Configuring Security Questions
You can configure IdentityNow to use security questions or a PIN as a security measure to help ensure the person logging into an account is who they say they are. This is referred to as knowledge-based authentication (KBA).
IdentityNow provides default security questions, or you can add your own. You can alternatively configure a single PIN to use for strong authentication when resetting your password or accessing other areas in IdentityNow.
Important
You must enable security questions as a strong authentication method.
Developing Security Questions
When developing security questions for IdentityNow, keep the following in mind:
- Answers to security questions must be at least 4 characters long. Create security questions that you believe require at least four-letter answers.
- You can enable 2 - 8 security questions.
- You can require users to correctly answer up to 6 questions each time they strongly authenticate, if you have 6 or more questions enabled.
Consider whether your questions need to be translated into additional languages and ensure you can do so. You can set up IdentityNow security questions in any of the languages IdentityNow supports.
Adding and Configuring Security Questions
Enter your security questions and add languages for translations to each question as needed. Then specify how many questions a user must answer and how many of those answers must be correctly answered.
-
Go to Admin > Global > Security Settings > Security Questions.
-
Select Add in the Security Questions panel and enter a security question in the new field.
-
Select Add to add the question to IdentityNow. The new question appears in an alphabetically ordered list.
Note
Security questions cannot be edited. To update a security question, you must delete the question and add a new one.
-
If a question requires translation, select the translation icon
to the right of the question.- In the Add Translation dialog, select the security question's original language.
- Select Add and enter the translation in the selected language in the Enter Translation field.
Note
To delete a language from a question, select the X next to the translated question.
-
Select Save.
To specify how many questions must be answered and how many answers must be answered correctly:
-
From the bottom of the Security Questions panel, select values for the:
- Number of questions from master list that must be set up by user
- Number of questions a user must answer correctly to authenticate
Note
Users must correctly answer one or more security questions. You can require that users correctly answer up to 6 questions, if you have made 6 or more questions available to users.
-
Select Save.
Users must now select and answer those security questions before using them for strong authentication or password resets. Refer to the User Help topic Updating Your Preferences for details on using configured security questions.
Deleting Security Questions
If you delete a question that is currently deployed, those users must select and answer replacement questions.
Note
IdentityNow does not remember the users' answers to questions you have deleted, even if you add the same question again.
To delete a security question from IdentityNow:
-
Go to Admin > Global > Security Settings.
-
In the Security Questions panel, select the X icon next to the question you want to remove. A banner displays the number of users who have configured that question for strong authentication.
-
Select the Delete button to delete the question.
-
Select Save to apply your changes.
Requiring a PIN for Authentication
You can configure IdentityNow to use a single PIN as a security question.
Important
To make entering a PIN a required authentication method, you will be removing all other security questions. Be certain that all of the prerequisites described below are in place so that users can still access what they need until the PIN is available.
Prerequisites:
- Ensure that all identity profiles have other strong authentication and password reset methods configured so that password reset and strong authentication capabilities are available to users.
- Before implementing new PIN requirements, notify users about the authentication change, so they can expect the following scenarios:
- While you are reconfiguring your security question to use a PIN, previously-configured security questions will not be used.
- After PIN authentication has been set up, users will be prompted to set up a PIN the first time they try to access areas of IdentityNow that may have formerly required answers to multiple security questions.
- Users will be prompted to respond to a password reset or strong authentication prompt to access the Admin or Search tabs. Users may be asked to provide the verification code sent to their alternate phone.
Best Practice
Educate users to create secure PINs, such as creating PINs based on information that is easy to remember but hard for others to guess.
For example, if a user wants to create a PIN using their children's birthdays - which are 07/22 and 11/15 - they might use 07twenT@11fift33~ instead. PINs must be between 4 and 255 alphanumeric characters long.
To configure a single PIN:
-
Go to Admin > Global > Security Settings > Security Questions.
-
Select Add and add a question requesting the user's PIN to the list.
-
Select Add and delete all other questions in the list by selecting the X icon next to each question.
-
Set the following field values to 1:
- Number of questions from master list that must be set up by user
- Number of questions a user must answer correctly to authenticate
-
Select Save.
The new question requesting a PIN now always appears when users attempt to log in to IdentityNow.
After you complete the PIN-only setup, you can choose to remove the additional password reset and strong authentication capabilities that were in place during the PIN setup. Remind users what to expect once the new PIN-only setup is in place.