Verification of a user's identity is critical in many settings. Conventional solutions to verify user identity include knowledge-based inquiries, such as a security code or challenge. However, knowledge-based inquiries can easily be compromised by malicious users, especially when unauthorized access has been obtained to the user's account and/or devices. For example, someone who has stolen a smartphone may intercept one-time passcodes sent via text messaging and/or email to access an account.