Configuring a Knowledge Questions authentication mechanism

The Knowledge Questions authentication mechanism is an extra step-up authentication measure that uses knowledge questions and answers to authenticate the user.

Before you begin

The user must register answers to the knowledge questions that the mechanism uses during authentication.

About this task

The mechanism requires users to provide personal information to successfully authenticate. You can use the Knowledge Questions authentication mechanism:
  • With user ID and password authentication to provide two-factor authentication.
  • As a step-up authentication method when the user accesses a high-value resource or performs a high-value transaction.
The administrator can configure the mechanism to provide a predetermined list of knowledge questions, or the user can specify and register their own knowledge questions. Typical knowledge questions about the user might include:
  • Mother's maiden name.
  • Name of first grade teacher.
  • Name of favorite pet.

Procedure

  1. Log in to the local management interface.
  2. Click AAC.
  3. Under Policy, click Authentication.
  4. Click Mechanisms.
  5. Click Knowledge Questions.
  6. Click Modify.
  7. Click the Properties tab.
    1. Select a property that you want to configure.
    2. Click Modify.
    3. Enter the value for that property.
    4. Click OK.
  8. Take note of the properties for the mechanism.
    Allow User Provided Questions
    Specify true to allow users to register their own custom questions instead of the pre-configured questions.

    Default value: true

    Valid values: Boolean

    Answer Hashing Algorithm
    Specify this property to indicate the hashing algorithm that the appliance uses when it stores the answers to the knowledge questions for each user.

    Default value: SHA-256

    Valid values include the following string values:
    • SHA-1
    • SHA-256
    • SHA-512

    Answer Hashing Enabled
    The mechanism uses a hashing algorithm to store hash values of the answers to the knowledge questions provided by the user instead of storing the actual answers. This prevents the administrator from reading the user's knowledge question answers. Specify false so that the mechanism does not hash the answer before it stores it.

    Default value: true

    Valid values: Boolean

    Correct Answers Required
    Specify the number of correct answers that is required for the authentication to be successful.

    Default value: 1

    Valid values: Any positive integer that does not exceed the number of questions that are stored per user.

    Retry Count Attribute Name
    Specify the name of the attribute that is used to record the number of times that a user has submitted invalid answers to the knowledge questions. When the user reaches the maximum number of attempts, they are unable to authenticate.

    Default value: user:knowledge:questions:retry:count

    Valid values: String

    Grace Period Authentication Count Attribute Name
    Specify the name of the attribute that is used to record the number of times the user has authenticated during the grace period. The number of times that the user has authenticated during the grace period is stored in the user information database. The mechanism does not require the user to authenticate during the grace period.

    Default value: user:knowledge:questions:grace:period:count

    Valid values: String

    Maximum Amount of Answers Stored
    Specify the maximum number of question and answer combinations that the mechanism can store for each user.

    Default value: 3

    Valid values: Any positive integer.

    Maximum Amount of Grace Period Authentications
    Specify the maximum number of user authentications that the mechanism permits during the grace period. The mechanism does not require the user to configure knowledge questions during the grace period.

    Default value: 0

    Valid values: Any positive integer.

    Presentation Mode
    Specify Individual so that the mechanism presents one knowledge question at a time. When you specify Group, the mechanism presents all of the knowledge questions in one form.

    Default value: Group

    Presentation Order
    Specify Sequential so that the mechanism presents the questions in the order that they are stored. When you specify Random, the mechanism presents the questions in random order.

    Default value: Random

    Questions Attribute Name
    Specify the name of the attribute that is used to store the user knowledge questions in the user information database.

    Default value: user:knowledge:questions

    Valid values: String

    Retry Protection Enabled
    Specify false to disable retry protection.

    Default value: true

    Valid values: Boolean

    Retry Protection Max Number Of Attempts
    Specify the maximum number of times that a user can supply incorrect answers before the mechanism prohibits the user from logging in.

    Default value: 5

    Valid values: Integer

    Retry Timeout
    Specify the number of seconds that a user must wait before trying to log in again after the user reaches the maximum number of login attempts.
    Note: If a value of -1 is entered, the user is locked out indefinitely until an administrator explicitly unlocks the user with the SCIM API.

    Default value: 600

    Valid values: Integer

    Use Exact Answer Matching
    Specify true so that the mechanism performs an exact match when it validates the submitted answer.

    Default value: false

    Valid values: Boolean

    User Attributes Namespace
    Specify the namespace to be used to store all of the user attributes that are related to the Knowledge Questions authentication mechanism that are stored in the user information database.

    Default value: urn:ibm:security:authentication:asf:mechanism:knowledge_questions

    Valid values: String

  9. Click Save.
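The properties above interact: because only a digest of each answer is stored, non-exact matching has to normalize the answer the same way at registration and at verification, and retry protection with Retry Timeout (including the -1 indefinite lockout) gates every check. The following Python model is added here to show those interactions; it is not the appliance's own code, and the configuration keys, the normalization rule, and the sample answers are assumptions.

```python
import hashlib
import hmac
import time

# Assumed model of the mechanism properties described on this page.
CONFIG = {
    "answer_hashing_algorithm": "SHA-256",   # SHA-1, SHA-256 or SHA-512
    "answer_hashing_enabled": True,
    "use_exact_answer_matching": False,
    "correct_answers_required": 2,
    "retry_protection_enabled": True,
    "retry_protection_max_attempts": 5,
    "retry_timeout": 600,                    # seconds; -1 = locked until an admin unlocks
}

def normalize(answer, exact):
    # A stored hash cannot be compared fuzzily, so when exact matching is off the
    # answer is case-folded and whitespace-collapsed before hashing on both sides.
    return answer if exact else " ".join(answer.split()).lower()

def store_answer(answer, cfg=CONFIG):
    """Value kept in the user store for one answer (digest, or plain text if hashing is off)."""
    a = normalize(answer, cfg["use_exact_answer_matching"])
    if not cfg["answer_hashing_enabled"]:
        return a
    algo = cfg["answer_hashing_algorithm"].replace("-", "").lower()  # "SHA-256" -> "sha256"
    return hashlib.new(algo, a.encode("utf-8")).hexdigest()

def verify(stored, submitted, state, cfg=CONFIG, now=None):
    """Return 'ok', 'denied' or 'locked'; `state` carries the per-user retry counters."""
    now = time.time() if now is None else now
    max_attempts = cfg["retry_protection_max_attempts"]
    if cfg["retry_protection_enabled"] and state.get("failures", 0) >= max_attempts:
        if cfg["retry_timeout"] == -1 or now - state["locked_at"] < cfg["retry_timeout"]:
            return "locked"
        state["failures"] = 0  # Retry Timeout elapsed; the lockout clears
    correct = sum(
        1 for q, ans in submitted.items()
        if q in stored and hmac.compare_digest(store_answer(ans, cfg).encode(), stored[q].encode())
    )
    if correct >= cfg["correct_answers_required"]:
        state["failures"] = 0
        return "ok"
    state["failures"] = state.get("failures", 0) + 1
    if cfg["retry_protection_enabled"] and state["failures"] >= max_attempts:
        state["locked_at"] = now  # start of the Retry Timeout window
    return "denied"
```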

What to do next

When you configure the mechanism, a message indicates that changes are not deployed. Deploy them. See Deploying pending changes.