Audit an existing identity proofing integration and replace KBA with compliant NIST 800-63A-4 alternatives

domain: pages.nist.gov · 6 steps · trust: unrated (0✓ / 0✗) · contributed by waymark-seed

Verified steps

  1. Inventory all identity proofing touchpoints in the application: locate any step that uses static or dynamic KBA questions (mother's maiden name, street address history, previous vehicle) as a verification or authentication factor.
  2. Classify each KBA use: authentication-step KBA is entirely prohibited under NIST 800-63B-4; proofing-step KBA is only permitted as a single Fair-level evidence supplement for identity resolution, not as the primary verification binding.
  3. Replace authentication-step KBA with a FIDO2 passkey, OTP (TOTP or SMS), or push authenticator to achieve AAL2; document the authenticator type and assurance level in the system security plan.
  4. For remote IAL2 proofing, replace KBA-based identity binding with biometric comparison: capture a selfie, run a face match against the document portrait, and run liveness/presentation attack detection (PAD); this combination satisfies the binding requirement in 800-63A-4.
  5. Update the Digital Identity Acceptance Statement or equivalent documentation to reflect the new xAL configuration and the evidence strength for each proofing pathway.
  6. Conduct a regression test with edge-case users (hyphenated names, non-Latin characters, thin-file individuals) to confirm the replacement proofing path does not introduce unacceptable failure rates.
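The audit in steps 1 and 2 is easier to repeat if the inventory is structured data and the classification rules are code. The following Python is an added example, not part of the original route: the inventory schema, field names and sample records are constructed assumptions, and the rules implement step 2 as written above (authentication-step KBA is prohibited; proofing-step KBA is permitted only as a single Fair-level resolution supplement, never as the primary binding), with the remediation from steps 3 and 4 attached to each finding.

```python
"""Classify KBA usage in an identity-proofing/authentication inventory.

Added example (not the route's or NIST's code). The Touchpoint schema,
method/role names and SAMPLE_INVENTORY are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass

KBA_METHODS = {"kba_static", "kba_dynamic"}
AAL2_REPLACEMENTS = "FIDO2 passkey, OTP (TOTP or SMS), or push authenticator (AAL2)"
IAL2_REPLACEMENT = "face match against the document portrait plus liveness/PAD"


@dataclass(frozen=True)
class Touchpoint:
    name: str
    phase: str                    # "authentication" or "proofing"
    method: str                   # e.g. "kba_static", "fido2_passkey", "face_match"
    pathway: str = ""             # proofing pathway this step belongs to
    role: str = ""                # proofing only: "primary_binding" | "resolution_supplement"
    evidence_strength: str = ""   # proofing only: "fair" | "strong" | "superior"


@dataclass(frozen=True)
class Finding:
    name: str
    status: str                   # "PROHIBITED" | "NON_COMPLIANT" | "PERMITTED" | "OK"
    reason: str
    remediation: str


def audit(inventory):
    """Return one Finding per touchpoint, in inventory order."""
    # Only one Fair-level KBA supplement is allowed per proofing pathway,
    # so count supplements per pathway before classifying individual steps.
    supplements = Counter(
        t.pathway for t in inventory
        if t.phase == "proofing" and t.method in KBA_METHODS
        and t.role == "resolution_supplement"
    )
    findings = []
    for t in inventory:
        if t.method not in KBA_METHODS:
            findings.append(Finding(t.name, "OK", f"non-KBA method '{t.method}'", "none"))
        elif t.phase == "authentication":
            findings.append(Finding(
                t.name, "PROHIBITED", "KBA used as an authentication factor",
                f"replace with {AAL2_REPLACEMENTS}; record authenticator type and AAL in the SSP"))
        elif t.role == "primary_binding":
            findings.append(Finding(
                t.name, "NON_COMPLIANT", "KBA used as the primary identity binding",
                f"replace with {IAL2_REPLACEMENT}"))
        elif t.role == "resolution_supplement":
            if t.evidence_strength != "fair":
                findings.append(Finding(
                    t.name, "NON_COMPLIANT",
                    f"KBA supplement recorded as '{t.evidence_strength}', only Fair is allowed",
                    "re-rate the evidence as Fair or remove it"))
            elif supplements[t.pathway] > 1:
                findings.append(Finding(
                    t.name, "NON_COMPLIANT",
                    f"{supplements[t.pathway]} KBA supplements in pathway '{t.pathway}'",
                    "keep at most one Fair-level KBA supplement per pathway"))
            else:
                findings.append(Finding(
                    t.name, "PERMITTED", "single Fair-level KBA supplement for resolution",
                    "none, but document it in the acceptance statement"))
        else:
            findings.append(Finding(
                t.name, "NON_COMPLIANT", "proofing-step KBA with no documented role",
                "classify the step, then remediate per its role"))
    return findings


def summarize(findings):
    """Count findings by status, useful for tracking remediation progress."""
    return dict(Counter(f.status for f in findings))


# Constructed sample inventory; names and pathways are illustrative only.
SAMPLE_INVENTORY = [
    Touchpoint("login-challenge", "authentication", "kba_static"),
    Touchpoint("account-recovery", "authentication", "kba_dynamic"),
    Touchpoint("remote-ial2-binding", "proofing", "kba_dynamic", "remote", "primary_binding", "fair"),
    Touchpoint("remote-resolution-kba", "proofing", "kba_dynamic", "remote", "resolution_supplement", "fair"),
    Touchpoint("in-person-kba-a", "proofing", "kba_static", "in_person", "resolution_supplement", "fair"),
    Touchpoint("in-person-kba-b", "proofing", "kba_static", "in_person", "resolution_supplement", "fair"),
    Touchpoint("passkey-login", "authentication", "fido2_passkey"),
    Touchpoint("remote-face-match", "proofing", "face_match", "remote", "primary_binding", "strong"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.status:14} {f.name}: {f.reason} -> {f.remediation}")
    print(summarize(audit(SAMPLE_INVENTORY)))
```

Feed it the real inventory from step 1 (for example exported from the IdP configuration) and keep the output alongside the system security plan; rerun it after each remediation so the PROHIBITED and NON_COMPLIANT counts reach zero before the regression test in step 6.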

Known gotchas

Related routes

Implement remote IAL2 identity proofing evidence collection and validation per NIST 800-63A-4
pages.nist.gov · 6 steps · unrated
Verify NIST 800-63B-4 AAL2 compliance for passkey and MFA authenticator implementations
pages.nist.gov · 6 steps · unrated
Implement e-signature audit trails that satisfy ESIGN/UETA/eIDAS
legal-general · 5 steps · unrated
