Setting Up Knowledge-based Authentication
Knowledge-based Authentication (KBA) is a security measure that you can implement to help ensure that the person logging into an account is really who they say they are. KBA requires users to supply secret answers to questions that others can't easily guess.
IdentityNow provides some default security questions, but you can add more to increase the security of your system. You can use KBA security questions for anything requiring strong authentication, such as:
- Password resets
- Additional access to specific areas in IdentityNow
Prerequisites
- You have IdentityNow admin permissions.
- You've completed your IdentityNow setup.
- KBA is enabled as a strong authentication method in IdentityNow.
Developing Security Questions
You can help users create robust KBA answers by providing the right type of security questions. Think about the kinds of questions you can create that require truly unique answers: answers that have not been used before and that only the user answering the question would know.
When developing KBA questions for IdentityNow, keep the following points in mind:
- Answers to security questions must be at least four characters long. Create security questions that you believe require answers of at least four characters.
- At least two, and up to eight, security questions must be enabled in your system for KBA to function correctly.
- You can require that users correctly answer up to six questions each time they strongly authenticate, if you have six or more questions enabled.
Consider whether your questions need to be translated into additional languages, and ensure you can do so. You can set up IdentityNow KBA in any of the languages IdentityNow supports.
After you've developed the KBA security questions and have any required translations, you're ready to add them to IdentityNow.
Adding and Configuring Security Questions
Enter your security questions and add languages for translations to each question as needed. Then specify how many questions a user must answer and how many of those answers must be correctly answered.
To enter and configure security questions:
1. In the Admin interface, go to Global > Security Settings > Security Questions.
2. Select Add in the Security Questions panel and enter a security question in the new field.
3. Select Add to add the question to IdentityNow. The new question appears in an alphabetically ordered list.
Note
To change a security question's content after you have added the question to the Security Questions list, you must delete the existing question and add a new question containing the edited content. Refer to Deleting Security Questions for instructions on removing questions.
4. Select the translation icon to the right of the new question or any question requiring additional translation. The Add Translation dialog appears.
5. In the Add Translation dialog, select the security question's original language.
Note
Even if you don't need the security question translated, you still must add the language for the original question. So if your original question is in English, the first language you select would be English.
6. Select Add. For each language you select, an Enter Translation field appears next to the language. Enter the translated version of the question for the selected language.
Note
The Add Translation dialog is the only place a language can be added to or deleted from a question. To delete a language from a question, select the X next to the translated question.
7. Select Save when you have finished adding languages and translated questions.
To specify how many questions must be answered and how many answers must be answered correctly:
1. From the bottom of the Security Questions panel, select values for each of the following:
   - Number of questions from master list that must be set up by user
   - Number of questions a user must answer correctly to authenticate
Note
Users must correctly answer one or more security questions. You can require that users correctly answer up to six questions, if you have made six or more questions available to users.
2. Select Save. Users now need to select and answer those security questions before using them for strong authentication or password resets. Refer to the User Help topic Updating Your Preferences for details on using the configured KBA questions.
Deleting Security Questions
If any of the questions you delete are currently in use, the users who configured them must select and answer replacement questions.
Note
IdentityNow does not remember the users' answers to questions you have deleted, even if you add the same question again.
To delete a security question from IdentityNow:
1. From the Admin interface, go to Global > Security Settings.
2. In the Security Questions panel, select the X icon next to the question you want to remove. A banner displays the number of users who have configured that question for strong authentication.
3. Select the Delete button to delete the question. If you need to add more questions, you can do so in the Security Questions panel. Refer to steps 2 through 6 in Adding and Configuring Security Questions above for instructions.
4. Select Save to apply and save your changes.
Configuring IdentityNow to Require a PIN for Authentication
You can configure KBA to always prompt users for a single PIN, rather than for answers to one or more security questions.
Important
To make entering a PIN a required authentication method, you will be removing all other KBA questions from your Security Questions list. Be certain that all of the prerequisites described below are in place so that users can still access what they need until the new PIN KBA is available.
Prerequisites:
- Ensure that all identity profiles have other strong authentication and password reset methods configured, so that password reset and strong authentication remain available to users accessing KBA-protected areas while you are reconfiguring KBA.
- Before implementing any new PIN requirements, notify users about the authentication change so they can expect the following scenarios:
   - While you are reconfiguring KBA to use a PIN, any KBA methods you previously configured will not be used to secure KBA-protected areas. IdentityNow will instead prompt users trying to access the Admin tab with what is usually a password reset or strong authentication prompt. Users may be asked to provide the verification code sent to their alternate phone.
   - After KBA PIN authentication has been set up, users will be prompted to set up a PIN the first time they try to access areas of IdentityNow that formerly may have required answers to multiple security questions.
- Educate users on the requirements for creating secure PINs, such as basing PINs on information that is easy for them to remember but hard for others to guess. For example, if a user wants to create a PIN using their children's birthdays of 07/22 and 11/15, they might use 07twenT@11fift33~ instead. PINs must be between 4 and 255 alphanumeric characters long.
After fulfilling the prerequisites, you can begin setting up KBA to require only a PIN.
To set up KBA to require a PIN only:
1. In the Admin interface, go to Global > Security Settings > Security Questions.
2. Select Add and enter a question that asks the user for their PIN.
3. Select Add, and then delete all other questions in the list by selecting the X icon next to each question.
4. Set the following fields' values to 1:
   - Number of questions from master list that must be set up by user
   - Number of questions a user must answer correctly to authenticate
5. Select Save. The new question requesting a PIN now always appears when users attempt to log in to IdentityNow.
6. After you complete the PIN-only setup, you can, if desired, remove the additional password reset and strong authentication capabilities that were in place during KBA setup. Remind users of what to expect once the new KBA PIN-only setup is in place.
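The limits this guide states (two to eight enabled questions, at most six required correct answers, a four-character answer minimum, PINs of 4 to 255 characters, and the single-question PIN-only mode) are easy to get wrong when planning a change. The following checker is an added example, not IdentityNow code; the KbaPolicy fields, the pin_only flag and the rule that a user cannot be asked for more correct answers than questions they set up are assumptions made for illustration.

```python
"""Illustrative policy checker (assumed, not IdentityNow code): encodes the
KBA limits from this guide so an admin can sanity-check a planned change
before entering it under Global > Security Settings > Security Questions."""
from dataclasses import dataclass

MIN_ENABLED, MAX_ENABLED = 2, 8      # enabled questions for question-based KBA
MAX_REQUIRED_CORRECT = 6             # most answers a user can be required to get right
MIN_ANSWER_LEN = 4                   # shortest accepted security answer
MIN_PIN_LEN, MAX_PIN_LEN = 4, 255    # PIN length limits from the PIN section


@dataclass
class KbaPolicy:                     # assumed structure, mirrors the UI fields
    questions: list                  # enabled question texts
    setup_count: int                 # "Number of questions ... set up by user"
    correct_count: int               # "Number of questions a user must answer correctly"
    pin_only: bool = False           # PIN-only mode described at the end of the guide


def policy_issues(p: KbaPolicy) -> list:
    """Return human-readable problems; an empty list means the policy is valid."""
    issues = []
    n = len(p.questions)
    if p.pin_only:
        # PIN-only setup keeps a single PIN question with both counters set to 1
        if n != 1:
            issues.append(f"PIN-only mode needs exactly 1 question, found {n}")
        if (p.setup_count, p.correct_count) != (1, 1):
            issues.append("PIN-only mode requires both counters set to 1")
        return issues
    if not MIN_ENABLED <= n <= MAX_ENABLED:
        issues.append(f"{n} questions enabled; need {MIN_ENABLED} to {MAX_ENABLED}")
    if not 1 <= p.setup_count <= n:
        issues.append(f"setup count {p.setup_count} must be between 1 and {n}")
    if p.correct_count < 1:
        issues.append("users must correctly answer at least one question")
    if p.correct_count > MAX_REQUIRED_CORRECT:
        issues.append(f"required correct answers are capped at {MAX_REQUIRED_CORRECT}")
    if p.correct_count > p.setup_count:
        # assumption: a user cannot be asked for more answers than they set up
        issues.append("required correct answers exceed questions each user sets up")
    return issues


def answer_ok(answer: str) -> bool:
    """Security answers must be at least four characters long."""
    return len(answer.strip()) >= MIN_ANSWER_LEN


def pin_ok(pin: str) -> bool:
    """PINs must be between 4 and 255 characters long."""
    return MIN_PIN_LEN <= len(pin) <= MAX_PIN_LEN
```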