This guide explains when and how to use knowledge-based authentication to confirm a user’s identity.
Meeting the Digital Service Standard
To pass point 13 (make the user experience consistent with GOV.UK) in your service assessments, you must use GOV.UK design patterns and guidance.
Read the guide on using, adapting and creating patterns before you start designing or building anything.
When to use knowledge-based authentication
Knowledge-based authentication should only be used when you need to confirm someone’s identity. It’s intended mainly for use by identity verification partners working with GOV.UK Verify.
Use knowledge-based authentication to confirm someone’s identity by asking them a series of questions that only they are likely to know the answer to.
Their answers should be compared to your data, which must be from a reliable source (for example, their bank).
Call it an ‘identity test’
Be honest about the purpose of any questions you ask users and reassure them by explaining where the data has come from.
If you’re using data from someone’s credit history, reassure them that their credit rating won’t be affected by the process.
Make the identity test easy to use
Write in plain English and stick to one question on each page.
If you’re naming financial or other institutions, use their commonly known name.
If you’re asking users to choose from multiple options, show a set of radio buttons rather than hiding them in a drop-down list.
Don’t reveal right or wrong answers
Revealing answers that are wrong allows fraudsters to learn the correct answers by trial and error.
For the same reason, don’t stop asking questions as soon as the user passes or fails.
Don’t use National Insurance numbers
Using National Insurance numbers to verify a user’s identity can leave your users and your service at risk of fraud. Find out how to protect your service against fraud if you currently use National Insurance numbers to verify identity.
Discuss knowledge-based authentication
You may also find these guides useful: