Setting Up Knowledge Based Authentication
Knowledge Based Authentication (KBA) is a security measure that you can implement to help ensure that the person logging in to an account is really who they say they are. KBA requires users to supply secret answers to questions that others can't easily guess.
IdentityNow provides some security questions out-of-the-box, but you can add more to increase the security of your system. You can use KBA security questions for anything requiring strong authentication, such as:
- Password resets
- Additional access to specific areas in IdentityNow
Before you set up KBA, make sure that:
- You have IdentityNow admin permissions.
- Foundation data is in place.
- KBA is enabled as a strong authentication method in IdentityNow.
Developing Security Questions
You can help users create robust KBA answers by providing the right type of security questions. Think about the kinds of questions that require truly unique answers: answers that have not been used before and that only the user answering the question would know.
When developing KBA questions for IdentityNow, keep the following points in mind:
- Answers to security questions must be at least four characters long. Create security questions that you believe require at least four-letter answers.
- At least two and no more than eight security questions must be enabled in your system for KBA to function correctly.
- You can require that users correctly answer up to six questions each time they strongly authenticate, if you have six or more questions enabled.
Also consider whether or not your questions need to be translated into languages other than the language in which you are creating your questions. If your security questions do require translations, ensure you are able to get the questions translated. You can set up IdentityNow KBA in any of the 18 different languages IdentityNow supports.
After you've developed the KBA security questions and have any required translations, you're ready to add them to IdentityNow.
Adding and Configuring Security Questions
Enter your security questions and add languages for translations to each question as needed. Then specify how many questions a user must answer and how many of those must be answered correctly.
To enter and configure security questions:
Click Add in the Security Questions panel and enter a security question in the new field.
Click Add to add the questions to IdentityNow. The new question appears in an alphabetically ordered list.
To change a security question's content after you have added the question to the Security Questions list, you must delete the existing question and add a new question containing the edited content. See Deleting Security Questions below for instructions on removing questions.
In the Add Translation dialog, select the security question's original language.
Even if you don't need the security question translated, you still must add the language for the original question. So if your original question is in English, the first language you select would be English.
Click Add. For each language you select, an Enter Translation field appears next to the language. Enter the translated version of the question for the selected language.
The Add Translation dialog is the only place a language can be added to or deleted from a question. To delete a language from a question, click the X next to the translated question.
Click Save when you have finished adding languages and translated questions.
To specify how many questions must be answered and how many must be answered correctly:
From the bottom of the Security Questions panel, select values for each of the following:
- Number of questions from master list that must be set up by user
- Number of questions a user must answer correctly to authenticate
Users must correctly answer one or more security questions. You can require that users correctly answer up to six questions, if you have made six or more questions available to users.
Click Save. Users now need to select and answer those security questions before using them for strong authentication or password resets. See the User Help topic Updating Your Preferences for details on using the configured KBA questions.
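The limits described in the two sections above can be checked against a planned question set before you enter it in the Security Questions panel. The following is an added example, not SailPoint code: the planning format, the function name `check_kba_plan`, and the language codes are hypothetical, and the rule that users cannot be asked more questions than they set up is an assumption.

```python
MIN_ENABLED, MAX_ENABLED = 2, 8   # enabled questions (limits stated on this page)
MIN_CORRECT, MAX_CORRECT = 1, 6   # correct answers required per authentication

def check_kba_plan(questions, to_set_up, must_answer):
    """Return a list of problems in a planned KBA configuration.

    questions   -- hypothetical planning format: {"original": lang, "text": {lang: wording}}
    to_set_up   -- number of questions each user must set up from the master list
    must_answer -- number of questions a user must answer correctly to authenticate
    """
    problems = []
    n = len(questions)
    if not MIN_ENABLED <= n <= MAX_ENABLED:
        problems.append(f"{n} questions enabled, need {MIN_ENABLED} to {MAX_ENABLED}")
    if not MIN_CORRECT <= must_answer <= MAX_CORRECT:
        problems.append(f"must_answer={must_answer}, allowed {MIN_CORRECT} to {MAX_CORRECT}")
    elif must_answer > n:
        problems.append(f"must_answer={must_answer} exceeds the {n} enabled questions")
    # Assumption (not stated on the page): users cannot set up more questions
    # than exist, or be asked more questions than they have set up.
    if to_set_up > n:
        problems.append(f"to_set_up={to_set_up} exceeds the {n} enabled questions")
    if must_answer > to_set_up:
        problems.append(f"must_answer={must_answer} exceeds to_set_up={to_set_up}")
    for i, q in enumerate(questions, 1):
        # The original language must be added even when no translation is needed.
        if q["original"] not in q["text"]:
            problems.append(f"question {i}: original language {q['original']!r} not added")
        for lang, wording in q["text"].items():
            if not wording.strip():
                problems.append(f"question {i}: empty wording for {lang!r}")
    return problems

# Constructed sample plan; the language codes are placeholders.
PLAN = [
    {"original": "en", "text": {"en": "What was the name of your first employer?",
                                "fr": "Quel était le nom de votre premier employeur ?"}},
    {"original": "en", "text": {"fr": "Dans quelle ville vos parents se sont-ils rencontrés ?"}},
    {"original": "en", "text": {"en": "What was the model of your first car?", "de": " "}},
]

if __name__ == "__main__":
    for problem in check_kba_plan(PLAN, to_set_up=3, must_answer=4):
        print("FIX:", problem)
```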
Deleting Security Questions
If any of the questions you delete are currently deployed, the users who configured those questions must select and answer replacement questions.
IdentityNow does not remember the users' answers to questions you have deleted, even if you add the same question again.
To delete a security question from IdentityNow:
From the Admin interface, go to Global > Security Settings.
In the Security Questions panel, click the Delete icon next to the question you want to remove. A banner displays the number of users who have configured that question for strong authentication.
Click the Delete button to delete the question. If you need to add more questions, you can do so in the Security Questions panel. See steps 2 – 6 in Adding and Configuring Security Questions above for instructions.