Knowledge-based authentication (KBA) allows a user to authenticate to an application account using Identity as a Service. There are three parts to setting up knowledge-based authentication:
● Customize the General settings (as described below)
● Create and manage questions for users
Complete the following steps, as required to customize knowledge-based authentication for your users.
Modify knowledge-based authenticator general settings
1. Click > Policies > Authenticators.
2. Select Knowledge-Based Authenticator. The Knowledge-Based Authenticator page appears.
3. Set the Maximum Number of Q&A Pairs (the maximum number of paired questions and answers Identity as a Service stores for a user). A setting of 0 disables knowledge-based authentication.
4. Set the Maximum Response Size to the number of characters a response can contain, to a maximum of 255.
5. Set the Default Q&A Challenge Size to the default number of questions the application presents to users during a KBA challenge.
Note: The Knowledge-based Authentication settings of a resource rule can override this value. If so, the value entered in the resource rule must be greater than or equal to the Minimum Q&A Challenge Size and less than or equal to the Maximum Q&A Challenge Size.
6. Set the Minimum Q&A Challenge Size to the minimum number of questions presented to users during a KBA challenge.
The number must be greater than 0 and less than or equal to the number set in the Default Q&A Challenge Size.
7. Set the Maximum Q&A Challenge Size to the maximum number of questions presented to users during a KBA challenge.
The number must be greater than or equal to the number set in the Default Q&A Challenge Size setting.
Note: Setting Maximum Q&A Challenge Size to a value greater than Minimum Q&A Challenge Size allows you to modify a resource rule Q&A Challenge Size.
8. Do one of the following:
● Select Disable Challenge Retention to replace the challenge (namely, the set of questions) each time a challenge is requested. Users who answer a challenge incorrectly will have a new challenge presented to them for the next attempt.
– or –
● Deselect Disable Challenge Retention if you want to retain the challenge for the duration of the Q&A Challenge Lifetime. Users who answer a challenge incorrectly will have the same challenge presented to them for all subsequent attempts until they are locked out or until the challenge lifetime is exceeded. After the challenge lifetime is exceeded, a new challenge is presented.
9. Set the Q&A Challenge Lifetime in Seconds to the set number of seconds the user has to respond to the KBA challenge. If a user fails to respond within the lifetime, a new set of questions appears.
10. Select Update Lockout Count for Replaced Challenge if you want to increase the lockout count when a Q&A challenge is replaced because
● A user does not answer a question within the Q&A challenge lifetime
● A user restarts the client application without answering the question
Note: The lockout count always increases when a user enters an incorrect challenge response, regardless of how this setting is configured.
11. Set the Default Number of Wrong Answers Allowed to a value less than or equal to the Maximum Number of Wrong Answers Allowed. A value of 0 means that no wrong answers are allowed.
Note: A resource rule can override this value. If so, the value entered in the resource rule must be less than or equal to the Maximum Number of Wrong Answers Allowed and less than the Q&A Minimum Challenge Size of the resource rule.
12. Set the Maximum Number of Wrong Answers Allowed. This is the upper limit a resource rule can use when it overrides the Default Number of Wrong Answers Allowed.
The value must be less than the number of questions presented, and greater than or equal to the Default Number of Wrong Answers Allowed setting.
A value of 0 means that all questions must be answered correctly.
13. Select Inexact Match Allowed for an Answer to allow a user to enter an answer that is not an exact match but matches one of the variations included in the word map file.
14. Click Save.
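The steps above leave several settings that must stay in a fixed order (minimum, default and maximum challenge size; wrong-answer allowances below the question count; resource-rule overrides inside those bounds; when the lockout count moves). The following is an added example, not Identity as a Service code: a small validator that encodes those rules so a proposed policy can be checked before it is saved. The class and field names are assumptions that mirror the UI labels, and the sample values are constructed.

```python
"""Consistency checks for knowledge-based authenticator (KBA) settings.

Added example, not Identity as a Service code. It encodes the ordering rules
stated in the configuration steps so a policy can be checked before Save.
Class and field names are assumptions that mirror the UI labels.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class KbaGeneralSettings:
    max_qa_pairs: int                 # Maximum Number of Q&A Pairs; 0 disables KBA
    max_response_size: int            # characters per answer, at most 255
    default_challenge_size: int       # questions asked unless a resource rule overrides
    min_challenge_size: int
    max_challenge_size: int
    challenge_lifetime_seconds: int
    default_wrong_answers: int        # 0 = every question must be answered correctly
    max_wrong_answers: int            # ceiling a resource rule may override up to
    disable_challenge_retention: bool = False
    update_lockout_on_replaced: bool = False
    inexact_match_allowed: bool = False


@dataclass
class KbaResourceRule:
    """Per-resource overrides (assumed shape); None means 'use the general default'."""
    name: str
    challenge_size: Optional[int] = None
    wrong_answers_allowed: Optional[int] = None


def validate_general(s: KbaGeneralSettings) -> List[str]:
    """Return the violated constraints; an empty list means the settings are consistent."""
    errors: List[str] = []
    if s.max_qa_pairs < 0:
        errors.append("Maximum Number of Q&A Pairs cannot be negative")
    if not 1 <= s.max_response_size <= 255:
        errors.append("Maximum Response Size must be between 1 and 255 characters")
    if s.min_challenge_size <= 0:
        errors.append("Minimum Q&A Challenge Size must be greater than 0")
    if s.min_challenge_size > s.default_challenge_size:
        errors.append("Minimum Q&A Challenge Size exceeds Default Q&A Challenge Size")
    if s.max_challenge_size < s.default_challenge_size:
        errors.append("Maximum Q&A Challenge Size is below Default Q&A Challenge Size")
    if s.challenge_lifetime_seconds <= 0:
        errors.append("Q&A Challenge Lifetime in Seconds must be positive")
    if s.default_wrong_answers < 0 or s.max_wrong_answers < 0:
        errors.append("Wrong-answer allowances cannot be negative")
    if s.default_wrong_answers > s.max_wrong_answers:
        errors.append("Default Number of Wrong Answers Allowed exceeds the maximum allowed")
    # The limit must stay below the number of questions presented; the smallest
    # challenge that can ever be presented is the minimum size, so compare to that.
    if s.max_wrong_answers >= s.min_challenge_size:
        errors.append("Maximum Number of Wrong Answers Allowed must be less than the questions presented")
    return errors


def validate_resource_rule(s: KbaGeneralSettings, rule: KbaResourceRule) -> List[str]:
    """Check a rule's overrides against the general settings (notes on steps 5, 7 and 11)."""
    errors: List[str] = []
    size = s.default_challenge_size
    if rule.challenge_size is not None:
        if s.max_challenge_size <= s.min_challenge_size:
            errors.append(f"{rule.name}: challenge size cannot be overridden unless max > min")
        elif not s.min_challenge_size <= rule.challenge_size <= s.max_challenge_size:
            errors.append(f"{rule.name}: challenge size must lie between the minimum and maximum")
        else:
            size = rule.challenge_size
    if rule.wrong_answers_allowed is not None:
        if rule.wrong_answers_allowed > s.max_wrong_answers:
            errors.append(f"{rule.name}: wrong answers allowed exceeds the general maximum")
        if rule.wrong_answers_allowed >= size:
            errors.append(f"{rule.name}: wrong answers allowed must be less than the challenge size")
    return errors


def lockout_increment(s: KbaGeneralSettings, event: str) -> int:
    """Lockout-count change for one event (step 10 and its note)."""
    if event == "wrong_answer":
        return 1  # always counted, whatever the replaced-challenge setting is
    if event in ("lifetime_expired", "client_restart"):
        return 1 if s.update_lockout_on_replaced else 0
    raise ValueError(f"unknown event {event!r}")


def with_changes(s: KbaGeneralSettings, **changes) -> KbaGeneralSettings:
    """Copy of the settings with some fields altered, for what-if checks."""
    return replace(s, **changes)


# Constructed sample values for a tenant; not taken from the page.
SAMPLE = KbaGeneralSettings(
    max_qa_pairs=5, max_response_size=64,
    default_challenge_size=3, min_challenge_size=2, max_challenge_size=5,
    challenge_lifetime_seconds=120,
    default_wrong_answers=1, max_wrong_answers=1,
    update_lockout_on_replaced=True,
)

if __name__ == "__main__":
    print("general:", validate_general(SAMPLE) or "ok")
    print("rule:", validate_resource_rule(SAMPLE, KbaResourceRule("vpn", challenge_size=4)) or "ok")
    print("lockout on restart:", lockout_increment(SAMPLE, "client_restart"))
```

The wrong-answer ceiling is compared against the minimum challenge size rather than the default, because a resource rule may legitimately present only the minimum number of questions and the allowance must still be below whatever is presented.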