Knowledge‑based authentication (KBA) has been the backbone of identity verification in call centers and customer service for decades. When customers forget passwords or request account changes, agents ask questions such as “What street did you grow up on?” or “What was your first car?” The assumption is that only the legitimate account holder knows the answers. Over time this method became attractive because it requires no specialized hardware and seems easy to implement and familiar to customers. Unfortunately, KBA depends on two fragile assumptions: (1) the personal data used in questions is secret and (2) human memory limits prevent instant recall. In today’s threat landscape, both assumptions are false.


Why KBA Is No Longer Adequate

Personal data is no longer private

Static KBA relies on pre‑set security questions such as mother’s maiden name, favorite food or first pet. Once this information is compromised through a data breach or social engineering, it remains compromised indefinitely because the answers do not change. Attackers can mine social media posts, open‑source intelligence and commercial databases to compile a dossier of personal information. A 2021 HelpNet Security article noted that even casual quizzes on social networks— “What was your first car?”—collect answers that can later be abused. Worse, many users reuse the same security answers across multiple accounts, enabling attackers to breach several accounts once they learn a single answer.

Dynamic KBA generates questions on the fly from credit‑bureau or transaction data (e.g., “Which bank issued your mortgage?”). While this improves unpredictability, it still relies on data stored in databases that determined attackers or AI systems can query instantly. The vulnerability is not just that the data is available, but that AI agents can access it faster than humans can think. The article “What Is Knowledge‑Based Authentication? And Why AI Just Broke It” explains how generative‑AI agents posing as customers answer questions without hesitation, eliminating the behavioral cues (pauses, self‑corrections, forgetting) that human agents use to detect fraud.


Human memory is unreliable

KBA’s reliance on human memory has become a liability. Users frequently forget what answers they provided years ago. Google research cited by HelpNet Security found that only 47 % of people could recall their favorite food a year later, and hackers guessed correctly nearly 20 % of the time. This poor recall frustrates users and leads them to choose easily remembered (and easily guessed) answers such as names or dates. The result is a negative user experience and an increase in costly help‑desk calls for password resets.


Attackers have automated KBA exploitation

Advances in AI have destroyed the friction that made KBA work. AI agents and fraud‑as‑a‑service bots now answer KBA questions at machine speed. Voice deepfakes can mimic executives or customers, bypassing manual voice‑recognition heuristics. Social‑engineering gangs leverage synthetic voices and AI‑generated documents to exploit help‑desk agents. As Trusona’s founder Ori Eisen notes, generative AI has evolved from simple phishing into sophisticated attacks on the account‑recovery process, using ID spoofing and deepfakes that simulate voices and documents.


Regulators advise against KBA

Government and industry guidance has moved away from KBA. The U.S. National Institute of Standards and Technology (NIST) removed pre‑registered knowledge tokens from its Digital Identity Guidelines, recognizing that they are “special cases of (often very weak) passwords”. The updated NIST SP 800‑63‑4 explicitly states that knowledge‑based authentication does not constitute an acceptable secret for digital authentication. Even earlier versions of the guidelines emphasized this removal. HelpNet Security also reports that the U.S. Federal Financial Institutions Examination Council (FFIEC) recommends against relying on KBA, citing its susceptibility to social engineering. Industry articles from OneLogin and CX Today highlight that KBA has become a weak factor because the personal information it uses is widely available.


The Rising Cost of Account Takeover Fraud

Account takeover (ATO) occurs when an attacker gains control of a legitimate account, often by hijacking the account‑recovery process. According to Sift’s Q3 2025 Digital Trust Index, 83 % of organizations experienced at least one ATO incident in 2025. Projected losses from ATO fraud were $17 billion in 2025, with attack rates rising to 2.5 % across digital businesses and surging 122 % year over year in fintech. Generative‑AI deepfakes exacerbate this trend. Trusona’s launch announcement cites a 427 % increase in account‑takeover attacks in Q1 2023 compared to all of 2022. AI‑driven deepfakes of voices, documents and selfies have expanded the attack surface for social engineering.

In call centers, the situation is urgent. A Neustar poll found that 63 % of banks still rely on KBA for customer authentication. Attackers target these help desks because organizations often outsource customer support, and the agents handling calls may lack training to recognize AI‑generated voices. This vulnerability is a key reason that organizations need to modernize their identity verification processes.


The Shift to Risk‑Based Authentication

Security professionals recognize that no single factor can secure accounts. Risk‑based authentication adapts the rigor of verification based on context, combining multiple factors to match the risk of the transaction. The FFIEC guidelines recommend a contextual approach that increases verification when risk is high (e.g., high‑value funds transfer) and reduces friction for low‑risk interactions. NIST’s digital identity framework uses Authentication Assurance Levels (AAL) to indicate the strength of the authentication process, with AAL2 and AAL3 requiring multiple factors. However, choosing an approach and building the infrastructure is challenging for many organizations.

Modern identity verification solutions replace or supplement KBA with document verification, biometric authentication (fingerprint, facial recognition, voice recognition), device intelligence, SIM‑swap detection, and behavioral analytics. OneLogin’s analysis of KBA pitfalls recommends moving to multi‑factor authentication (MFA), biometric authentication and behavioral biometrics. These methods are harder to spoof and do not rely on secrets that remain static. Yet even MFA is insufficient when it still includes a password or KBA as the first factor—phishing and SIM‑swap attacks can bypass SMS codes.

Enter ATO Protect: A Modern Identity‑Proofing Solution

Trusona’s ATO Protect product exemplifies the shift from static KBA to robust, risk‑based identity verification. Launched in early 2024, ATO Protect was created to secure the account‑recovery process, which is often disconnected from security measures used at account creation. The platform aims to “know who is really on the other end of a digital transaction,” addressing both fraud risk and customer experience.


How ATO Protect Works

ATO Protect uses multiple layers of verification to reduce fraud without requiring complex integration. Key features include:

Deepfake‑resistant identity verification. ATO Protect verifies the caller by scanning government‑issued documents and comparing them with authoritative data sources and account records. It uses generative‑AI‑resistant methods to detect spoofed documents, synthetic identities and voice deepfakes. According to Trusona, the solution instantly detects social‑engineering attacks such as man‑in‑the‑middle and SIM‑swap fraud.

Real‑time risk assessment. The platform requests customers to corroborate their identity and then validates the submitted data with authoritative sources and device behavior. Device intelligence helps identify anomalies in location, device type or network, while SIM‑swap checks ensure the phone number has not been recently ported to a different SIM card. If risk is high, the system can step up verification by requiring additional documents or biometric checks.

No‑integration deployment. Trusona emphasizes that ATO Protect can be deployed as a zero‑integration solution or via an IT service management (ITSM) API. This design allows organizations to trial the service quickly without changing existing infrastructure. For developers, the ATO Protect API works with systems like ServiceNow, Zendesk and Jira.

Passkeys and passwordless support. While ATO Protect focuses on account recovery, Trusona’s broader Authentication Cloud offers passkey support for login. Passkeys are phishing‑resistant credentials that replace passwords; after ATO verification, employees can set a passkey in their mobile browser and use it at every entry point. The combination of strong identity proofing and passwordless authentication improves both security and user experience.

Scalability and geographic coverage. ATO Protect supports worldwide scanning of government documents, multiple phone networks and thousands of document types. This breadth makes the solution suitable for multinational corporations.


Why ATO Protect Is Different from Traditional KBA

The core difference is that ATO Protect verifies a real‑world identity rather than knowledge of past events. By cross‑checking government IDs, biometric data and authoritative records, it provides high assurance that the caller is the account owner. It also uses dynamic risk assessment; low‑risk events receive minimal friction, while high‑risk requests require stronger verification. For example, a bank requesting to transfer funds after a change of address would require additional checks. This aligns with the contextual authentication recommended by risk‑based frameworks.
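The dynamic risk assessment described in the last two sections, as an added example (not Trusona's code and not the ATO Protect API): a small Python policy that scores the signals named above (unfamiliar device, location mismatch, a recently ported phone number, a funds transfer shortly after a change of address) and returns the verification tier the request must clear before an agent proceeds. The signal names, weights, thresholds and sample requests are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# Verification tiers, weakest to strongest (names assumed for this example).
TIER_MINIMAL = "minimal"                        # known device, low-risk action
TIER_DOCUMENT = "document"                      # government ID scan checked against records
TIER_DOCUMENT_BIOMETRIC = "document+biometric"  # ID scan plus selfie/liveness match
@dataclass
class RequestContext:
    action: str                             # e.g. "password_reset", "funds_transfer"
    amount_usd: float                       # 0 for non-monetary actions
    known_device: bool                      # device fingerprint seen on this account before
    geo_matches_history: bool               # network/location consistent with prior sessions
    sim_swapped_at: Optional[datetime]      # most recent SIM port for the phone number, if any
    address_changed_at: Optional[datetime]  # most recent change of address on the account, if any
    now: datetime

def risk_score(ctx: RequestContext) -> int:
    """Additive score over the signals; weights are constructed for illustration."""
    score = 30 * (not ctx.known_device) + 20 * (not ctx.geo_matches_history)
    # A number ported in the last week makes any SMS or voice code sent to it untrustworthy.
    if ctx.sim_swapped_at and ctx.now - ctx.sim_swapped_at < timedelta(days=7):
        score += 40
    if ctx.action == "funds_transfer":
        score += 20 if ctx.amount_usd >= 10_000 else 10
        # Moving money shortly after an address change is a classic takeover pattern.
        if ctx.address_changed_at and ctx.now - ctx.address_changed_at < timedelta(days=30):
            score += 30
    return score

def required_tier(ctx: RequestContext) -> str:
    """Map the score to a step-up tier; a funds transfer is never left at minimal."""
    score = risk_score(ctx)
    if score >= 60:
        return TIER_DOCUMENT_BIOMETRIC
    if score >= 30 or ctx.action == "funds_transfer":
        return TIER_DOCUMENT
    return TIER_MINIMAL

def demo() -> dict:
    """Constructed sample requests and the tier each one is assigned."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    cases = {
        "balance_known_device": RequestContext("balance_inquiry", 0, True, True, None, None, now),
        "reset_new_device_new_geo": RequestContext("password_reset", 0, False, False, None, None, now),
        "transfer_after_address_change": RequestContext("funds_transfer", 25_000, True, True, None, now - timedelta(days=3), now),
        "transfer_new_device_sim_swap": RequestContext("funds_transfer", 25_000, False, True, now - timedelta(days=1), now - timedelta(days=3), now),
    }
    return {name: required_tier(ctx) for name, ctx in cases.items()}
```

The transfer after a recent address change lands at the document tier even from a known device, which is the step-up the paragraph above describes; add a new device and a fresh SIM swap and it climbs to document plus biometric.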

ATO Protect addresses the three major ways AI breaks KBA: (1) it verifies the identity rather than the memory; (2) it differentiates between human and AI callers using device and biometric signals; and (3) it provides step‑up verification to distinguish between legitimate AI agents and malicious bots. As Trusona’s press release notes, the ability to deploy increasingly complex identity verification depending on the risk sets ATO Protect apart from current solutions.


Case Studies and Adoption

Organizations across industries have adopted ATO Protect. Testimonials on Trusona’s website include financial firms, law practices and venture capital partners who use the solution to verify clients and secure sensitive transactions. For instance, Exeter Financial uses ATO Protect to verify clients and ensure asset security. Kleiner Perkins integrates ATO Protect for all sensitive interactions across the organization. Ballistic Ventures pairs ATO Protect identity verification with verbal protocols to secure wire transfers. These endorsements demonstrate that real‑world institutions trust document verification and device intelligence over memory questions.


Migrating From KBA to ATO Protect

Switching from KBA to a modern solution like ATO Protect involves more than purchasing software; it requires operational and cultural changes. Below are recommendations for organizations planning a migration.

  • Assess risk and identify vulnerable workflows

Begin by mapping the call‑center and digital workflows where KBA is currently used: password resets, account recoveries, high‑value transactions, new account creation. Determine which transactions pose the highest risk of account takeover. Sift’s data shows that fintech and finance experience the highest surge in ATO attacks, so these sectors require strong identity proofing.

  • Secure executive and legal buy‑in

Investing in document verification and biometric solutions may raise privacy and regulatory questions. Involve compliance teams early to ensure the solution meets privacy laws. Because ATO Protect uses third‑party documents and personal data, organizations should evaluate data handling policies and ensure suppliers are certified (e.g., SOC 2 certified). Demonstrating the cost of fraud (e.g., $17 billion in losses) helps justify the investment.

  • Pilot with a no‑integration deployment

ATO Protect offers a no‑integration option that allows organizations to test the service quickly. Start with a specific use case, such as password resets or wire‑transfer confirmations, and measure improvements in fraud reduction and user experience. Evaluate metrics such as average call handling time, successful verifications and customer satisfaction.

  • Train agents and update policies

The success of a risk‑based system depends on well‑trained agents. Staff should understand how to initiate the ATO Protect workflow, interpret risk scores and proceed with step‑up verification when necessary. Policies must also cover how to handle AI callers who present valid authorization tokens, aligning with the permission‑based authentication model advocated by CX Today.

  • Layer with passkeys and device‑based MFA

Document verification is only one piece of the puzzle. For ongoing interactions, encourage customers and employees to register passkeys or device‑based MFA after they have been fully verified. Passkeys eliminate password reuse and are resilient to phishing. When layered with ATO Protect, passkeys provide end‑to‑end protection from account creation through recovery.

  • Monitor and adapt

Threats evolve. ATO Protect offers configurable policies to adjust risk thresholds and step‑up requirements. Regularly review fraud trends, update document verification capabilities and integrate with other security controls (e.g., behavioral analytics, transaction monitoring) to stay ahead of attackers.


Conclusion

KBA served a purpose in an era when personal information was hard to obtain and AI did not exist. Today, it is an inadequate and risky authentication method. Attackers and legitimate AI agents alike can answer KBA questions flawlessly, removing the friction that once helped distinguish genuine users from fraudsters. Regulators such as NIST explicitly disallow KBA as an acceptable secret, and industry data shows that ATO fraud is increasing dramatically. Organizations still relying on KBA risk financial losses, reputational damage and regulatory scrutiny.

Modern identity verification must confirm who is calling, not what they know. Solutions like Trusona’s ATO Protect use document scanning, device intelligence and real‑time risk analysis to verify the real‑world identity behind every transaction. By layering these capabilities with passkeys and risk‑based policies, organizations can mitigate account takeover fraud while delivering a smoother user experience. The shift away from knowledge‑based authentication is not just a technological upgrade; it is a necessary evolution to secure digital interactions in a world where generative AI has obliterated the assumptions that KBA depends on.

