Knowledge-based verification: is it state-of-the-art?
Venn Factory: The Workshop
SubscribeSign in
Knowledge-based verification: is it state-of-the-art?<br>Testimony to the Vermont House Committee on Commerce and Economic Development
Eve Maler<br>Mar 12, 2026
Share
This week I had an exciting new experience: testifying to a state legislative committee. The Vermont House of Representatives is working on a bill (H. 211 - an act relating to data brokers and personal information ) addressing a modern question: how to protect consumers’ personal data given the realities of the data monetization ecosystem? I met Vermont State Rep. Monique Priestley through a kind recommendation from Internet Safety Labs’ executive director Lisa LeVasseur, and Rep. Priestley asked me to help educate the House Committee on Commerce and Economic Development about identity verification. Following is a rough testimony transcript. The recording is here, and the resources I referenced are here.
Subscribe
Thank you Chair Marcotte, Vice Chair Graning, and members of the committee.<br>My name is Eve Maler.<br>I’m the founder and president of digital identity advisory firm Venn Factory and author of the forthcoming book Mastering Digital Identity: From Risk to Revenue .<br>I’ve been in the digital identity sector since the year 2000, when I worked with colleagues across the industry to start and run the committee that designed the SAML standard — Security Assertion Markup Language, the first open standard for single sign-on across business entities.<br>Most recently I was Chief Technology Officer of ForgeRock, an identity and access management platform provider serving banks, government agencies, healthcare providers and payers, and many others.<br>In 2016 I testified to the API Privacy and Security Task Force of the US Health and Human Services Office of the National Coordinator.<br>I want to thank Representative Priestley for sharing some questions with me ahead of time to ensure I addressed issues of concern.<br>Let me start with some background on Know Your Customer, or KYC.<br>KYC is a legal requirement under the Bank Secrecy Act.<br>It obliges financial institutions to confirm the real-world identity of their customers — in other words, to establish that a person is who they say they are — before opening accounts or conducting transactions.<br>Its purpose is to prevent financial crime: money laundering, fraud, and the financing of illegal activity.<br>This is a real and important obligation.<br>In technical terms, what KYC requires is called identity verification, or IDV.<br>What it does not require is any particular method of verification.<br>A bank can satisfy its KYC obligations using a driver’s license scan, a biometric match against a passport, or a government-issued digital credential.<br>It can also use a quiz drawn from a data broker’s database — but that approach, known as knowledge-based verification, or KBV, is the one that federal security standards have now explicitly prohibited.<br>KBV questions look like: what street did you live on in 2010, what’s your mother’s maiden name, what was your first car?<br>All of that information exists in data broker databases — that’s where the questions come from.<br>I’ll come back to why that’s a problem.<br>The reason this distinction matters is that we’ve been hearing that financial institutions need broad access to data broker data for KYC.<br>That framing is accurate in the sense that KYC requires verification — but it conflates the legal obligation with one specific, outdated implementation choice.<br>KYC doesn’t require data broker data.<br>Some institutions have chosen to use data broker data for a particular approach to KYC.<br>That’s an approach that federal guidelines have moved away from.<br>And that move away is not the same thing as KYC being impossible without data brokers.<br>OK. Why does the National Institute of Standards and Technology no longer consider KBV to be strong evidence for identity verification?<br>If an institution is using KBV, it means they’re using an approach the federal government’s top technical standards body has formally abandoned.<br>In fact, NIST’s current guidelines, updated in 2025, now explicitly prohibit KBV for identity verification.<br>An institution still relying on it is behind the curve on security, not leading it.<br>If a financial institution is buying data broker data to perform KBV, what does that mean for the integrity of the verification process?<br>It means the supposed secret underlying the method isn’t secret anymore.<br>KBV works only if the answers are known to the applicant and no one else.<br>Data broker databases have been breached repeatedly — most dramatically in 2024, when a single breach allegedly exposed up to 2.9 billion records on an estimated 170 million people in the US, UK, and Canada.<br>If a fraudster can buy the same answers the verification system expects, the quiz doesn’t distinguish between the real person and an impostor.<br>Let’s look at the implications of KBV specifically on security. What does...