Knowledge-based authentication (Security Questions)

  • Release version: Australia
  • Updated March 12, 2026

    Knowledge-based authentication (KBA) is an identification and authentication method that verifies callers by prompting them to answer preconfigured questions across conversational AI channels, such as AI voice agents. KBA can be used to identify a caller, authenticate a caller, or both within the same interaction.

    KBA validates answers against records in ServiceNow AI Platform tables. For callers whose data resides outside ServiceNow, admins can configure scripts to validate answers against external systems in real time. External data is never imported or stored in ServiceNow AI Platform.

    How KBA works

    Identification locates the caller by matching their answer to a record in ServiceNow AI Platform or an external system. For example, a caller provides their business phone number, and the system finds a matching record. Identification runs once per session and establishes who the caller is before any sensitive interaction begins.

    Authentication verifies that the caller is who they claim to be. The caller answers one or more questions, and the system validates those answers against stored or externally sourced data.

    KBA questions can be configured for identification, authentication, or both phases, depending on admin configuration.

    External source validation

    When caller data is not stored in ServiceNow AI Platform, admins can configure a custom script on an answer record to validate the caller's response against an external system, such as a CRM or order management platform. The script receives the caller's answer as input and returns a match result.

    • For identification, the script returns the matched record.
    • For authentication, the script returns a true or false result.

    Note:
    Only snc_external users can be authenticated using an external source.

    Script execution is limited to 15 seconds by default. To learn more about the configuration properties, see System Properties.

    Context persistence

    Starting with the "nowassist-aia-voice" version 5.0.3 release, answers collected during identification and authentication are persisted as session context and are available to subsequent authentication questions. This means a caller does not have to repeat information they already provided. For example, if a caller provides a booking reference during identification, that value is accessible to authentication scripts without prompting the caller again.

    Note:
    Context persistence is available only for scripted answers; it does not capture non-scripted answer responses.
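The two script shapes from "External source validation" (identification returns the matched record, authentication returns true or false) and the context hand-off from "Context persistence", as an added example in plain JavaScript that is not ServiceNow's script API. The function names, the session object, the normalisation rules and the order data are all assumptions.

```javascript
// Added example, not ServiceNow's own code: models an identification script,
// an authentication script and the session context shared between them.
// Names, the session shape and the data below are assumptions.

// Constructed stand-in for an external order system. In the real design this
// data stays in the external system and is never imported into ServiceNow.
const EXTERNAL_ORDERS = [
  { bookingRef: "BK7Q2X", businessPhone: "+61 2 9000 0001" },
  { bookingRef: "BK9M4Z", businessPhone: "+61 3 9000 0002" },
];

function newSession() {
  return { identified: null, context: {} };
}

// Accept the spoken/typed variants a voice channel produces.
function normaliseRef(s) {
  return String(s).replace(/\s+/g, "").toUpperCase();
}
function normalisePhone(s) {
  return String(s).replace(/\D/g, "").replace(/^61/, "0"); // assumes AU numbers
}

// Identification script: caller's answer in, matched record out (null if none).
// Runs once per session; the matched reference is persisted as session context.
function identifyByBookingRef(answer, session) {
  if (session.identified) return { bookingRef: session.identified };
  const ref = normaliseRef(answer);
  const rec = EXTERNAL_ORDERS.find((r) => r.bookingRef === ref) || null;
  if (!rec) return null;
  session.identified = rec.bookingRef;
  session.context.bookingRef = rec.bookingRef; // reused by later questions
  return { bookingRef: rec.bookingRef }; // return the key only, not the whole record
}

// Authentication script: caller's answer in, strictly true or false out.
// Reads the booking reference from session context rather than re-prompting.
function authenticateByPhone(answer, session) {
  const ref = session.context.bookingRef;
  if (!ref) return false; // fail closed if identification has not run
  const rec = EXTERNAL_ORDERS.find((r) => r.bookingRef === ref);
  return !!rec && normalisePhone(rec.businessPhone) === normalisePhone(answer);
}
```

The authentication script never reveals the stored phone number; it only reports whether the caller's answer matched.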

    Key strengths

    • No additional device or internet connectivity is required.
    • Familiar to most users.

    Limitations

    • KBA relies on information the caller knows, which can be guessed, obtained from public records, or exposed through social engineering.
    • KBA is not recommended as the sole verification method for sensitive operations.
    • KBA is best suited for low-risk scenarios, such as general IT support or public documentation access.

    For detailed configuration instructions, see: