How Knowledge Based Verification (KBV) Works
Knowledge-based verification (KBV) is a technique commonly used in remote identity proofing. Individuals are asked to prove that they are who they claim to be by answering a series of questions about their life history. KBV is often a required step before granting access to an application that holds sensitive data or to an account that controls financial transactions. Typical uses include:
- Government Websites – To claim benefits such as health care, unemployment, nutrition assistance, and other social welfare programs.
- Financial Institution Websites – To enroll in or apply for loans, credit cards, bank accounts, investment plans, and insurance policies.
- Healthcare Websites – To schedule appointments, view lab results, request prescription refills, join telemedicine sessions, and access medical records.
- Telecom Accounts – To replace a lost phone, access online accounts, or port a phone number to a different provider.
Personally Identifiable Information (PII) to Collect
Identity proofing is often performed at the beginning of an enrollment workflow, when a user’s personal details are captured. First, users are asked to provide a few pieces of personally identifiable information such as name, address, phone number, and date of birth. In some cases, the Social Security number may be requested as well. This personal data is used to find a unique match to the individual in authoritative records. There may be a few thousand people with common names such as “John Smith,” “Brian Johnson,” or “Maria Garcia” living in a large city. However, there should be only one with the unique combination of the personal attributes provided (e.g., name, address, date of birth, etc.).
Sources for KBV Questions
There are a number of commercial data providers that offer KBV questions and answers on demand, as a service, for prices of less than $1 per transaction. The three national credit reporting agencies (CRAs) – Experian, TransUnion, and Equifax – are among the largest providers of KBV. The CRAs maintain data files on several hundred million individuals that include information collected from banks and financial institutions, telecom and utility providers, and government records. Other large data service providers such as LexisNexis, NeuStar, and Acxiom offer KBV applications as well.
External vs Internal Data for KBV
Although most businesses use KBV questions and answers generated from external data sources such as public records and credit histories, there has been a movement to evaluate other options. With the volume of data breaches that have occurred in recent years, many companies no longer consider the data kept in credit files or public records to be confidential.
In recent years, some technology providers have introduced applications that generate questions and answers from internal data sources. For example, an existing bank customer who holds a credit card wants to apply for a car loan. The bank could use the knowledge it has acquired about the customer over the history of the relationship as the source of questions and answers to confirm the loan applicant’s identity. In theory, internally sourced data carries a lower risk of compromise than external data.
Multiple-Choice Questions and the KBV User Experience
Whether the questions are sourced from external or internal records, the process is the same. The business or government agency seeking to verify an individual’s identity passes the personally identifiable information it collected to a data or technology provider using an API. The provider attempts to match the individual in its records. If a match is found, a series of multiple-choice questions and answers specific to that individual is returned.
The end-user is presented with the questions one by one on the business’s or government agency’s website. Common knowledge tested in the questions includes past addresses, vehicle ownership, schools attended, mortgage details, and credit card accounts. Users who answer the questions successfully are assumed to be who they claim to be. Users who are not successful are denied immediate access and routed to alternate channels for identity proofing. Call centers are the most common alternative. In some cases, users may have to send identity documentation by mail or present it in person at an office location.
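The following Python sketch walks through the flow just described, from PII matching to question generation to scoring and routing. It is an added example, not code from the original page or from any data provider; the records, field names, question wording, the three-correct-answers threshold and the "route:call_center" outcome are all constructed for illustration, and the answer key is deliberately kept separate from the questions so that it is never shipped to the end-user's browser.

```python
import random

# Constructed sample of a data provider's file (fictional people and attributes).
RECORDS = [
    {"name": "John Smith", "dob": "1980-04-12", "address": "12 Elm St, Springfield",
     "prior_address": "7 Oak Ave, Shelbyville", "vehicle": "2015 Honda Civic", "lender": "First Bank"},
    {"name": "John Smith", "dob": "1980-04-12", "address": "99 Pine Rd, Capital City",
     "prior_address": "3 Birch Ln, Ogdenville", "vehicle": "2018 Ford Focus", "lender": "Metro Credit"},
    {"name": "Maria Garcia", "dob": "1975-09-30", "address": "5 Cedar Ct, Springfield",
     "prior_address": "40 Maple Dr, Springfield", "vehicle": "2020 Toyota Camry", "lender": "Valley Savings"},
]
MATCH_KEYS = ("name", "dob", "address")            # PII attributes used to locate the individual
QUESTION_FIELDS = {                                 # life-history facts turned into questions
    "prior_address": "Which of these addresses have you previously lived at?",
    "vehicle": "Which of these vehicles has been registered in your name?",
    "lender": "Which of these lenders holds your mortgage?",
}

def match_record(pii, records=RECORDS):
    """Return the one record matching every supplied PII attribute; None if zero or several match."""
    hits = [r for r in records
            if all(r.get(k) == v for k, v in pii.items() if k in MATCH_KEYS)]
    return hits[0] if len(hits) == 1 else None

def generate_questions(record, records=RECORDS, seed=0):
    """Build multiple-choice questions for the matched record.
    Returns (questions for the end-user, answer key). The key stays with the provider
    or on the server side; it is never sent to the browser with the questions."""
    rng = random.Random(seed)                       # seeded only to make the example reproducible
    questions, answer_key = [], []
    for field, text in QUESTION_FIELDS.items():
        # Distractors come from other individuals' records so the wrong choices look plausible.
        distractors = sorted({r[field] for r in records if r is not record and r[field] != record[field]})
        choices = [record[field]] + distractors[:3]
        rng.shuffle(choices)
        questions.append({"text": text, "choices": choices})
        answer_key.append(record[field])
    return questions, answer_key

def evaluate(answer_key, responses, min_correct):
    """Score the end-user's responses; return 'verified' or the alternate channel to route to."""
    correct = sum(1 for key, resp in zip(answer_key, responses) if key == resp)
    return "verified" if correct >= min_correct else "route:call_center"

if __name__ == "__main__":
    applicant = {"name": "John Smith", "dob": "1980-04-12", "address": "12 Elm St, Springfield"}
    record = match_record(applicant)                # unique match on name + DOB + address
    qs, key = generate_questions(record)
    for q in qs:
        print(q["text"], q["choices"])
    print(evaluate(key, key, min_correct=3))        # all correct -> verified
```

Note that name and date of birth alone match two "John Smith" records here, so `match_record` returns None and the applicant is routed to an alternate channel rather than being quizzed on the wrong person's history.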