Configure a Knowledge Questions authentication mechanism

The Knowledge Questions authentication mechanism is an extra step-up authentication measure that uses knowledge questions and answers to authenticate the user.

The user must register answers to the knowledge questions the mechanism uses during authentication.

The mechanism requires users to provide personal information to successfully authenticate. We can use the Knowledge Questions authentication mechanism:

• With user ID and password authentication to provide two-factor authentication.
• As a step-up authentication method when the user accesses a high-value resource or performs a high-value transaction.

The administrator can configure the mechanism to provide a predetermined list of knowledge questions, or the user can specify and register their own knowledge questions. Typical knowledge questions about the user might include:

• Mother's maiden name.
• Name of first grade teacher.
• Name of favorite pet.

Steps

1. Log in to the local management interface.
2. Click AAC.

3. Under Policy, click Authentication.

4. Click Mechanisms.

5. Click Knowledge Questions.

6. Click .

7. Click the Properties tab.

   1. Select a property to configure.

   2. Click .

   3. Enter the value for that property.

   4. Click OK.

8. Take note of the properties for the mechanism.

   Allow User Provided Questions

   Specify true to specify custom questions as opposed to pre-configured questions.

   Default value: true

   Valid values: Boolean

   Answer Hashing Algorithm

   Specify this property to indicate the hashing algorithm the appliance uses to store the knowledge questions for each user.

   Default value: SHA-256 Valid values include the following string values:

   • SHA-1
   • SHA-256
   • SHA-512

   Answer Hashing Enabled

   The mechanism uses a hashing algorithm to store hash values of the answers to the knowledge questions provided by the user instead of storing the actual answers to the knowledge questions. This prevents the administrator from reading the knowledge question answers for the user. Specify False so that the mechanism does not hash the question answer before it stores it.

   Default value: true

   Valid values: Boolean

   Correct Answers Required

   Specify the number of correct answers required for the authentication to be successful.

   Default value: 1

   Valid values: Any positive integer that does not exceed the number of questions that are stored per user.

   Retry Count Attribute Name

   Specify the number of times that a user can submit invalid answers to the knowledge questions. When the user reaches this number, they are unable to authenticate.

   Default value: user:knowledge:questions:retry:count

   Valid values: String

   Grace Period Authentication Count Attribute Name

   Specify the name of the attribute used to record the number of times the user has authenticated during the grace period. The number of times the user has authenticated during the grace period is stored in the user information database. The mechanism does not require the user to authenticate during the grace period.

   Default value: user:knowledge:questions:grace:period:count

   Valid values: String

   Maximum Amount of Answers Stored

   Specify the maximum number of question and answer combinations the mechanism can store for each user.

   Default value: 3

   Valid values: Any positive integer.

   Maximum Amount of Grace Period Authentications

   Specify the maximum number of user authentications the mechanism permits during the grace period. The mechanism does not require the user to configure knowledge questions during the grace period.

   Default value: 0

   Valid values: Any positive integer.

   Presentation Mode

   Specify Individual so the mechanism presents one knowledge question at a time. When we specify Group, the mechanism presents all of the knowledge questions in one form.

   Default value: Group

   Presentation Order

   Specify Sequential so the mechanism presents the questions in the order they are stored. When we specify Random, the mechanism presents the questions in random order.

   Default value: Random

   Questions Attribute Name

   Specify the name of the attribute used to store the user knowledge questions in the user information database.

   Default value: user:knowledge:questions

   Valid values: String

   Retry Protection Enabled

   Specify false to disable retry protection.

   Default value: true

   Valid values: Boolean

   Retry Protection Max Number Of Attempts

   Specify the maximum number of times that a user can supply incorrect answers before the mechanism prohibits the user from logging in.

   Default value: 5

   Valid values: Integer

   Retry Timeout

   Specify the number of seconds that a user must wait before trying to log in again after the user reaches the maximum number of login attempts. If a value of -1 is entered the user is locked out indefinitely until an administrator explicitly unlocks the user with the SCIM API.

   Default value: 600

   Valid values: Integer

   Use Exact Answer Matching

   Specify true so the mechanism performs an exact match when it validates the submitted answer.

   Default value: false

   Valid values: Boolean

   User Attributes Namespace

   Specify the namespace to be used to store all of the user attributes that are related to the Knowledge Questions authentication mechanism that are stored in the user information database.

   Default value: urn:ibm:security:authentication:asf:mechanism:knowledge_questions

   Valid values: String

9. Click Save.

What to do next

When configuring the mechanism, a message indicates that changes are not deployed. Deploy them. See Deploying pending changes.

Parent topic: Authentication

Related reference

• Authentication policy parameters and credentials