Security Question & Answer

The Security Question & Answer authenticator provides a knowledge-based verification method. When enabled, users are required to answer a set of questions they configured during enrollment to verify their identity.

How it works

Security Question & Answer operates as a database-backed authenticator, verifying user-provided answers against those stored in the ADSelfService Plus database during enrollment. This verification occurs over secure, encrypted channels between the ADSelfService Plus application and its database.

Prerequisite: Configuration can be done only via ADSelfService Plus' default admin account or a product technician account with Super Admin privileges.

Configuration steps

  1. Navigate to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.
  2. From the Choose the Policy dropdown, select a policy.
    Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
  3. Click Security Question & Answer.

  4. Specify the number of administrator-defined questions to be asked during the identity verification process. For instance, if you set the number of administrator-defined questions to 2 and have defined those two questions by clicking Configure Questions, users will be required to answer those questions to verify their identity.
  5. To add a custom question:
    1. Click the Configure Questions link.
    2. In the window that opens, enter the question you want to ask the user in the Add New Question field.
    3. Click + to add the question to the list shown to users during enrollment.

  6. To edit or delete an existing question:
    1. Click the Configure Questions link.
    2. In the pop-up window that opens, hover the mouse pointer over the question you wish to edit or delete.
    3. Click the edit icon to edit a question.
    4. Click the delete icon to delete a question. Removing a question here will remove the question from the end users' question list during enrollment.

  7. To make a question mandatory:
    1. Click the Configure Questions link.
    2. In the pop-up window that opens, hover the mouse pointer over the question you wish to make mandatory.
    3. Click the asterisk icon [*] to make a question mandatory. Making a question mandatory will force the user to provide an answer to that question during MFA.

  8. Once you have configured your questions, click Save to save and close the pop-up window.
  9. Specify the number of user-defined questions; that is, the number of questions for which the user can register their own question and corresponding answer during the enrollment process.
  10. Specify the maximum and the minimum number of characters required in the user-defined questions.
  11. Configure the maximum and the minimum number of characters required in the answers provided by users.

Advanced settings

The Security Question & Answer authenticator has additional advanced settings that let you fine-tune how the questions are displayed and how answers are verified, and enforce additional security measures on users' answers.

These advanced settings are available at Configuration > Self-Service > Multi-factor Authentication > Advanced. In the window that opens, go to the Q&A Settings tab. Click here to learn more about each setting under this tab.

Click Save.

Deploying the authenticator for MFA

Once the authenticator is configured, you can deploy it as an MFA method for sensitive actions like password resets and unlocks, protected endpoints, and logging into ADSelfService Plus. Click on the respective links to learn how.

Note: This authenticator can be used to protect all endpoints and sensitive actions secured by ADSelfService Plus except MFA for VPN logins using VPN Client Verification and Offline MFA.

Setting up user enrollment

The last step is setting up the process for users to enroll for and utilize the Security Question & Answer authenticator. Click here for more information on the various enrollment options available in ADSelfService Plus for your users.

Tip

You can see how the enrollment settings you configure will be presented to your users, here.