
Manage Knowledge-based (KBA) authenticators

Knowledge-based authentication, or knowledge-based authenticators (KBA), also known as question-and-answer (Q&A) authentication, lets a user authenticate to an application using IDaaS by providing the correct answer to one or more preregistered questions.

KBA can be used to complete first- or second-factor authentication challenges when users authenticate to applications. If an application resource rule requires KBA as the first-factor authenticator, set the second factor to None.

You can select a number of authentication secrets or facts for each user and prompt for all answers or just a subset. Using KBA, IDaaS has the ability to:

  • Store and update personal answers to the questions chosen by users.
  • Retain the same challenge questions across attempts until the user successfully completes the challenge (this is called challenge retention), so that abandoning or failing a challenge does not produce a fresh set of questions to attack.
  • Lock out a user based on a configured number of failed attempts.
  • Set the maximum number of questions presented to a user during authentication.
  • Set the number of questions that a user can answer incorrectly (if any) and still pass authentication.
  • Randomly present a subset of questions for the user from the stored question set.

IDaaS accounts have a default system-defined list of questions. A user can include answers to any of these questions when assigning a KBA to their account. The personalized answers ensure that only the user is likely to respond correctly. The answers are stored in encrypted form in the IDaaS repository.

Additional questions can be added to the list of those available on an IDaaS account. These are known as administrator-defined questions.

Only one KBA can be added by a user to their own list of authenticators on the User portal. A user cannot create a KBA that includes the following:

  • Fewer question-and-answer pairs than the Maximum Q&A Challenge Size setting of your IDaaS account (a user must store at least as many answers as the largest challenge that can be presented).
  • More question-and-answer pairs than the Maximum Number of Q&A Pairs setting of your IDaaS account.
  • Identical answers.

Configure knowledge-based authenticators

To manage knowledge-based authenticators, your role must include User Knowledge-based Authenticator Management permissions.

To configure Identity as a Service for KBA, complete the following tasks:

Create a list of administrator-defined questions

Create the list of questions that users select from, and the answers they store for them, using the following criteria:

  • Privacy. Avoid personal information when you build a knowledge-based authentication system. Use the collected question-and-answer sets only for authentication purposes.

  • Security. Make the answers difficult to obtain or guess.

    • Do not use personal information such as names, family histories, or birth dates.
    • Avoid questions with only a few realistic answers. For example, "What is my eye color?" would not require many attempts to guess correctly.
    • Do not save questions and answers in electronic files on computers or portable devices.
    • Do not write questions and answers on physical media, such as paper, where someone else can find them.
    • Educate users on appropriate knowledge-based questions and answers so they do not expose their authentication data.
  • Usability. Make knowledge-based authentication simple and easy to use.

    • Use questions that apply to all users. For example, "What is the name of my first pet?" only applies to pet owners.
    • Make sure each answer is easy for the user to recall.
    • Use questions with answers that remain consistent over time.
    • Make sure the user can enter a correct response each time.
  • Selecting a set of questions. Have users create several question-and-answer pairs during enrollment, then use a randomly selected subset of those questions for subsequent knowledge-based authentication (KBA).

    • Although you may require users to answer only a few questions during authentication, Entrust recommends providing a large selection of questions. A larger question set increases the likelihood that each user will find an appropriate set of questions and makes the system harder to attack because an attacker has less certainty about which questions a user will see.
    • Users should enter at least five answers, creating five question-and-answer pairs in their KBA.
  • Setting the challenge size. Configure the number of questions to present based on the type of access or transaction the user requires.

    • For example, access to a company information portal could require two questions, while access to an online investment site could require four questions. Entrust recommends that a user answer at least three questions.
    • Set the minimum and maximum number of required questions. See Modify knowledge-based authentication settings for more information.
    • Set the exact number of questions for your SAML applications from the resource rule authentication decision settings. Your application must present a number of questions between the minimum and maximum, and take into account the number of wrong answers allowed, if applicable.
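The following is an added example, not Entrust IDaaS code, that models how the settings described above interact: the enrollment limits (Maximum Number of Q&A Pairs, Maximum Q&A Challenge Size, no identical answers), a randomly selected challenge subset, challenge retention across failed attempts, the number of wrong answers allowed, and lockout after repeated failures. It also works out why questions with few realistic answers and a generous wrong-answer allowance weaken the challenge. The class and setting names, the answer normalization, and the salted-hash storage are assumptions for illustration; the page states only that IDaaS stores answers in encrypted form.

```python
"""KBA challenge model. Added example; not Entrust IDaaS code.

Setting names mirror the product settings named on the page; how they
interact here is an assumption about a reasonable implementation.
"""
import hashlib
import hmac
import os
import random
import unicodedata
from dataclasses import dataclass, field
from itertools import combinations
from math import prod
from typing import Dict, List, Optional


@dataclass
class KbaSettings:
    max_qa_pairs: int = 10           # "Maximum Number of Q&A Pairs"
    max_challenge_size: int = 5      # "Maximum Q&A Challenge Size"; also the fewest pairs a user may enroll
    min_challenge_size: int = 2
    wrong_answers_allowed: int = 0   # wrong answers that still pass the challenge
    lockout_after_failures: int = 3  # failed challenges before the authenticator locks
    challenge_retention: bool = True # keep the same questions until the challenge is passed


def normalize(answer: str) -> str:
    """Fold case, whitespace and accents so 'Montréal ' and 'montreal' compare equal."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())


def protect(answer: str, salt: bytes) -> bytes:
    """Assumption: a salted PBKDF2 hash stands in for the product's encrypted storage."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 50_000)


@dataclass
class KbaAuthenticator:
    settings: KbaSettings
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    answers: Dict[str, bytes] = field(default_factory=dict)  # question -> protected answer
    failures: int = 0
    locked: bool = False
    pending: Optional[List[str]] = None  # retained challenge questions, if any

    def enroll(self, pairs: Dict[str, str]) -> None:
        """Apply the enrollment constraints: pair count bounds and no identical answers."""
        s = self.settings
        if len(pairs) < s.max_challenge_size:
            raise ValueError("fewer pairs than Maximum Q&A Challenge Size")
        if len(pairs) > s.max_qa_pairs:
            raise ValueError("more pairs than Maximum Number of Q&A Pairs")
        normalized = [normalize(a) for a in pairs.values()]
        if len(set(normalized)) != len(normalized):
            raise ValueError("identical answers are not allowed")
        self.answers = {q: protect(a, self.salt) for q, a in pairs.items()}

    def challenge(self, size: int) -> List[str]:
        """Return the questions to present; a retained challenge is reused until passed."""
        s = self.settings
        if self.locked:
            raise PermissionError("authenticator is locked")
        if not s.min_challenge_size <= size <= s.max_challenge_size:
            raise ValueError("challenge size outside configured minimum/maximum")
        if size - s.wrong_answers_allowed < 1:
            raise ValueError("wrong answers allowed must leave at least one required correct answer")
        if self.pending is None or not s.challenge_retention:
            self.pending = random.sample(list(self.answers), size)
        return list(self.pending)

    def verify(self, responses: Dict[str, str]) -> bool:
        """Check responses to the pending challenge; count failures and lock out."""
        if self.locked or self.pending is None:
            return False
        wrong = 0
        for q in self.pending:
            given = protect(responses.get(q, ""), self.salt)
            if not hmac.compare_digest(given, self.answers[q]):
                wrong += 1
        if wrong <= self.settings.wrong_answers_allowed:
            self.pending = None   # passed: the next login gets a fresh random subset
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.settings.lockout_after_failures:
            self.locked = True
        return False


def guess_pass_probability(answer_space_sizes: List[int], wrong_allowed: int) -> float:
    """Chance that one blind guess at every question passes, given each question's
    number of equally likely realistic answers and the wrong-answer allowance."""
    p = [1 / n for n in answer_space_sizes]
    k = len(p)
    total = 0.0
    for wrong in range(wrong_allowed + 1):
        for wrong_idx in combinations(range(k), wrong):
            total += prod((1 - p[i]) if i in wrong_idx else p[i] for i in range(k))
    return total
```

Two eye-color-style questions (about six realistic answers each) with one wrong answer allowed let a blind guess pass 11 times in 36; the same questions with no wrong answer allowed pass 1 time in 36. Larger answer spaces and a wrong-answer allowance of zero are what make the lockout threshold meaningful.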

Configure KBA settings for your account

Customize your account KBA settings (see Modify KBA settings).

Enable KBA in the resource rules

Customize your resource rules to permit use of KBA as required (see Create resource rules).

Have users self-assign KBA

Prompt each user to assign a knowledge-based authenticator to their list of authenticators from the User Portal.
