TL;DR: Knowledge-based authentication fails under modern threat models because answers are static, learnable, and replayable, while breaches, OSINT, and coached social engineering make them easy to obtain, according to Scramble ID. Replacing KBA means replacing human judgment with session-bound cryptographic proof, because the old trust model assumes a secret still exists when attackers have already learned it.
NHIMG editorial — based on content published by Scramble ID: KBA Is Dead (Contact Center Playbook)
Questions worth separating out
Q: What should replace KBA in high-risk contact-centre recovery flows?
A: High-risk recovery should use session-bound cryptographic proof, not spoken answers or subjective agent judgement.
Q: Why do security questions fail in account recovery?
A: Security questions fail because the answers are often public, inferred, or already stolen in breaches.
Q: What breaks when callers can fall back to old verification methods?
A: The migration fails because attackers target the bypass, not the primary control.
Practitioner guidance
- Remove security questions from high-risk recovery flows: delete KBA from password reset, payout change, SIM swap, and account recovery paths where a successful answer can trigger a sensitive action.
- Bind verification to a trusted device and live session: use a short-lived challenge confirmed in a registered app so the result is tied to the active call and cannot be replayed later.
- Eliminate silent fallback paths: disable any agent script or IVR branch that sends callers back to old questions, caller ID trust, or an email-link bypass when primary verification fails.
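To make "short-lived, session-bound, non-replayable" concrete, here is an added illustration (not code from Scramble ID or NHIMG) of the verification step the second point describes: the server issues a nonce bound to the live call and the registered device, the app proves possession of its enrolment key over that nonce plus the call's session id, and the server accepts the proof once, before expiry, with a cap on wrong codes rather than an open retry loop. The per-device HMAC key, the 120-second TTL and the three-attempt cap are assumptions standing in for whatever the real app and policy use.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 120  # assumed lifetime of one challenge
MAX_ATTEMPTS = 3             # assumed cap on wrong proofs per challenge

class SessionBoundVerifier:
    # One-time challenge bound to a live call and a registered device: accepted once, before expiry.
    def __init__(self, device_keys, now=time.time):
        self.device_keys = device_keys  # device_id -> HMAC key bytes set at enrolment (assumed)
        self.now = now                  # injectable clock so expiry is testable
        self.pending = {}               # nonce -> {session, device, expires, attempts}
        self.consumed = set()           # nonces already accepted or exhausted

    def issue_challenge(self, session_id, device_id):
        if device_id not in self.device_keys:
            raise KeyError("device not registered for this account")
        nonce = secrets.token_hex(16)
        self.pending[nonce] = {"session": session_id, "device": device_id, "attempts": 0,
                               "expires": self.now() + CHALLENGE_TTL_SECONDS}
        return nonce

    @staticmethod
    def device_sign(key, session_id, nonce):
        # The app signs session id + nonce, so a proof captured on one call is useless on another.
        return hmac.new(key, f"{session_id}|{nonce}".encode(), hashlib.sha256).hexdigest()

    def verify(self, session_id, device_id, nonce, proof):
        entry = self.pending.get(nonce)
        if entry is None or nonce in self.consumed:
            return False  # unknown challenge, or a replay of a finished one
        if self.now() > entry["expires"]:
            self._consume(nonce)
            return False  # stale challenge: the agent must issue a fresh one
        if entry["session"] != session_id or entry["device"] != device_id:
            return False  # proof presented on the wrong call or from the wrong device
        expected = self.device_sign(self.device_keys[device_id], session_id, nonce)
        if not hmac.compare_digest(expected, proof):
            entry["attempts"] += 1
            if entry["attempts"] >= MAX_ATTEMPTS:
                self._consume(nonce)  # too many wrong codes: no silent retry loop
            return False
        self._consume(nonce)  # success is single-use
        return True

    def _consume(self, nonce):
        self.pending.pop(nonce, None)
        self.consumed.add(nonce)
```

Anything that cannot pass `verify` for the current call should route to the higher-assurance exception path rather than to a question script.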
What's in the full article
Scramble ID's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step caller and agent scripts for replacing security questions in live recovery flows.
- Fallback and exception handling patterns for customers who cannot use the primary app-based verification path.
- Metrics to track during a KBA migration, including wrong-code rates, retry behaviour, and verification latency.
- Examples of safer recovery patterns for higher-risk cases, such as callback, in-person, and mailed verification.
Explore further
KBA is a stale governance control, not a durable identity signal. Knowledge-based authentication was designed for a world where personal facts were hard to collect and easy to trust. That assumption fails when breaches and OSINT make the answer set public or inferable. The implication is that contact-centre identity governance must stop treating remembered facts as proof and start treating them as exposed data.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: Who is accountable when a recovery workflow enables account takeover?
A: Accountability sits with the programme owner that allowed a low-assurance recovery path to remain in production. The relevant controls are governance, auditability, and exception management, not just technology. If a recovery flow can change credentials or factors, it should be treated as a privileged workflow with documented oversight.