Excellent advice all around - here's a trick I use for KBA
Thanks for this great article. I'm glad NIST is leading the way on this.
My biggest complaint about well-meaning security policies is exactly what you're saying here: they're so damn complex and annoying that they actually encourage bad password practices. Stop the madness!
One trick I use (besides a password manager) is regarding KBA. As you say, most of the answers to security questions can be found on social media or through simple web searches. My solution? Fake it. I created a fictional "life" and use that information. You only need a few pieces of information (stored securely in an encrypted password manager lest you forget): a male and a female name (for any person variant), a car model, two wild cards (one for city/school/street and one for school mascot/pet/etc.), and perhaps one random word for more obscure questions. Make them memorable but wholly unrelated to your life and I think it's a pretty secure alternative if you need to create these security questions. If you use a password manager you could even go a step further and use unique fake answers for each account. You might get a free tin foil hat for doing that. :)
Hopefully MFA will become ubiquitous very soon and make even this little trick obsolete.
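Added example, not code from the commenter or the article: one way to run the "fictional life" trick with unique answers per account while only having to store a single master secret in the password manager. Each fake fact is derived with HMAC-SHA256 from the master secret, the account name and the question category, so the same inputs always reproduce the same answer. The word lists, the keyword-to-category map and the account names are constructed for illustration and are assumptions, not anything the comment specifies.

```python
import hashlib
import hmac

# Constructed sample word lists (illustration only). Choose words you find
# memorable but that have nothing to do with your real life.
WORDLISTS = {
    "male_name":   ["Bartholomew", "Ignatius", "Leopold", "Thaddeus", "Cornelius", "Percival"],
    "female_name": ["Wilhelmina", "Ottoline", "Persephone", "Theodora", "Clementine", "Marigold"],
    "car_model":   ["Zephyr", "Corvair", "Borgward", "Tatra", "Trabant", "Studebaker"],
    "place":       ["Tumbleweed", "Crowsnest", "Halfmoon", "Juniper", "Blackwater", "Kettle"],
    "mascot_pet":  ["Walrus", "Pangolin", "Newt", "Wombat", "Badger", "Tapir"],
    "wildcard":    ["Lantern", "Sextant", "Anvil", "Saffron", "Kelp", "Gravel"],
}

# Keyword -> category routing for a site's question. An assumed, illustrative
# map; extend it for the questions the sites you use actually ask.
QUESTION_KEYWORDS = {
    "mascot_pet":  ("pet", "mascot", "animal"),
    "car_model":   ("car", "vehicle"),
    "place":       ("city", "town", "school", "street", "born", "hospital"),
    "female_name": ("mother", "grandmother", "wife", "sister", "daughter", "maiden"),
    "male_name":   ("father", "grandfather", "husband", "brother", "best friend"),
}


def _pick(key: bytes, account: str, category: str, words: list) -> str:
    """Deterministically choose one word per (account, category) using HMAC-SHA256.

    Unlike random.choice(), re-running with the same master secret reproduces the
    answer, so only the secret needs to live in the password manager.
    """
    msg = f"{account}\x00{category}".encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Modulo bias on a 32-bit value is negligible for lists this short.
    return words[int.from_bytes(digest[:4], "big") % len(words)]


def derive_fake_life(master_secret: str, account: str = "") -> dict:
    """Return the fictional 'life' for one account.

    account="" yields the single shared persona the comment describes; passing a
    per-site account name yields unique fake answers for that site.
    """
    key = hashlib.sha256(master_secret.encode("utf-8")).digest()
    return {cat: _pick(key, account, cat, words) for cat, words in WORDLISTS.items()}


def answer_for(question: str, persona: dict) -> str:
    """Map a site's security question to the matching fake fact.

    Anything unrecognised falls back to the wildcard word, which covers the
    'one random word for more obscure questions' case.
    """
    q = question.lower()
    for category, keywords in QUESTION_KEYWORDS.items():
        if any(k in q for k in keywords):
            return persona[category]
    return persona["wildcard"]


def overlaps_with_real_life(persona: dict, real_facts: list) -> list:
    """Sanity check: flag any fake answer that coincides with a real fact about you.

    The whole point of the trick is that the answers are unrelated to your life,
    so a non-empty result means the word lists need editing.
    """
    real = {f.lower() for f in real_facts}
    return sorted(v for v in persona.values() if v.lower() in real)


if __name__ == "__main__":
    secret = "correct horse battery staple"      # the one value kept in the password manager
    shared = derive_fake_life(secret)            # shared persona for every site
    per_site = derive_fake_life(secret, "bank.example")   # assumed account name
    print("shared persona:", shared)
    print("bank.example pet:", answer_for("What was the name of your first pet?", per_site))
    print("overlaps:", overlaps_with_real_life(shared, ["Tumbleweed"]))
```

If you do use a different persona per account, record the exact account string you passed in alongside the site login; the derivation is only reproducible if that string is spelled the same way next time.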