Knowledge-Based Verification is no longer fit for purpose — here are three reasons why
Sep 12
Knowingly Broken Verification is as old as history. It’s time to put it in the bin.
We need to prove who we are to do all sorts of things: signing in to financial accounts, using government services, changing a phone contract.
The most common way we do this is with knowledge-based verification (KBV), also known as knowledge-based authentication.
KBV is based on the idea that someone can prove their identity by sharing some information they know.
It’s been widely used since antiquity. If you were hanging around the banks of the Jordan circa 1300 BC, knowing the “right” way to say shibboleth was a matter of life or death.
Centuries later, the Roman army used watchwords during night patrols to tell friend from enemy. (We’ll be coming back to this.)
KBV might be as old as time, but it’s omnipresent today. It’s the principle behind username and password verification, which shows no sign of going away.
The problem is that KBV is a terrible way to verify people’s identity. There are three main reasons why:
It’s awful to use
It isn’t secure
It excludes too many people
Let’s take those one at a time.
KBV is awful to use
A Roman watchword was a great way to avoid the business end of a javelin — until you forgot what it was. A single word is quite easy to remember. But how about details from the misty past?
Today, government, health, financial and other services ask for all sorts of things to prove who you are.
Things like:
Where you’ve lived in the past
Who you applied for a credit card with
How much is left on your mortgage
When your mobile phone contract expires
Here’s an example:
This is a question I was recently posed when trying to access TransUnion. I’m not singling them out. These sorts of questions are everywhere. It just happens to be the one I’ve seen most recently.
Some people might remember this sort of information. Many don’t — and I’m one of them. If I took out a store card in June 2019, the chances are I’d lost it by the end of April 2020. It was then that, at peak lockdown boredom, I cleared out my entire flat starting with my purse.
For me, this was a dreadful user experience. It’s anxiety-inducing to be asked a question you don’t know the answer to. Should I guess? What happens if I fail?
According to the principles of KBV, if I forget the answer to this question, apparently I am no longer me, and I can’t use the service. That’s not just a bad user experience — it’s a broken one.
If your service uses KBV questions like these, accessing your services can be much harder than it needs to be.
KBV isn’t secure
From the perspective of a Roman legionary, even worse than forgetting a watchword is letting the enemy find it out — and using it.
We’ve all enjoyed listicles about the worst passwords to use. But your customers’ private data can be compromised through no fault of their own. It can be exposed when a service, and the digital infrastructure it’s built on, is attacked and accessed illegally.
This happens so frequently that “data breach” has entered the lexicon. Breaches often expose customer or user data, which can then be shared on the dark web, or sold to anyone willing to pay.
Over the last decade or so, there have been a number of high-profile data breaches.
One of the largest was Equifax’s 2017 data breach, which exposed the data of 14 million UK customers. Names, dates of birth, phone numbers, addresses and credit card information were accessed.
In the same year, a Dixons Carphone breach saw 14 million personal records exposed.
And in May 2020, EasyJet was breached, affecting the data of 9 million customers.
But the headline-grabbing cases are the tip of the iceberg. According to IT Governance, the year 2023 saw more than 8 billion records exposed in 2,814 incidents. And breaches are only becoming more common.
Crucially, the information exposed in a data breach is often the same information people use to prove their identity to an important service at a KBV check. In the wrong hands, it can be used to illegally access important services by posing as someone else — often with a view to committing fraud.
Data breaches aren’t only a problem for the services breached, or their customers. They’re a problem for any service which holds the same information.
It’s easy for a well-informed customer to use a different password for every service. It’s harder to use a different date of birth — especially when the law requires them to tell the truth.
If your service uses KBV, you’re potentially opening the door to criminals who can pose as a legitimate customer through information exposed in a breach. That’s true, even if the breach was with a completely different organisation.
KBV excludes too many people
Fortunately for them, the Romans didn’t have to worry about credit history. But today, it poses big problems for KBV and inclusivity.
Although a credit file isn’t itself KBV, many of the questions users are asked work on the assumption that the customer has a significant credit history.
But in the UK, 20.2 million people are financially underserved, meaning they may have little to no information on their credit report.
This disproportionately affects people from any number of groups, including:
Young adults
People who haven’t been able to buy a home
Recent immigrants
People in low-income work who might not have access to affordable credit
People who have had periods of time without a fixed address
Older women who would not have been able to open a bank account without their husband or father giving permission
People from these groups, and others in similar situations, are potentially locked out of any services that use KBV to identify their customers and users.
And KBV is getting left further behind by modern trends. Fewer people are choosing to use traditional financial services, or take out a mortgage — actions that would build a credit file over time.
As more vital services become digital by default, identity verification needs to be as inclusive as possible. If your service clings on to KBV, it will increasingly leave people behind.
There is a better, fairer way
None of these weaknesses are secrets. That’s why we jokingly call KBV knowingly broken verification. It’s as old as the hills and no longer fit for purpose.
To make verification more inclusive, it should be based on something everyone has, not something that many people don’t.
This is the reason Vouchsafe uses biometric verification. Anyone with access to a computer with a webcam, or a mobile device, can use Vouchsafe to verify who they are with a video selfie.
With biometric vouching, it doesn’t matter if the user doesn’t have a passport or driving licence. Or a bank account or credit card. Or a mobile phone or mortgage. They can ask for help from a referee who can prove their own identity, and vouch for the user’s.
It’s time to recognise KBV for what it is: outmoded technology. It was the best the Romans could do. We can do better. And we must, if we’re going to make essential services secure, easy to use, and accessible to everyone.