Knowledge-based authentication — security questions — assumes that only the real account holder knows the answers. That assumption broke a long time ago.
The answers aren’t secret anymore
The information behind most security questions is now trivially available:
- Years of breaches have exposed billions of records, including the exact details institutions ask about.
- Social media volunteers the rest — pets, schools, hometowns, family names.
- Fraudsters buy and trade pre-packaged identity profiles, answers included.
They’re slow and they frustrate good members
Security questions punish the legitimate caller most. People forget how they spelled an answer years ago, get locked out, and end up frustrated with your call center — while a prepared fraudster breezes through.
A better model: something they are
Modern authentication leans on signals that can’t be googled: the member’s voiceprint, the device they’re calling from, and behavioral patterns — combined with a One-Time Passcode when you want a second factor.
Confirm lets you set the minimum verification required, with or without OTP, and layer in voice biometrics so identity is confirmed by who the caller is, not what they can recite.
Still relying on knowledge-based questions? We’ll help you map a stronger flow that satisfies FFIEC guidance without slowing your agents down.
See Confirm running in your core.
Tell us about your institution and we’ll get back to you within 24 hours.