Configure a Knowledge Questions authentication mechanism
The Knowledge Questions authentication mechanism is an additional step-up authentication measure that authenticates the user with knowledge questions and their registered answers.
The user must first register answers to the knowledge questions; the mechanism then checks submitted answers against those registered values during authentication.
Because the mechanism relies on personal information the user has registered, it is only as strong as the secrecy of those answers. We can use the Knowledge Questions authentication mechanism:
- With user ID and password authentication to provide two-factor authentication.
- As a step-up authentication method when the user accesses a high-value resource or performs a high-value transaction.
The administrator can configure the mechanism to present a predetermined list of knowledge questions, or allow the user to specify and register their own questions. Answers to questions of this kind are often short, low-entropy and sometimes discoverable, which is why the answer hashing and retry protection properties described below matter. Typical knowledge questions about the user might include:
- Mother's maiden name.
- Name of first grade teacher.
- Name of favorite pet.
Steps
- Log in to the local management interface.
- Click AAC.
- Under Policy, click Authentication.
- Click Mechanisms.
- Click Knowledge Questions.
- Click .
- Click the Properties tab.
- Select a property to configure.
- Click .
- Enter the value for that property.
- Click OK.
- Take note of the properties for the mechanism.
- Allow User Provided Questions
- Specify true to let users register their own custom questions instead of answering only the pre-configured questions.
Default value: true
Valid values: Boolean
- Answer Hashing Algorithm
- Specify the hashing algorithm the appliance uses to hash each user's knowledge question answers before it stores them. This property only takes effect when Answer Hashing Enabled is true. Avoid SHA-1 for new deployments; it is deprecated for new use, and the stronger options cost nothing here.
Default value: SHA-256
Valid values include the following string values:
- SHA-1
- SHA-256
- SHA-512
- Answer Hashing Enabled
- When true, the mechanism stores hash values of the answers the user provides instead of the answers themselves, so that an administrator, or anyone else with read access to the user information database, cannot read the user's answers. Specify false only if you need the answers stored in cleartext; this exposes every user's answers to anyone who can read the user information database.
Default value: true
Valid values: Boolean
- Correct Answers Required
- Specify the number of correct answers required for the authentication to be successful.
Default value: 1
Valid values: Any positive integer that does not exceed the number of questions that are stored per user.
- Retry Count Attribute Name
- Specify the name of the attribute that records how many times the user has submitted invalid answers to the knowledge questions. The count is stored in the user information database. When it reaches the value of Retry Protection Max Number Of Attempts, the user is unable to authenticate until the Retry Timeout elapses.
Default value: user:knowledge:questions:retry:count
Valid values: String
- Grace Period Authentication Count Attribute Name
- Specify the name of the attribute that records the number of times the user has authenticated during the grace period. The count is stored in the user information database. During the grace period the mechanism does not require the user to have registered knowledge questions.
Default value: user:knowledge:questions:grace:period:count
Valid values: String
- Maximum Amount of Answers Stored
- Specify the maximum number of question and answer combinations the mechanism can store for each user.
Default value: 3
Valid values: Any positive integer.
- Maximum Amount of Grace Period Authentications
- Specify the maximum number of times a user may authenticate during the grace period, that is, before registering knowledge questions. A value of 0 allows no grace-period authentications, so the user must register questions before this mechanism lets them authenticate.
Default value: 0
Valid values: 0 or any positive integer.
- Presentation Mode
- Specify Individual so the mechanism presents one knowledge question at a time. Specify Group so the mechanism presents all of the knowledge questions in one form.
Default value: Group
Valid values: Individual, Group
- Presentation Order
- Specify Sequential so the mechanism presents the questions in the order in which they are stored. Specify Random so the mechanism presents the questions in random order.
Default value: Random
Valid values: Sequential, Random
- Questions Attribute Name
- Specify the name of the attribute used to store the user knowledge questions in the user information database.
Default value: user:knowledge:questions
Valid values: String
- Retry Protection Enabled
- Specify false to disable retry protection. With retry protection disabled, nothing in this mechanism limits how many answers an attacker can guess, so leave it enabled unless another control throttles authentication attempts.
Default value: true
Valid values: Boolean
- Retry Protection Max Number Of Attempts
- Specify the maximum number of times that a user can supply incorrect answers before the mechanism prohibits the user from logging in.
Default value: 5
Valid values: Positive integer
- Retry Timeout
- Specify the number of seconds that a user must wait before trying to log in again after reaching the maximum number of attempts. If -1 is entered, the user is locked out indefinitely until an administrator explicitly unlocks the user with the SCIM API.
Default value: 600
Valid values: -1, or a positive integer number of seconds
- Use Exact Answer Matching
- Specify true so the mechanism performs an exact match when it validates the submitted answer.
Default value: false
Valid values: Boolean
- User Attributes Namespace
- Specify the namespace to be used to store all of the user attributes that are related to the Knowledge Questions authentication mechanism that are stored in the user information database.
Default value: urn:ibm:security:authentication:asf:mechanism:knowledge_questions
Valid values: String
- Click Save.
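The properties above interact: the answer encoding chosen by Answer Hashing Enabled, Answer Hashing Algorithm and Use Exact Answer Matching determines what is written to the user information database, while Correct Answers Required, the retry protection properties and the grace period properties determine whether an authentication attempt succeeds. The following Python model, added here as an illustration and not the appliance's own code, works through those rules on constructed data. It assumes a specific normalization for non-exact matching (trim, collapse whitespace, lower-case) and an unsalted digest, neither of which this page specifies; the configuration dictionary keys simply mirror the property names.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed configuration for this model; keys mirror the property names on this page.
CONFIG = {
    "answer_hashing_enabled": True,
    "answer_hashing_algorithm": "SHA-256",      # SHA-1 / SHA-256 / SHA-512
    "use_exact_answer_matching": False,
    "correct_answers_required": 2,
    "maximum_amount_of_answers_stored": 3,
    "maximum_amount_of_grace_period_authentications": 0,
    "retry_protection_enabled": True,
    "retry_protection_max_number_of_attempts": 5,
    "retry_timeout": 600,   # seconds; -1 locks the user until an administrator unlocks
}

_HASHLIB_NAMES = {"SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}
INDEFINITE = float("inf")   # sentinel for a Retry Timeout of -1


def _normalize(answer: str, exact: bool) -> str:
    """Assumed canonical form for non-exact matching (trim, collapse whitespace,
    lower-case). The page does not state the appliance's rules; this is a stand-in."""
    return answer if exact else " ".join(answer.split()).lower()


def encode_answer(answer: str, cfg: dict = CONFIG) -> str:
    """The value written to the user information database for one answer."""
    canonical = _normalize(answer, cfg["use_exact_answer_matching"])
    if not cfg["answer_hashing_enabled"]:
        return canonical          # cleartext: readable by anyone who can read the registry
    digest = hashlib.new(_HASHLIB_NAMES[cfg["answer_hashing_algorithm"]])
    digest.update(canonical.encode("utf-8"))
    return digest.hexdigest()


@dataclass
class UserRecord:
    answers: Dict[str, str] = field(default_factory=dict)  # question -> stored value
    retry_count: int = 0            # Retry Count Attribute
    grace_period_count: int = 0     # Grace Period Authentication Count Attribute
    locked_until: Optional[float] = None


def register(user: UserRecord, question: str, answer: str, cfg: dict = CONFIG) -> bool:
    """Store one question/answer pair; refuse once Maximum Amount of Answers Stored is hit."""
    if question not in user.answers and len(user.answers) >= cfg["maximum_amount_of_answers_stored"]:
        return False
    user.answers[question] = encode_answer(answer, cfg)
    return True


def validate(user: UserRecord, submitted: Dict[str, str], now: float, cfg: dict = CONFIG) -> str:
    """Returns 'locked', 'grace', 'registration_required', 'success' or 'failure'."""
    if cfg["retry_protection_enabled"] and user.locked_until is not None:
        if now < user.locked_until:
            return "locked"
        user.locked_until, user.retry_count = None, 0     # Retry Timeout has elapsed
    if not user.answers:                                   # no questions registered yet
        if user.grace_period_count < cfg["maximum_amount_of_grace_period_authentications"]:
            user.grace_period_count += 1
            return "grace"
        return "registration_required"
    # Constant-time comparison of the encoded submission with the stored value.
    correct = sum(
        hmac.compare_digest(encode_answer(ans, cfg).encode(), user.answers[q].encode())
        for q, ans in submitted.items() if q in user.answers
    )
    if correct >= cfg["correct_answers_required"]:
        user.retry_count = 0
        return "success"
    user.retry_count += 1
    if cfg["retry_protection_enabled"] and user.retry_count >= cfg["retry_protection_max_number_of_attempts"]:
        timeout = cfg["retry_timeout"]
        user.locked_until = INDEFINITE if timeout == -1 else now + timeout
    return "failure"


def admin_unlock(user: UserRecord) -> None:
    """Models the explicit administrator unlock (done through the SCIM API on the appliance)."""
    user.locked_until, user.retry_count = None, 0


if __name__ == "__main__":
    u = UserRecord()
    for q, a in (("pet", "Rex"), ("teacher", "Mrs. Smith"), ("maiden", "Jones")):
        register(u, q, a)
    print(u.answers["pet"])                                         # a hex digest, not "rex"
    print(validate(u, {"pet": " REX ", "teacher": "mrs. smith"}, now=0.0))   # success
```

Two points the model makes visible: with the default Maximum Amount of Grace Period Authentications of 0 a user who has not registered answers cannot pass this mechanism at all, and a Retry Timeout of -1 leaves the record locked on every later attempt until admin_unlock runs, which is the behaviour the SCIM unlock exists for.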
What to do next
When configuring the mechanism, a message indicates that changes are not deployed. Deploy them. See Deploying pending changes.