Knowledge-based authentication (Security Questions)
Knowledge-based authentication (KBA) is an identification and authentication method that verifies callers by prompting them to answer preconfigured questions across conversational AI channels, such as AI voice agents. KBA can be used to identify a caller, authenticate a caller, or both within the same interaction.
KBA validates answers against records in ServiceNow AI Platform tables. For callers whose data resides outside ServiceNow, admins can configure scripts to validate answers against external systems in real-time. External data is never imported or stored in ServiceNow AI Platform.
How KBA works
Identification locates the caller by matching their answer to a record in ServiceNow AI Platform or an external system. For example, a caller provides their business phone number, and the system finds a matching record. Identification runs once per session and establishes who the caller is before any sensitive interaction begins.
Authentication verifies that the caller is who they claim to be. The caller answers one or more questions, and the system validates those answers against stored or externally sourced data.
KBA questions can be configured for identification, authentication, or both phases, depending on admin configuration.
External source validation
When caller data is not stored in ServiceNow AI Platform, admins can configure a custom script on an answer record to validate the caller's response against an external system, such as a CRM or order management platform. The script receives the caller's answer as input and returns a match result.
- For identification, the script returns the matched record.
- For authentication, the script returns a true or false result.
Script execution is limited to 15 seconds by default. For the related configuration properties, see System Properties.
Context persistence
Starting with the "nowassist-aia-voice" version 5.0.3 release, answers collected during identification and authentication are persisted as session context and are available to subsequent authentication questions. This means a caller does not have to repeat information they already provided. For example, if a caller provides a booking reference during identification, that value is accessible to authentication scripts without prompting the caller again.
Key strengths
- No additional device or internet connectivity is required.
- Familiar to most users.
Limitations
- KBA relies on information the caller knows, which can be guessed, obtained from public records, or exposed through social engineering.
- KBA is not recommended as the sole verification method for sensitive operations.
- KBA is best suited for low-risk scenarios, such as general IT support or public documentation access.
For detailed configuration instructions, see: