Configure a Knowledge Questions authentication mechanism

The Knowledge Questions authentication mechanism is an extra step-up authentication measure that uses knowledge questions and answers to authenticate the user.

The user must register answers to the knowledge questions the mechanism uses during authentication.

The mechanism requires users to provide personal information to successfully authenticate. We can use the Knowledge Questions authentication mechanism:

The administrator can configure the mechanism to provide a predetermined list of knowledge questions, or the user can specify and register their own knowledge questions. Typical knowledge questions about the user might include:

Steps

  1. Log in to the local management interface.
  2. Click AAC.

  3. Under Policy, click Authentication.

  4. Click Mechanisms.

  5. Click Knowledge Questions.

  6. Click Modify.

  7. Click the Properties tab.

    1. Select a property to configure.

    2. Click Modify.

    3. Enter the value for that property.

    4. Click OK.

  8. Take note of the properties for the mechanism.

      Allow User Provided Questions
      Specify true to let users define and register their own questions instead of choosing from the pre-configured list.

      Default value: true

      Valid values: Boolean

      Answer Hashing Algorithm
      Specify the hashing algorithm that the appliance uses to hash the answers to the knowledge questions before it stores them for each user.

      Default value: SHA-256

      Valid values include the following string values:

      • SHA-1
      • SHA-256
      • SHA-512

      Answer Hashing Enabled
      When enabled, the mechanism stores hash values of the answers that the user provides instead of the answers themselves, so an administrator cannot read the user's answers from the database. Specify false so that the mechanism stores each answer without hashing it.

      Default value: true

      Valid values: Boolean

      Correct Answers Required
      Specify the number of correct answers required for the authentication to be successful.

      Default value: 1

      Valid values: Any positive integer that does not exceed the number of questions that are stored per user.

      Retry Count Attribute Name
      Specify the name of the attribute used to record the number of times that a user has submitted invalid answers to the knowledge questions. When this count reaches the configured maximum, the user is unable to authenticate.

      Default value: user:knowledge:questions:retry:count

      Valid values: String

      Grace Period Authentication Count Attribute Name
      Specify the name of the attribute used to record the number of times the user has authenticated during the grace period. The number of times the user has authenticated during the grace period is stored in the user information database. The mechanism does not require the user to authenticate during the grace period.

      Default value: user:knowledge:questions:grace:period:count

      Valid values: String

      Maximum Amount of Answers Stored
      Specify the maximum number of question and answer combinations the mechanism can store for each user.

      Default value: 3

      Valid values: Any positive integer.

      Maximum Amount of Grace Period Authentications
      Specify the maximum number of user authentications the mechanism permits during the grace period. The mechanism does not require the user to configure knowledge questions during the grace period.

      Default value: 0

      Valid values: Any positive integer.

      Presentation Mode
      Specify Individual so the mechanism presents one knowledge question at a time. Specify Group so the mechanism presents all of the knowledge questions in one form.

      Default value: Group

      Presentation Order
      Specify Sequential so the mechanism presents the questions in the order in which they are stored. Specify Random so the mechanism presents the questions in random order.

      Default value: Random

      Questions Attribute Name
      Specify the name of the attribute used to store the user knowledge questions in the user information database.

      Default value: user:knowledge:questions

      Valid values: String

      Retry Protection Enabled
      Specify false to disable retry protection.

      Default value: true

      Valid values: Boolean

      Retry Protection Max Number Of Attempts
      Specify the maximum number of times that a user can supply incorrect answers before the mechanism prohibits the user from logging in.

      Default value: 5

      Valid values: Integer

      Retry Timeout
      Specify the number of seconds that a user must wait before trying to log in again after reaching the maximum number of login attempts. If a value of -1 is entered, the user is locked out indefinitely until an administrator explicitly unlocks the user with the SCIM API.

      Default value: 600

      Valid values: Integer

      Use Exact Answer Matching
      Specify true so the mechanism performs an exact match when it validates the submitted answer.

      Default value: false

      Valid values: Boolean

      User Attributes Namespace
      Specify the namespace under which all user attributes related to the Knowledge Questions authentication mechanism are stored in the user information database.

      Default value: urn:ibm:security:authentication:asf:mechanism:knowledge_questions

      Valid values: String

  9. Click Save.
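The properties above interact: the answer matching mode decides what is hashed, the hashing algorithm decides what is stored, and the retry properties decide when a user is locked out. The following model is an added example written for this page, not code from the appliance, and it assumes a normalization rule for non-exact matching (case folding and whitespace collapsing) that the page does not specify; the property names and default values are the page's own, while the class, function names and the fake clock are constructed for illustration.

```python
import hashlib
import hmac
import time
import unicodedata

# Constructed model of the mechanism's properties; names follow the page, values are its defaults
PROPERTIES = {
    "answer_hashing_enabled": True,
    "answer_hashing_algorithm": "SHA-256",   # valid values: SHA-1, SHA-256, SHA-512
    "correct_answers_required": 1,
    "max_answers_stored": 3,
    "use_exact_answer_matching": False,
    "retry_protection_enabled": True,
    "retry_max_attempts": 5,
    "retry_timeout": 600,                    # seconds; -1 = locked until an administrator unlocks
}

# Map the page's algorithm names onto hashlib names
HASH_NAMES = {"SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def normalize(answer, exact):
    """Canonical form of an answer. Assumption: non-exact matching folds case and
    collapses whitespace; the page does not state the real rules."""
    if exact:
        return answer
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def store_answer(props, answer):
    """Value the mechanism keeps for an answer: the normalized text, hashed if enabled.
    Normalization must happen before hashing, otherwise 'Rex' and 'rex' never match."""
    canon = normalize(answer, props["use_exact_answer_matching"])
    if not props["answer_hashing_enabled"]:
        return canon
    algo = HASH_NAMES[props["answer_hashing_algorithm"]]
    return hashlib.new(algo, canon.encode("utf-8")).hexdigest()


class KnowledgeQuestionUser:
    """Per-user state: stored questions, retry count and lockout (hypothetical class)."""

    def __init__(self, props, now=time.time):
        self.props = props
        self.now = now                # injectable clock so lockout expiry can be tested
        self.questions = []           # list of (question, stored answer value)
        self.retry_count = 0          # what the Retry Count Attribute would hold
        self.locked_until = None      # None = not locked; float('inf') = admin unlock required

    def register(self, question, answer):
        """Store a question/answer pair; refuse once Maximum Amount of Answers Stored is hit."""
        if len(self.questions) >= self.props["max_answers_stored"]:
            return False
        self.questions.append((question, store_answer(self.props, answer)))
        return True

    def is_locked(self):
        return self.locked_until is not None and self.now() < self.locked_until

    def admin_unlock(self):
        """Models the administrator unlock the page mentions for Retry Timeout = -1."""
        self.retry_count = 0
        self.locked_until = None

    def authenticate(self, submitted):
        """submitted maps question text to the user's answer. Returns True on success."""
        p = self.props
        if p["retry_protection_enabled"] and self.locked_until is not None:
            if self.now() < self.locked_until:
                return False
            # Assumption: an expired timeout gives the user a fresh set of attempts
            self.retry_count = 0
            self.locked_until = None
        correct = 0
        for question, stored in self.questions:
            if question not in submitted:
                continue
            candidate = store_answer(p, submitted[question])
            # constant-time comparison of the stored and submitted values
            if hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8")):
                correct += 1
        if correct >= p["correct_answers_required"]:
            self.retry_count = 0
            return True
        if p["retry_protection_enabled"]:
            self.retry_count += 1
            if self.retry_count >= p["retry_max_attempts"]:
                if p["retry_timeout"] == -1:
                    self.locked_until = float("inf")
                else:
                    self.locked_until = self.now() + p["retry_timeout"]
        return False
```

Two points worth noting from running this. With Use Exact Answer Matching left at its default of false, the normalization step is what makes a case-different answer verify, because the digest of the raw string would differ; with it set to true the same submission fails. Hashing hides the literal answer from anyone who reads the user database, but an unsalted digest of a short, low-entropy answer is still recoverable by dictionary guessing, so treat Answer Hashing Enabled as a privacy measure and keep Retry Protection Enabled as the control that actually limits guessing.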


What to do next

After you save the mechanism configuration, a message indicates that the changes are not yet deployed. Deploy them. See Deploying pending changes.
