Knowledge-Based Verification

Knowledge-Based Verification (KBV) is a strategy for verifying identities based on knowledge of private information associated with the claimed identity. It is also referred to as knowledge-based authentication (KBA) or knowledge-based proofing (KBP). KBV is practiced regularly whenever users answer the security questions set up on their accounts to verify their identity. KBV is used as a fraud prevention strategy to stop account takeover by cybercriminals, serving as an additional safeguard alongside strong passwords and two-factor authentication. Common examples of knowledge-based verification questions include:

  • Which of the following retail credit cards do you have?
  • What was your first pet’s name?
  • What state did you reside in during 2020?
  • What is your mother’s maiden name?
  • What middle school did you attend?

Depending on the type of account you’re trying to get into, you’ll see different questions. Banking, credit card, or other accounts that involve financial information often ask very specific questions (residency, credit information, etc.) that you haven’t set up yourself. Other standard accounts (social media, email, etc.) typically ask simple questions about family and/or personal history that you entered yourself when creating the account.

What does this mean for an SMB?

CyberHoot always recommends that if you’re completing KBV-type questions, you store the answers in a password manager. Secondly, and this is important, make up the answers so that no one could research your KBV question and find the name of your first pet on social media. Store the fake answer in your password manager. We quite enjoy making up fictitious answers to questions like “What is your mother’s tastiest meal?” Answer: Jellyfish Sandwiches!
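The two halves of that advice, generating an answer nobody can research and then checking it safely, can be shown in a short script. This is an added example, not CyberHoot’s code or any password manager’s: it builds a random multi-word fictitious answer (the way a password manager’s generator would), and, on the verifying side, stores only a salted PBKDF2 hash of the normalized answer, compares in constant time, and locks the question after three wrong tries. The word list, the iteration count and the three-attempt limit are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed word list (assumption): any large list works; a password
# manager's generator is the practical equivalent for an end user.
WORDS = ["jellyfish", "sandwich", "granite", "umbrella", "copper", "meadow",
         "violin", "lantern", "harbor", "cactus", "pepper", "orbit"]

PBKDF2_ROUNDS = 100_000   # assumption: tune to your hardware
MAX_ATTEMPTS = 3          # assumption: lockout threshold for the question


def make_fictitious_answer(n_words: int = 3) -> str:
    """Build an answer that has no connection to the user's real history,
    e.g. 'lantern cactus meadow', using a CSPRNG so it cannot be guessed
    from social media or public records."""
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))


def normalize(answer: str) -> str:
    """Fold case and whitespace so 'Jellyfish  Sandwiches' and
    'jellyfish sandwiches' verify the same; the user should not be
    locked out over a stray space or capital letter."""
    return " ".join(answer.strip().lower().split())


def enroll(answer: str) -> dict:
    """Store the KBV answer the way a password is stored: a per-answer
    random salt plus a slow hash, never the plaintext answer."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(),
                                 salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest, "attempts_left": MAX_ATTEMPTS}


def verify(record: dict, candidate: str) -> bool:
    """Check a submitted answer against the stored record.
    Every attempt, right or wrong, consumes one try; a correct answer
    resets the counter; once the counter hits zero the question is
    locked and nothing verifies until an out-of-band reset."""
    if record["attempts_left"] <= 0:
        return False
    record["attempts_left"] -= 1
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(),
                                 record["salt"], PBKDF2_ROUNDS)
    # Constant-time comparison avoids leaking how many bytes matched.
    ok = hmac.compare_digest(digest, record["digest"])
    if ok:
        record["attempts_left"] = MAX_ATTEMPTS
    return ok


if __name__ == "__main__":
    fake = make_fictitious_answer()
    rec = enroll(fake)
    print("fictitious answer to store in your password manager:", fake)
    print("verify correct answer:", verify(rec, fake.upper()))
    print("verify wrong answer:  ", verify(rec, "Fluffy"))
```

Note what the service never keeps: the answer itself. If the question database leaks, an attacker gets salted slow hashes of random phrases rather than a list of pets’ names that could be cross-checked against the victims’ social media.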

Using KBV techniques helps protect critical accounts. However, it is vital that you have two-factor authentication in place as well.

You or your company needs to take proactive measures today to reduce your chances of being a victim of a cyberattack. CyberHoot recommends the following best practices to prepare for, limit damages, and sometimes avoid attacks:

  • Adopt two-factor authentication on all critical Internet-accessible services
  • Adopt a password manager for better personal/work password hygiene
  • Require 14+ character passwords in your governance policies
  • Follow a 3-2-1 backup method for all critical and sensitive data
  • Train employees to spot and avoid email-based phishing attacks
  • Check that employees can spot and avoid phishing emails by testing them
  • Document and test Business Continuity Disaster Recovery (BCDR) plans
  • Perform a risk assessment every two to three years

Source: NIST Glossary