complexity of the validation process:
- Default - Signers will be presented with 3 questions and will be required to answer them all correctly. If they only answer 2 correctly, they will be presented with 2 more questions and will be required to answer them both correctly
- Hard - Signers will be presented with 4 questions and will be required to answer them all correctly. If they only answer 3 correctly, they will be presented with 2 more questions and will be required to answer them both correctly
If you do not see the settings available in your menu, verify that the authentication method is enabled on the Send Settings page
Automatic agreement cancelation when a recipient fails to authenticate
If the settings restrict the number of KBA authentication attempts, and the recipient fails to authenticate that number of times, the agreement is automatically canceled.
The agreement's originator is sent an email announcing the cancelation with a note identifying the recipient that failed to authenticate.
No other parties are notified.
