Managing knowledge-based authenticators

Knowledge-based authentication (KBA) allows you to authenticate by answering one or more questions. Identity as a Service provides a default, system-defined list of questions. Depending on how your administrator has configured KBA, you must answer a minimum number of questions. The personalized answers ensure that only you are likely to respond correctly. Your answers are stored in encrypted form in a repository.

KBA can be used to complete first-factor authentication challenges when logging in to Identity as a Service. Depending on how your account resource rules are configured, you can also use it to complete first or second-factor authentication challenges to SAML applications.

Add knowledge-based authenticator

You can only add one knowledge-based authenticator (KBA) to your account. When you answer a question, the question becomes available to you as an option during a KBA challenge. Unanswered questions are not included in KBA challenges. If you want to start over after saving your KBA, you must first delete the existing one before you can add a new one.

Complete the following procedure to add a KBA to your list of authenticators.

Add knowledge-based authenticator

1. Click > My Profile. The My Profile page appears.

2. Click the Authenticators tab. The Authenticators page appears.

3. Click . A drop-down list of available authenticators appears.

4. Select Knowledge-based Authenticator. The Add Knowledge-based Authenticator dialog box appears.

At the top of the dialog box, a message appears telling you the minimum number of questions that you must answer. For example, you may be required to answer 5 questions, but the KBA dialog box has 10 questions that you can answer. The minimum and maximum number of questions are set by your administrator.

5. Enter an answer for at least the minimum number of required questions.

6. Click Save. The Authenticators page now includes your Knowledge-based Authenticator.

Manage knowledge-based authenticators

Update or delete a KBA

1. Click > My Profile. The My Profile page appears.

2. Click the Authenticators tab. The Authenticators page appears.

3. Click next to the Knowledge-based Authenticator that you want to change. A drop-down list appears. Choose one of the following options, as required:

4. To update a KBA, do the following:

a. Click Update. The Update Knowledge-based Authenticator page appears.

b. Do one of the following:

– Select a new question from the drop-down list and provide an answer.

– To keep the question, but change the answer, click the answer and type a new one.

Tip: Click to see the current and new answer.

5. Click Save.

6. To delete a KBA, do the following:

a. Click Delete from the drop-down list.

b. Click Delete on the confirmation prompt.