Knowledge-based authentication (KBA), also known as question-and-answer (Q&A) authentication, allows a user to authenticate to an application through Identity as a Service by providing the correct answers to one or more preregistered questions. The set of questions and answers a user enrols is referred to as a knowledge-based authenticator (also abbreviated KBA).
KBA can be used to complete first-factor or second-factor authentication challenges when authenticating to applications. If the resource rule of an application is configured to require KBA as the first-factor authenticator, the second factor must be set to None.
You can select a number of authentication secrets or facts for each user and prompt for all answers or just a subset. Using KBA, Identity as a Service has the ability to:
store and update personal answers to the questions chosen by users.
save challenge questions until successful completion of all questions in the challenge (this is called challenge retention).
lock out a user based on a configured number of failed attempts.
set the maximum number of questions presented to a user during authentication.
set the number of questions that a user can answer incorrectly (if any) and still pass authentication.
randomly present a subset of questions for the user from the stored question set.
Identity as a Service accounts have a default system-defined list of questions. A user can include answers to any of these questions when assigning a KBA to their account. The personalized answers ensure that only the user is likely to respond correctly. The answers are stored in encrypted form in the Identity as a Service repository.
Additional questions can be added to the list of those available on an Identity as a Service account. These are known as administrator-defined questions.
Only one KBA can be added by a user to their own list of authenticators on the User portal. A user cannot create a KBA that includes the following:
Fewer answers to questions than the minimum number defined by the Maximum Q&A Challenge Size setting of your Identity as a Service account (a user must enrol at least as many Q&A pairs as the largest challenge that can be presented)
More answers to questions than the maximum number defined by the Maximum Number of Q&A Pairs setting of your Identity as a Service account
Identical answers
To configure Identity as a Service for KBA, complete the following tasks:
Create a list of questions and answers for users to select using the following criteria as a guideline:
Organizations are subject to legislation and regulations relating to the collection, storage, control, and handling of personal information.
It is prudent to avoid personal information when building a knowledge-based authentication system.
Construct the information collected for question-and-answer sets so that it is used exclusively for authentication purposes.
Construct questions so that the answers are difficult to obtain or guess.
For privacy reasons, answers should not include personal information such as names, family histories and birth dates. Identity thieves regularly find or steal personal information.
Avoid questions that have a limited number of realistic answers. For example, What is my eye color? would not require many attempts to guess a correct answer.
Users should not save their questions and answers to an electronic file on their computers or portable devices. An attacker could use the answers in the file to impersonate the user.
Users should not write their questions and answers on a physical medium (such as paper) where someone else can find the answers. An attacker could memorize or steal the answers to impersonate the user.
Educate users on appropriate knowledge-based questions and answers to prevent users from exposing their authentication data to an attacker, both physically and electronically.
Knowledge-based authentication must be simple and easy for users to use.
The questions should apply to every one of your users. For example, the question What is the name of my first pet? only applies to pet owners.
An answer must be easily recalled for the question to be useful. Questions that reflect a user's habits, regular activities, or practices generally meet these criteria.
Answers need to remain constant for the question to be of value. Questions that prompt for a “favorite” may have different responses over time, while those that ask for a “first” should not change.
A user must be able to enter a correct response each time.
Selecting a set of questions
A common practice is to have users create several question-and-answer pairs during the enrollment process. Then you use a randomly selected subset of those questions for subsequent knowledge-based authentication (KBA).
Although you may require the user to select and answer only a few questions during authentication, it is recommended that you have a large selection of questions available. This increases the odds that each user will find an appropriate set of questions and it increases the system’s resistance to attack by making it more difficult for an attacker to anticipate a given user’s questions.
It is recommended that a user enter a minimum of five answers, thereby including five question-and-answer pairs in their KBA.
Setting the challenge size
You can configure the number of questions to be presented based on the type of access or transaction the user requires. For example, access to a company information portal could require two questions while access to an online investment site could require four questions. It is recommended that a user answer at least three questions.
You can set the minimum and maximum number of required questions. See Modify knowledge-based authentication settings for more information. Once complete, set the exact number of questions for your SAML applications from the resource rule authentication decision settings. Your application must present a number of questions between the minimum and maximum, and take into account the number of wrong answers allowed (if applicable).
Customize your account KBA settings (see Modify KBA settings).
Customize your resource rules to permit use of KBA as required (see Create resource rules).
Prompt each user to assign a knowledge-based authenticator to their list of authenticators from the User portal. See the Identity as a Service User Help for information on managing KBAs from the User Portal.
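The following is an added example, not Identity as a Service code, that models the KBA policy described above in one place: the enrolment limits (Maximum Number of Q&A Pairs, Maximum Q&A Challenge Size, no identical answers), a randomly selected challenge that is retained until it is passed, the allowed number of wrong answers, lockout after a configured number of failed attempts, and the guessing-resistance point made in the question guidelines. The class names, setting names used as parameters, default values and the sample questions are assumptions of this example; salted PBKDF2 hashes stand in for the product's encrypted answer storage, which is also an assumption.

```python
"""Toy KBA policy engine (added example; not Identity as a Service code)."""
import hashlib
import hmac
import math
import os
import secrets
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 50_000  # assumption; the product's storage details are not on the page


@dataclass
class KbaSettings:
    """Account-level settings named in the text; the defaults are assumptions."""
    max_qa_pairs: int = 10          # Maximum Number of Q&A Pairs
    max_challenge_size: int = 5     # Maximum Q&A Challenge Size; also the fewest pairs a user may enrol
    min_challenge_size: int = 2     # fewest questions a resource rule may present
    wrong_answers_allowed: int = 0  # incorrect answers that still pass a challenge
    max_failed_attempts: int = 3    # failed challenges before the user is locked out


def normalize(answer: str) -> str:
    """Compare answers case- and whitespace-insensitively, so 'Main St' == ' main  st'."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)


def guesser_pass_probability(n_questions: int, wrong_allowed: int, p_guess: float, attempts: int) -> float:
    """Probability that someone guessing each answer with probability p_guess
    (1/6 for 'What is my eye color?') passes a challenge of n_questions that
    tolerates wrong_allowed misses, given `attempts` tries before lockout.
    Per try this is a binomial tail; across tries it is 1 - P(every try fails)."""
    need = n_questions - wrong_allowed
    per_try = sum(math.comb(n_questions, k) * p_guess ** k * (1 - p_guess) ** (n_questions - k)
                  for k in range(need, n_questions + 1))
    return 1 - (1 - per_try) ** attempts


class KbaAuthenticator:
    """One user's knowledge-based authenticator under a resource rule's challenge size."""

    def __init__(self, settings: KbaSettings, questions_per_challenge: int):
        s = settings
        if not s.min_challenge_size <= questions_per_challenge <= s.max_challenge_size:
            raise ValueError("resource rule challenge size must lie between the account minimum and maximum")
        if s.wrong_answers_allowed >= questions_per_challenge:
            raise ValueError("wrong answers allowed must leave at least one answer that has to be correct")
        self.settings = s
        self.n = questions_per_challenge
        self.store: dict[str, tuple[bytes, bytes]] = {}   # question -> (salt, digest)
        self.challenge: Optional[list[str]] = None          # retained until passed
        self.failed_attempts = 0
        self.locked = False

    def enroll(self, qa_pairs: dict[str, str]) -> None:
        s = self.settings
        if len(qa_pairs) < s.max_challenge_size:
            raise ValueError(f"need at least {s.max_challenge_size} Q&A pairs (Maximum Q&A Challenge Size)")
        if len(qa_pairs) > s.max_qa_pairs:
            raise ValueError(f"at most {s.max_qa_pairs} Q&A pairs allowed (Maximum Number of Q&A Pairs)")
        answers = [normalize(a) for a in qa_pairs.values()]
        if any(not a for a in answers):
            raise ValueError("empty answer")
        if len(set(answers)) != len(answers):
            raise ValueError("identical answers are not allowed")
        for question, answer in qa_pairs.items():
            salt = os.urandom(16)
            self.store[question] = (salt, hash_answer(answer, salt))

    def new_challenge(self) -> list[str]:
        """Random subset of the stored questions. Challenge retention: an open
        challenge is reused, so a caller cannot re-roll until an easy subset appears."""
        if self.challenge is None:
            self.challenge = secrets.SystemRandom().sample(sorted(self.store), self.n)
        return list(self.challenge)

    def verify(self, answers: dict[str, str]) -> bool:
        if self.locked:
            return False
        if self.challenge is None:
            raise RuntimeError("call new_challenge() first")
        wrong = 0
        for question in self.challenge:
            salt, digest = self.store[question]
            given = hash_answer(answers.get(question, ""), salt)
            if not hmac.compare_digest(given, digest):  # constant-time comparison
                wrong += 1
        if wrong <= self.settings.wrong_answers_allowed:
            self.challenge = None        # completed: the next login draws a fresh subset
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.settings.max_failed_attempts:
            self.locked = True
        return False
```

With the defaults above and a three-question challenge that tolerates one wrong answer, `guesser_pass_probability(3, 1, 1/6, 1)` is 16/216, about 7.4 percent per attempt for an eye-colour style question set, which is why the guidelines steer away from questions with few realistic answers and why the wrong-answer allowance and lockout threshold should be set together.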
To manage knowledge-based authenticators, your role must include User Knowledge-based Authenticator Management permissions.
Topics in this section:
Create and manage KBA questions