Configuring Security Questions

You can configure security questions or PINs as a security measure to help ensure the person logging into an account is who they say they are. This is referred to as knowledge-based authentication (KBA).

You can use the default security questions, or you can add your own. Alternatively, you can configure a single PIN for resetting passwords.

Developing Security Questions

When developing security questions, keep the following in mind:

  • Answers to security questions must be at least 4 characters long. Create security questions that you believe require at least four-letter answers.
  • You can enable between 2 and 8 security questions.
  • You can require users to correctly answer up to 6 questions each time they strongly authenticate, if you have 6 or more questions enabled.

Consider whether your questions need to be translated into additional languages and ensure you can do so. You can set up security questions in any of the supported languages.

Adding and Configuring Security Questions

Enter your security questions and add translations to each question as needed. Then specify how many questions a user must set up and how many of those questions the user must answer correctly.

  1. Go to Admin > Global > Security Settings > Security Questions.

  2. Select + Add in the Security Questions panel and enter a security question in the new field.

  3. Select Add to add the question. The new question appears in an alphabetically ordered list.


    Security questions cannot be edited. To update a security question, you must delete the question and add a new one.

  4. If a question requires translation, select the Add Translation icon to the right of the question.

    • In the Add Translation window, select the language.
    • Select + Add and enter the translation in the selected language in the Enter Translation field.


    To delete a language from a question, select the X next to the translated question.

  5. Select Save.

To specify how many questions users must set up and how many they must answer correctly:

  1. From the bottom of the Security Questions panel, select values for the:

    • Number of questions from master list that must be set up by user
    • Number of questions a user must answer correctly to authenticate


    Users must correctly answer one or more security questions. You can require that users correctly answer up to 6 questions, if you have made 6 or more questions available to users.

  2. Select Save.

Users must now select and answer those security questions before using them to reset their password. Refer to the User Help topic Updating Your Preferences for details on using configured security questions.

Deleting Security Questions

If you delete a question that is currently deployed, the users who configured that question must select and answer replacement questions.


Identity Security Cloud does not remember the users' answers to questions you have deleted, even if you add the same question again.

To delete a security question:

  1. Go to Admin > Global > Security Settings.

  2. In the Security Questions panel, select the X icon next to the question you want to remove. A banner displays the number of users who have configured that question for strong authentication.

  3. Select the Delete button to delete the question.

  4. Select Save to apply your changes.

Requiring a PIN for Authentication

You can configure Identity Security Cloud to use a single PIN as a security question.


Making a PIN the required authentication method involves removing all other security questions. Be certain that all of the prerequisites described below are in place so that users can still access what they need until the PIN is available.


  • Ensure that all identity profiles have other password reset methods configured so that password reset capabilities are available to users.
  • Before implementing new PIN requirements, notify users about the authentication change, so they can expect the following scenarios:
    • While you are reconfiguring your security question to use a PIN, previously configured security questions will not be used.
    • After PIN authentication has been set up, users will be prompted to set up a PIN the next time they try to log in.

Best Practice

Educate users to create secure PINs, such as creating PINs based on information that is easy to remember but hard for others to guess.

For example, if a user wants to create a PIN using their children's birthdays - which are 07/22 and 11/15 - they might use 07twenT@11fift33~ instead. PINs must be between 4 and 255 alphanumeric characters long.

To configure a single PIN:

  1. Go to Admin > Global > Security Settings > Security Questions.

  2. Select Add and add a question requesting the user's PIN to the list.

  3. Select Add and delete all other questions in the list by selecting the X icon next to each question.

  4. Set the following field values to 1:

    • Number of questions from master list that must be set up by user
    • Number of questions a user must answer correctly to authenticate

  5. Select Save.

The new question requesting a PIN now always appears when users attempt to log in to Identity Security Cloud.

After you complete the PIN-only setup, you can choose to remove the additional password reset capabilities that were in place during the PIN setup. Remind users what to expect once the new PIN-only setup is in place.
