What is Knowledge Based Verification (KBV)?


Knowledge-based verification (KBV) is a technique commonly used in remote identity proofing. Individuals are asked a series of multiple-choice questions based upon their life history to prove that they are who they claim to be. KBV is a step often required before granting access to an application with sensitive data or an account that controls financial transactions. KBV is most often used for online identity proofing before providing access to a website or application. However, it can be used in call centers as well to prove someone’s identity before making changes to an account or releasing sensitive data.

Examples of When Knowledge Based Verification is Used

Examples of real-world situations that might involve the use of KBV include:

  • Opening a bank account
  • Requesting a college transcript
  • Applying for government benefits
  • Replacing a stolen cellphone
  • Completing a life insurance application

How Knowledge Based Verification Works

With KBV, users are asked to answer a series of questions, the answers to which should be known only to them. The questions are generated from data compiled from credit history and public records. Examples of the knowledge tested in the questions might include past addresses, vehicle ownership, schools attended, mortgage details, and credit card accounts. A number of commercial service providers offer KBV questions and answers as a service. The most notable include the three National Credit Reporting Agencies: Experian, TransUnion, and Equifax.

Stolen Wallet

KBV is sometimes referred to as “out of wallet” questions, because the user must possess knowledge that could not be obtained from a stolen wallet.  The types of questions asked in a KBV quiz cannot be ascertained by a fraudster even if they gained possession of an individual’s driver’s license, social security card, and credit cards from their wallet.

Criticisms of Knowledge Based Verification

KBV became extremely popular on the Internet as an identity proofing technique between 2005 and 2015.  Businesses and government organizations viewed KBV as having a sufficient level of fraud protection that did not add excess friction to the customer experience.  However, KBV has been the target of a significant amount of criticism over the past 10 years due to its susceptibility to fraud.  Numerous data breaches at the National Credit Reporting Agencies and other data sources used to generate the questions have been announced, leading security experts to believe that the answers have been compromised.

A number of government agencies, industry analysts, and standards organizations have recommended that organizations discontinue the use of KBV for applications with sensitive data. Most notably, the most recent Digital Identity Guidelines published by the National Institute of Standards, a division of the US Department of Commerce, have effectively prohibited KBV for identity proofing of sensitive applications.

More Information about Knowledge Based Verification

Knowledge Based Authentication Breached Big Time (Gartner)

US Government Accountability Office Study – Federal Agencies Need to Strengthen Online Identity Verification Processes

Michigan Department of Health and Human Services Knowledge Based Verification Study

Why the Industry is Moving Away from Knowledge Based Authentication