Enable a method of authentication for recipients in the United States using the recipient's public information sourced from multiple public databases.
Overview
Knowledge-based authentication (KBA) is a premium second-factor authentication method that secures high-level identity verification. KBA is only valid for vetting the identity of US-based recipients.
The authentication process challenges the recipient to enter their first and last name and home address. The recipient may optionally enter the last four digits of their US social security number.
After successfully answering several questions, the recipient can interact with the agreement.
Availability:
Knowledge-based authentication is available for enterprise license plans only.
KBA is a premium authentication method that has a per-use charge:
- Transactions must be purchased through your Adobe sales representative.
- Transactions are an account-level resource. All groups consume from the same global pool.
Configuration scope:
The feature can be enabled at the account and group levels.
KBA is only applicable to US-based recipients.
How it's used
When the recipient accesses the Review and sign link, they are delivered to the KBA identity verification page, where they are prompted to enter their name and address:
The information entered is used to query multiple public databases, generating a list of three to four nontrivial questions for the recipient.
Example questions:
- Select the correct house number of the address you shared with {some name}
- Which of the following aircraft have you owned
- In which of the following cities have you attended college
- From whom did you purchase the property {some address}
- Which age range matches the age of {some name}
Once the authentication is passed, the recipient can interact with the agreement.
If the recipient closes the agreement for any reason before completing their action, they must re-authenticate.
To secure against brute force attempts to authenticate, the KBA method can be configured to cancel the agreement after a defined number of failed attempts.
Configuring the Knowledge-Based Authentication method when composing a new agreement
When KBA is enabled, the sender can select it from the Authentication drop-down just to the right of the recipient's email address:
An optional configuration of the KBA method may require that the sender insert the recipient's Name.
This option ensures that the name of the recipient remains consistent throughout the lifespan of the transaction.
If KBA is not an option for the sender, then the authentication method isn't enabled for the group from which the user is sending.
Consumption of premium authentication transactions
As a premium authentication method, KBA transactions must be purchased and available to the account before agreements can be sent with KBA configured.
KBA transactions are consumed on a per-recipient basis.
e.g., An agreement configured with three recipients authenticating by KBA consumes three authentication transactions.
Configuring an agreement with multiple recipients decrements one transaction for each recipient authenticating by KBA from the total volume available to the account.
- Canceling a Draft agreement with KBA configured returns all KBA authentication transactions back to the total volume available for the account.
- Canceling an In-progress transaction does not return the authentication transaction to the total volume available for the account.
- Changing an authentication method to KBA (from any other way) consumes one transaction.
- If you change the same recipient back and forth between KBA and other methods, you only consume one transaction total.
- If you change the same recipient back and forth between KBA and other methods, you only consume one transaction total.
- Changing the authentication method from KBA to another method does not return the transaction.
- Each recipient authenticating with KBA consumes only one transaction, no matter how many times they attempt the process.
Track available volume
To monitor the volume of KBA transactions available to the account:
- Navigate to Send Settings > Signer Identification Options
- Select the Track Usage link:
Accounts that have purchased the service under the VIP licensing program have a modified format Track Usage pop-out to represent better the number of transactions within the context of their licensing scheme.
Audit Report
A successful KBA identity verification is explicitly logged in the audit report with the authentication token provided by LexisNexis.
If the agreement is canceled due to the recipient being unable to authenticate, the reason is explicitly stated:
Best Practices and Considerations
- If second-factor signature authentication isn't required for your internal signatures, consider the Acrobat Sign Authentication method instead of KBA to reduce the friction of signing and save on the consumption of the premium authentication transactions.
Configuration Options
Knowledge-based authentication has two sets of controls, which are available to be configured at the account and group levels:
- Send Settings control the sender's access to and configuration of the KBA option.
- Security Settings govern the recipient's experience insofar as how many attempts they can make before the agreement is canceled.
Enable the authentication method under Send Settings
The option to use knowledge-based authentication can be enabled for senders by navigating to Send Settings > Signer Identification Options
- Knowledge-based authentication checkbox - When checked, KBA is an available option for the agreements composed in the group.
- (Optional) Require signer name on the Send page - When checked, senders must provide the recipient's Name. This name value persists throughout the signature cycle; the recipient cannot change it.
- Enabling this option prevents delegation of the agreement by the recipient (including auto-delegation).
- Replace Signer will work for the sender from the modern Manage page.
- (Optional) Once KBA is enabled, you can define it as the default method when composing a new agreement.
- Save the change to the page.
Configure the Security Settings
Knowledge-Based Authentication has three configurable options that can be found on the Security Settings page:
- Restrict number of attempts - Enabled by default, this checkbox enables the security option to cancel the agreement if a recipient fails to authenticate within the defined number of. If disabled, recipients can try to authenticate an unlimited number of times.
- Allow Signer XX attempts to validate their identity before cancelling the agreement - The admin can enter any number to limit the number of attempts to authenticate. Once the number of attempts is crossed, the agreement is automatically canceled.
- Knowledge-Based Authentication difficulty level - Defines the complexity of the validation process:
- Default - Signers will be presented with three questions and must answer them correctly. If they only answer two correctly, they will be given two more questions and required to answer them correctly.
- Hard - Signers will be presented with four questions and must answer them correctly. If they only answer three correctly, they will be given two more questions and required to answer them correctly.
If you don't see the settings in your menu, verify that the authentication method is enabled on the Send Settings page.
Automatic agreement cancellation when a recipient fails to authenticate
If the settings restrict the number of KBA authentication attempts, and the recipient fails to authenticate that number of times, the agreement is automatically canceled.
The agreement's originator is sent an email announcing the cancellation with a note identifying the recipient who failed to authenticate.
No other parties are notified.