Knowledge-Based Authentication (KBA)

The KBA challenge method represents the knowledge factor in SCA. When enabled, cardholders must correctly answer security questions configured by the issuer.

Knowledge Factor

Proves the cardholder knows personal security answers.

Flexible Questions

Support for string entry, single select, multi select, and date questions.

Card Link Integration

Questions and answers provided via Card Link API.


How It Works

  1. Issuer provides questions and answers via Card Link
  2. Cardholder initiates a transaction
  3. Apata presents configured questions
  4. Cardholder answers the questions
  5. Apata verifies answers and proceeds or fails

Configuration

Basic Settings
| Field | Description |
| --- | --- |
| Name | User-friendly identifier |
| Alias | Unique identifier (alphanumeric, dashes, underscores). Cannot be changed after creation. |
| Description | Optional details about the method |

Question Settings

| Field | Description |
| --- | --- |
| Number of Questions to Answer | How many questions must be answered correctly to pass |
| Number Incorrect Permissible | How many wrong answers are allowed without failing |
| Retries | Max times cardholder can request a new set of questions |
| TTL | Time limit to complete challenge (default: 300 seconds) |

⚠️ The sum of Number of Questions to Answer + Number Incorrect Permissible must not exceed the total questions configured.

Example:

  • 3 questions presented
  • 2 must be answered correctly
  • 1 incorrect answer permitted
  • Cardholder can miss 1 question and still pass

Authentication Method

| Field | Description |
| --- | --- |
| Default Value | (06) KBA - reported to payment schemes |
| Matchers | Override auth method value based on Protocol Version |

Question Types

Questions are provided via Card Link in the kba property of the API response.

String Entry

Single text answer question (type STRING_ENTRY).

{
  "question": "What is your favourite colour?",
  "type": "STRING_ENTRY",
  "answer": "blue",
  "answerFormat": "PLAIN_TEXT"
}

Answer Formats

Plain Text

PLAIN_TEXT - Answer provided as plain text (neither hashed nor encrypted).

Supported for all question types.

SHA-256 Hash

HASH_SHA_256 - Answer hashed with SHA-256 and encoded in HEX.

Example: "Hello World" → c6b2498c30e92d69a54f3e9dd8cc1ee0d3b21b9512041988f48eb3be75f461a9

Supported for: STRING_ENTRY, DATE_ENTRY

Uppercase SHA-256 Hash

ANSWER_TO_UPPERCASE_HASH_SHA_256_HEX - Answer converted to uppercase, then hashed with SHA-256 and HEX encoded.

Example: "Hello World" → "HELLO WORLD" → 787ec76dcafd20c1908eb0936a12f91edd105ab5cd7ecc2b1ae2032648345dff

Supported for: STRING_ENTRY, DATE_ENTRY
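The following is an added illustration, not Apata's code, of how the answer formats above and the Question Settings from the configuration section fit together: each submitted answer is encoded the same way the issuer encoded the stored answer (plain, SHA-256 hex, or uppercased then SHA-256 hex) and compared in constant time, then the "Number of Questions to Answer" and "Number Incorrect Permissible" rules decide the outcome, using the 3/2/1 worked example from the configuration section. The question objects follow the `kba` entry shape shown above; the sample questions and answers, the date string format, exact-match-after-trimming semantics for PLAIN_TEXT, and accepting either hex case from the issuer are assumptions.

```python
"""KBA answer checking and challenge scoring (added illustration, not Apata's code).

Assumes question objects shaped like the Card Link "kba" entry on the page
(question, type, answer, answerFormat) and the three answer formats the page
lists. PLAIN_TEXT comparison (exact match after trimming whitespace), the date
string format and all sample answers are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass

HASHED_FORMATS = {"HASH_SHA_256", "ANSWER_TO_UPPERCASE_HASH_SHA_256_HEX"}
# Per the page, hashed formats are only supported for these question types.
HASHABLE_TYPES = {"STRING_ENTRY", "DATE_ENTRY"}


def encode_answer(answer: str, answer_format: str) -> str:
    """Encode a raw answer the same way the issuer encoded the stored answer."""
    if answer_format == "PLAIN_TEXT":
        return answer
    if answer_format == "HASH_SHA_256":
        return hashlib.sha256(answer.encode("utf-8")).hexdigest()
    if answer_format == "ANSWER_TO_UPPERCASE_HASH_SHA_256_HEX":
        # Uppercase first, then hash: the comparison becomes case-insensitive.
        return hashlib.sha256(answer.upper().encode("utf-8")).hexdigest()
    raise ValueError(f"unknown answerFormat: {answer_format}")


def verify_answer(question: dict, submitted: str) -> bool:
    """True if the cardholder's answer matches the issuer-provided answer."""
    fmt = question["answerFormat"]
    if fmt in HASHED_FORMATS and question["type"] not in HASHABLE_TYPES:
        raise ValueError(f"{fmt} is not supported for {question['type']}")
    expected = question["answer"]
    actual = encode_answer(submitted.strip(), fmt)  # trimming is an assumption
    if fmt in HASHED_FORMATS:
        expected = expected.lower()  # accept upper- or lowercase hex (assumption)
    # Constant-time comparison so response timing does not reveal how many
    # leading characters of the hash (or plain answer) matched.
    return hmac.compare_digest(expected.encode("utf-8"), actual.encode("utf-8"))


@dataclass(frozen=True)
class KbaSettings:
    """The 'Question Settings' fields from the configuration table."""
    questions_to_answer: int
    incorrect_permissible: int
    ttl_seconds: int = 300


def settings_are_consistent(settings: KbaSettings, total_questions: int) -> bool:
    """The page's rule: to_answer + incorrect_permissible must not exceed the total."""
    return (settings.questions_to_answer + settings.incorrect_permissible
            <= total_questions)


def evaluate_challenge(questions: list, submitted: list, settings: KbaSettings) -> bool:
    """Apply 'Number of Questions to Answer' and 'Number Incorrect Permissible'.

    Unanswered questions count as incorrect.
    """
    if not settings_are_consistent(settings, len(questions)):
        raise ValueError("questions_to_answer + incorrect_permissible exceeds total")
    correct = 0
    for i, question in enumerate(questions):
        answer = submitted[i] if i < len(submitted) else ""
        if verify_answer(question, answer):
            correct += 1
    incorrect = len(questions) - correct
    return (correct >= settings.questions_to_answer
            and incorrect <= settings.incorrect_permissible)


# Constructed sample set: one question in each of the three answer formats.
SAMPLE_QUESTIONS = [
    {"question": "What is your favourite colour?", "type": "STRING_ENTRY",
     "answer": "blue", "answerFormat": "PLAIN_TEXT"},
    {"question": "What is your date of birth?", "type": "DATE_ENTRY",
     "answer": encode_answer("1990-01-15", "HASH_SHA_256"),
     "answerFormat": "HASH_SHA_256"},
    {"question": "In which town were you born?", "type": "STRING_ENTRY",
     "answer": encode_answer("Springfield", "ANSWER_TO_UPPERCASE_HASH_SHA_256_HEX"),
     "answerFormat": "ANSWER_TO_UPPERCASE_HASH_SHA_256_HEX"},
]
# The configuration section's worked example: 3 presented, 2 required, 1 miss allowed.
SAMPLE_SETTINGS = KbaSettings(questions_to_answer=2, incorrect_permissible=1)


if __name__ == "__main__":
    passed = evaluate_challenge(
        SAMPLE_QUESTIONS, ["blue", "1990-01-15", "shelbyville"], SAMPLE_SETTINGS)
    print("challenge passed" if passed else "challenge failed")
```

Note that the uppercase format is the only one of the three under which "springfield" and "Springfield" both verify; with HASH_SHA_256 the issuer's stored digest fixes the exact case and spelling the cardholder must reproduce, which is why the page's two hashed formats are offered only for string and date entry rather than for select-type questions.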


Common Use Cases

Second Factor Authentication

KBA is commonly used as a second factor:

  • SMS OTP (possession) + KBA (knowledge)
  • OOB (possession/inherence) + KBA (knowledge)

Fallback Method

KBA can serve as a fallback when other methods fail:

  • If Behavioural Biometrics fails → fall back to KBA
  • If OOB fails → fall back to KBA

Related Topics

  • Card Link – Provide KBA questions and answers
  • Challenge Profile – Combine KBA with other methods
  • Challenge Interface – Customise the question display
  • SCA – Strong Customer Authentication requirements