
Question & Answer Method

The Question and Answer content area enables administrators to establish, configure, enable, and maintain Q&A so that users can authenticate to a system using previously established Emergency Access, user-selected or administrator-defined questions.


Question & Answer (Q&A) is also often referred to as Knowledge-Based Authentication or Emergency Access Authentication.

There are five Q&A content areas.

Table 25. Q and A

| Content area | Description |
|---|---|
| Profile List | Provides an overview of the configured Q&A Profiles. The available configurations are listed below the table. |
| Policies | Provides the ability for organizations to establish Q&A policies. |
| Question Sets | Provides the ability to create, modify and delete question sets that are assigned to Q&A profiles. |
| New Profile | Provides the ability for organizations to create custom profiles that can then be paired with Authentication Sets and assigned to users. |
| New Policy | Provides the ability to create custom Q&A policy beyond that delivered by default with RapidIdentity Server. |

Available Profile List configurations include:

  • Emergency Access: Use this profile in conjunction with RapidIdentity Client to enable Emergency Access and Secure Workflows in RapidIdentity Server. The questions in this list are hard-coded and cannot be changed due to the static nature of RapidIdentity Client’s question set.

  • Secure Workflow Admin: Use this profile if you would like to create custom question sets within RapidIdentity Server for Secure Workflows.

  • Secure Workflow User: Use this profile if you would like users to create their own questions to answer for use within RapidIdentity Server for Secure Workflows.



Once a user has been assigned to a Question Set, the Set cannot be deleted or modified.

Question & Answer - Profile List

Profile List is the default content area and provides an overview of the defined Q&A configurations.

From this content area, administrators can edit or delete previously configured Q&A profiles. By default, the Emergency Access question set is defined and contains 27 commonly used secret questions. These questions are used for Emergency Access and Secure Workflows. Administrators cannot edit or change these questions, because they must be present in RapidIdentity Client. However, administrators may edit the default Administrator Defined Question list, which contains ten pre-defined questions, or may create a new list altogether.

Administrators also have enhanced flexibility with these 4 options:

  1. Increase the number of user-defined questions

  2. Establish administrator-defined questions

  3. Create an M of N structure that requires users to answer a defined number of previously-enrolled questions, such as three of five

  4. Create a policy that defines the length of answers users must provide and whether the user may repeat answers within the same answer set

Question & Answer - Edit Profile List

To edit a Q&A Profile List, click Edit.


After updating the configuration, click Save or Cancel to discard.

Question & Answer - Policies

Question and Answer Policies define four Q&A set criteria.

  1. The number of questions the user must select (or provide in the case of user-defined) during enrollment.

  2. The number of questions the user will be challenged with during routine challenges such as Emergency Access and Secure Workflows. In all cases, the user is required to answer all questions correctly. There is no margin of error in RapidIdentity Server Question and Answer logic. However, user answers are case insensitive, and spacing is removed, in order to reduce the likelihood of common errors in typing.

  3. The minimum number of characters that must be present in each answer. This feature addresses the problem of users giving single-letter answers to all their questions.

  4. The requirement for all answers to be unique. This feature addresses the problem of users giving the same answer to every question.


The two policies shown are default policies with varying degrees of security, from High to Low. The default Policy is based upon best practices.

Each of these default policies can be modified by clicking Edit.

Question & Answer - Edit Policy

To edit a Q&A Policy, click Edit.


After modifying any desired settings, click Save or Cancel to discard.

Question & Answer - Question Sets

Question Sets are groupings of questions that can be assigned to a Q&A Policy and then assigned to a user.


Administrators can create a new set and define custom questions by clicking Add in each of the respective fields. Sets can be removed by clicking Delete.

When new questions are created within the admin portal, those questions will not be available for users to register with.

In order to use custom questions, contact Identity Automation Support to create a custom template that can be imported into your SQL database by us. Most customers find that the 27 default questions provided are sufficient for their environment.

Question & Answer - New Profile

To assign a new Profile to a Set, administrators must first create the New Profile.


Complete the fields as desired and click Add or Cancel to discard.

Question & Answer - New Policy

To assign a new Policy to a Profile, create the new Q&A Policy first.


Complete the fields as desired and click Add or Cancel to discard.

Table 26. New Policy

| Field | Description |
|---|---|
| Required Answers | This number represents how many questions must be enrolled. |
| Required Correct | This number represents how many correct answers are needed. |
| Minimum Answer Length | The minimum answer length. |
| Require Unique Answers | Determines whether correct answers can be repeated across different questions. |
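
The following is an added example, not RapidIdentity code: one way to enforce the four policy criteria and the answer normalization described under Question & Answer - Policies. The field names mirror Table 26; the function names, the PBKDF2 storage format and measuring length after normalization are assumptions.

```python
import hashlib, hmac, os, random
from dataclasses import dataclass

@dataclass(frozen=True)
class QAPolicy:                      # fields mirror Table 26
    required_answers: int            # questions that must be enrolled
    required_correct: int            # questions asked per challenge; all must be right
    min_answer_length: int
    require_unique_answers: bool

def normalize(answer: str) -> str:
    # Case-insensitive with spacing removed, as the policy text describes.
    return "".join(answer.split()).casefold()

def _digest(salt: bytes, answer: str) -> bytes:
    # Assumption: answers are kept as salted PBKDF2 digests, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 200_000)

def enroll(policy: QAPolicy, answers: dict) -> dict:
    """Validate {question: answer} against the policy; return {question: (salt, digest)}."""
    if len(answers) != policy.required_answers:
        raise ValueError("wrong number of enrolled questions")
    norm = [normalize(a) for a in answers.values()]
    # Assumption: length is measured after normalization, so spaces do not pad it.
    if any(len(a) < policy.min_answer_length for a in norm):
        raise ValueError("answer shorter than the minimum length")
    # Uniqueness is compared on normalized text: "Rex" and " rex " are one answer.
    if policy.require_unique_answers and len(set(norm)) != len(norm):
        raise ValueError("answers must be unique")
    record = {}
    for question, answer in answers.items():
        salt = os.urandom(16)
        record[question] = (salt, _digest(salt, answer))
    return record

def pick_challenge(policy: QAPolicy, record: dict) -> list:
    # Draw the challenged subset (e.g. three of five) with a CSPRNG.
    return random.SystemRandom().sample(sorted(record), policy.required_correct)

def verify(record: dict, challenge: list, responses: dict) -> bool:
    ok = True
    for question in challenge:
        salt, stored = record[question]
        candidate = _digest(salt, responses.get(question, ""))
        # No early exit, so timing does not reveal which answer was wrong.
        ok &= hmac.compare_digest(candidate, stored)
    return ok   # no margin of error: every challenged answer must match
```

Because normalization folds case and strips spacing, it also shrinks the space of possible answers, which is why the minimum-length and uniqueness checks run on the normalized form.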