Use this guide to enable knowledge-based questions and answers (KBA / KBQ) as a Multi-Factor Authentication method.
1. Integrate an on-premises directory with SecureAuth IdP
2. Create a Service Account for SecureAuth IdP with read privileges to access the data store, and write privileges to update knowledge-based questions and answers
If using Active Directory as the data store, see the document SecureAuth Service Account setup and configuration guide for Active Directory for information about choosing attributes and configuring the SecureAuth Service Account
If using another solution for a data store, such as SQL Server or OpenLDAP, consult SecureAuth support for further assistance
3. Select two readable and writable attributes from the data store to be used with the KBA feature
The selected attribute(s) will be used to store the question and answer information in the user profile
However, if using the Base64 setting, only the KB Questions attribute is required
Refer to LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping for more information
4. Create a New Realm or access an existing realm in the SecureAuth IdP Web Admin in which KBA is used as a Multi-Factor Authentication method
5. Configure the following tabs in the Web Admin
- Overview – the description of the realm and SMTP connections must be defined
- Data – one or more data stores can be integrated with SecureAuth IdP
- Workflow – the way in which users will access the target must be defined
- Multi-Factor Methods – the KBA Multi-Factor Authentication method that will be used to access the target (if any) must be defined
- Post Authentication – the target resource or post authentication action must be defined
- Logs – the logs that will be enabled or disabled for this realm must be defined
1. In the Profile Fields section, map the SecureAuth IdP Property to the appropriate data store Field for KB Questions
For example, in the sample image, KB Questions is located in the houseIdentifier data store Field
2. Change the Source from Default Provider if another directory is enabled in the Profile Connection Settings section and contains the Property
See the Data Tab Configuration guide for information on configuring Profile Connection Settings
3. Check Writable for KB Questions so that SecureAuth IdP can make changes in the data store
4. Map the KB Answers Profile Property to the appropriate data store Field – e.g. homePostalAddress – and check Writable
If Base64 is selected from the KB Format field in the Registration Methods tab (step 6 below), then step 4 is not required
Refer to LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping for more information
Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes
5. In the Multi-Factor Configuration section, under Knowledge Based Settings, select Enabled from the KB Questions dropdown
6. Select the preferred KB Format from the dropdown
SecureAuth recommends selecting Encryption. Although encoding the KB information with Base64 typically makes it unreadable to the naked eye, it is decoded as easily as it is encoded; security is not the intent of that option
7. Select the Number of Questions from which the end-user will be able to choose during authentication
8. Select True from the KB Conversion dropdown only if changes are being made to move from Base64 to Encrypted settings
Click Save once the configurations have been completed and before leaving the Registration Methods page to avoid losing changes
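Added illustration of the point made in the KB Format step (not SecureAuth code): Base64 is reversible, so any account that can read the KB Answers attribute can read the answers. The script classifies constructed sample attribute values and lists users still holding Base64-only data (candidates for KB Conversion) and users with nothing on file; it assumes Base64-format data decodes to readable text while encrypted data is opaque, and does not model SecureAuth's actual cipher format.

```python
import base64
import binascii
import string

# Constructed sample values for the KB Answers attribute (e.g. homePostalAddress),
# one per user. Assumption: Base64-format data decodes to readable text, while
# encrypted data is opaque; the exact SecureAuth cipher format is not modelled here.
SAMPLE_KB_ANSWERS = {
    "alice": base64.b64encode(b"Rover|Springfield|Smith").decode(),  # Base64 only
    "bob":   "",                                                      # nothing on file
    "carol": base64.b64encode(bytes(range(0, 128, 3))).decode(),     # opaque binary
    "dave":  "not base64 at all!",                                    # not Base64
}

PRINTABLE = set(string.printable)


def classify_kb_value(value: str) -> str:
    """Return 'empty', 'base64-plaintext', or 'opaque' for a stored KB value."""
    if not value.strip():
        return "empty"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "opaque"  # not valid Base64, so not the reversible Base64 format
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "opaque"
    if text and all(ch in PRINTABLE for ch in text):
        return "base64-plaintext"  # anyone who can read the attribute can read the answers
    return "opaque"


def users_needing_conversion(records: dict) -> list:
    """Users whose KB answers are only Base64-encoded (candidates for KB Conversion)."""
    return sorted(u for u, v in records.items() if classify_kb_value(v) == "base64-plaintext")


def users_missing_answers(records: dict) -> list:
    """Users with no KB answers on file (candidates for the Missing KB Answers prompt)."""
    return sorted(u for u, v in records.items() if classify_kb_value(v) == "empty")


if __name__ == "__main__":
    print("Base64-only (readable):", users_needing_conversion(SAMPLE_KB_ANSWERS))
    print("No answers on file:    ", users_missing_answers(SAMPLE_KB_ANSWERS))
```

Run it against exported attribute values before setting KB Conversion to True, so the scope of the migration is known in advance.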
The following optional configurations can be made for KBA realms
- Customize knowledge-based questions (Overview tab)
- Prompt end-users to provide missing knowledge-based answers information (Multi-Factor Methods tab)
- In a multi-server environment with the option to encrypt KBA information enabled, ensure the same license certificate is used by all servers (System Info tab)
Knowledge-based questions can be customized to provide end-users with a list of new or modified questions
1. In the Advanced Settings section, click Content and Localization
2. In the Verbiage Editor section, scroll down to find the list of knowledge-based attributes with corresponding knowledge-based questions that can be edited
3. Edit knowledge-based questions, as necessary
Any edits made to knowledge-based questions must be made in all realms that will prompt end-users for knowledge-based answers, in order to provide a consistent end-user experience
Click Save once the configurations have been completed and before leaving the Overview page to avoid losing changes
End-users who are authenticated in the environment can be prompted to provide answers to knowledge-based questions if none on file currently exist
1. In the Multi-Factor Configuration section, under Multi-Factor Settings, check Missing KB Answers in the Inline Initialization field so that end-users with no answers on file are prompted to provide them
Click Save once the configurations have been completed and before leaving the Multi-Factor Methods page to avoid losing changes
In a multi-SecureAuth IdP environment that uses encrypted KBA information, each server must use the same license certificate in order to ensure a seamless end-user experience
1. In the License Info section, click Select Certificate
2. In the Select Certificate window, verify the selected certificate is the one that will be used on all SecureAuth IdP servers
3. If another certificate needs to be used, then select the radio button corresponding to that certificate
4. Click Select to close the window
Perform the steps in this section for all SecureAuth IdP servers in the environment
Click Save once the configurations have been completed and before leaving the System Info page to avoid losing changes