Manage Knowledge-based (KBA) authenticators
Knowledge-based authentication (KBA), also known as question-and-answer (Q&A) authentication, allows a user to authenticate to an application using Identity as a Service by providing the correct answer to one or more preregistered questions.
KBA can be used to complete first- or second-factor authentication challenges when authenticating to applications. If the resource rule of an application is configured to require KBA as the first-factor authenticator, the second factor must be set to None.
You can select a number of authentication secrets or facts for each user and prompt for all answers or just a subset. Using KBA, Identity as a Service has the ability to:
- store and update personal answers to the questions chosen by users.
- save challenge questions until successful completion of all questions in the challenge (this is called challenge retention).
- lock out a user based on a configured number of failed attempts.
- set the maximum number of questions presented to a user during authentication.
- set the number of questions that a user can answer incorrectly (if any) and still pass authentication.
- randomly present a subset of questions for the user from the stored question set.
Identity as a Service accounts have a default system-defined list of questions. A user can include answers to any of these questions when assigning a KBA to their account. The personalized answers ensure that only the user is likely to respond correctly. The answers are stored in encrypted form in the Identity as a Service repository.
Additional questions can be added to the list of those available on an Identity as a Service account. These are known as administrator-defined questions.
Only one KBA can be added by a user to their own list of authenticators on the User portal. A user cannot create a KBA that includes the following:
- Fewer answers to questions than the minimum number defined by the Maximum Q&A Challenge Size setting of your Identity as a Service account
- More answers to questions than the maximum number defined by the Maximum Number of Q&A Pairs setting of your Identity as a Service account
- Identical answers
Configure knowledge-based authenticators
To manage knowledge-based authenticators, your role must include User Knowledge-based Authenticator Management permissions.
To configure Identity as a Service for KBA, complete the following tasks:
Create a list of administrator-defined questions
Create a list of questions and answers for users to select using the following criteria as a guideline:
Privacy
Organizations are subject to legislation and regulations relating to the collection, storage, control, and handling of personal information.
It is prudent to avoid personal information when building a knowledge-based authentication system.
Construct the information collected for question-and-answer sets so that it is used exclusively for authentication purposes.
Security
Construct questions so that the answers are difficult to obtain or guess.
For privacy reasons, answers should not include personal information such as names, family histories and birth dates. Identity thieves regularly find or steal personal information.
Avoid questions that have a limited number of realistic answers. For example, What is my eye color? would not require many attempts to guess a correct answer.
Users should not save their questions and answers to an electronic file on their computers or portable devices. An attacker could use the answers in the file to impersonate the user.
Users should not write their questions and answers on a physical medium (such as paper) where someone else can find the answers. An attacker could memorize or steal the answers to impersonate the user.
Educate users on appropriate knowledge-based questions and answers to prevent users from exposing their authentication data to an attacker, both physically and electronically.
Usability
Knowledge-based authentication must be simple and easy for users to use.
The questions should apply to every one of your users. For example, the question What is the name of my first pet? only applies to pet owners.
An answer must be easily recalled for the question to be useful. Questions that reflect users' habits, regular activities, or practices generally meet this criterion.
Answers need to remain constant for the question to be of value. Questions that prompt for a “favorite” may have different responses over time, while those that ask for a “first” should not change.
A user must be able to enter a correct response each time.
Selecting a set of questions
A common practice is to have users create several question-and-answer pairs during the enrollment process. Then you use a randomly selected subset of those questions for subsequent knowledge-based authentication (KBA).
Although you may require the user to select and answer only a few questions during authentication, it is recommended that you have a large selection of questions available. This increases the odds that each user will find an appropriate set of questions and it increases the system’s resistance to attack by making it more difficult for an attacker to anticipate a given user’s questions.
It is recommended that a user enter a minimum of five answers, thereby including five question-and-answer pairs in their KBA.
Setting the challenge size
You can configure the number of questions to be presented based on the type of access or transaction the user requires. For example, access to a company information portal could require two questions while access to an online investment site could require four questions. It is recommended that a user answer at least three questions.
You can set the minimum and maximum number of required questions. See Modify knowledge-based authentication settings for more information. Once complete, set the exact number of questions for your SAML applications from the resource rule authentication decision settings. Your application must present a number of questions between the minimum and maximum, and take into account the number of wrong answers allowed (if applicable).
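The enrolment rules listed above (minimum and maximum Q&A pairs, no identical answers) and the challenge settings described here (random subset, allowed wrong answers, lockout after failed attempts) as a small policy model. This is an added illustration, not Identity as a Service code; the setting values, the hashing of stored answers and the case/whitespace normalisation are constructed assumptions.

```python
import hashlib
import random
from dataclasses import dataclass
# Constructed settings mirroring the KBA options this page describes (not product code).
@dataclass
class KbaSettings:
    max_qa_pairs: int = 8           # Maximum Number of Q&A Pairs
    max_challenge_size: int = 5     # Maximum Q&A Challenge Size (also the minimum pairs to enrol)
    wrong_answers_allowed: int = 1  # wrong answers a user may give and still pass
    lockout_after: int = 3          # failed challenges before the user is locked out
def digest(answer: str) -> str:
    # The product stores answers encrypted; a hash of the normalised answer stands in here.
    return hashlib.sha256(" ".join(answer.split()).casefold().encode()).hexdigest()
def validate_enrollment(pairs, settings):
    """Return the rules a proposed list of (question, answer) pairs violates."""
    problems = []
    if len(pairs) < settings.max_challenge_size:
        problems.append("fewer pairs than Maximum Q&A Challenge Size")
    if len(pairs) > settings.max_qa_pairs:
        problems.append("more pairs than Maximum Number of Q&A Pairs")
    if len({digest(a) for _, a in pairs}) != len(pairs):
        problems.append("identical answers")
    return problems

@dataclass
class KbaUser:
    pairs: dict           # question -> answer digest
    failed: int = 0       # consecutive failed challenges
    locked: bool = False

def enroll(pairs, settings):
    if problems := validate_enrollment(pairs, settings):
        raise ValueError("; ".join(problems))
    return KbaUser({q: digest(a) for q, a in pairs})

def pick_challenge(user, size, settings, rng=random):
    # Randomly present `size` of the stored questions; size comes from the resource rule.
    if not 1 <= size <= settings.max_challenge_size:
        raise ValueError("challenge size exceeds Maximum Q&A Challenge Size")
    return rng.sample(sorted(user.pairs), size)

def evaluate(user, challenge, responses, settings):
    """Pass if wrong answers are within the allowance; count failed challenges for lockout."""
    if user.locked:
        return False
    wrong = sum(user.pairs[q] != digest(responses.get(q, "")) for q in challenge)
    passed = wrong <= settings.wrong_answers_allowed
    user.failed = 0 if passed else user.failed + 1
    user.locked = user.failed >= settings.lockout_after
    return passed
```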
Configure KBA settings for your account
Customize your account KBA settings (see Modify KBA settings).
Enable KBA in your resource rules
Customize your resource rules to permit use of KBA as required (see Create resource rules).
Have users self-assign KBA
Prompt each user to assign a knowledge-based authenticator to their list of authenticators from the User portal. See the Identity as a Service User Help for information on managing KBAs from the User Portal.
Topics in this section
Modify knowledge-based authenticator settings
Knowledge-based authentication (KBA) allows a user to authenticate to an application account using Identity as a Service. There are three parts to setting up knowledge-based authentication:
Create and manage KBA questions for users
During registration or enrollment of a knowledge-based authenticator (KBA), the user selects several questions and provides easily-remembered answers. Later, when they are challenged with one or more knowledge-based questions, they can answer them to authenticate. You can allow the user to alter the answers at any time, provided they are logged in to Identity as a Service.
Create Word Maps
The Word Map feature allows administrators to register a list of synonyms for words that could be part of the expected answers to questions in a user's assigned knowledge-based authenticator (KBA). Once registered, the user can enter one of those synonyms instead of the expected word and still have the answer recognized as valid. The Word Map synonyms are only applied when Inexact Match Allowed for an Answer is enabled in the Knowledge-based authentication settings (see Modify knowledge-based authentication settings). These synonyms are only applied to the questions included as part of the individual user's assigned KBA.
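How a Word Map changes answer matching, and why it has no effect unless Inexact Match Allowed for an Answer is on, as an added example (not product code). The synonym table, the tokenisation and the assumption that exact mode still ignores case and surrounding whitespace are constructed for illustration.

```python
# Constructed Word Map: each synonym maps to the canonical word an administrator registered.
WORD_MAP = {"automobile": "car", "auto": "car", "mum": "mother", "mom": "mother"}

def _tokens(text: str) -> list:
    # Lower-case and split on anything that is not a letter or digit (assumed tokenisation).
    return "".join(c if c.isalnum() else " " for c in text.casefold()).split()

def canonical(answer: str, word_map) -> list:
    # Replace every registered synonym with its canonical word before comparing.
    return [word_map.get(t, t) for t in _tokens(answer)]

def answer_matches(expected: str, given: str, inexact_match_allowed: bool, word_map=WORD_MAP) -> bool:
    """Compare a response with the enrolled answer under the Inexact Match Allowed setting."""
    if not inexact_match_allowed:
        # Exact mode: the Word Map is ignored; only case and whitespace are normalised (assumption).
        return " ".join(expected.split()).casefold() == " ".join(given.split()).casefold()
    return canonical(expected, word_map) == canonical(given, word_map)
```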
Delete KBA question and answer pairs
This procedure describes how to delete one or more question-and-answer (Q&A) pairs from your knowledge-based authenticators (KBAs). Note the following:
Delete retained challenges
A retained challenge is a set of questions that the user was prompted to answer but did not answer correctly. Users are forced to answer the same set of questions presented to them during a knowledge-based authentication (KBA) challenge until the time limit for answering those questions expires. The time limit is controlled by the Q&A Challenge Lifetime setting, and can be modified at any time. See Modify knowledge-based authentication settings for more information.