Security questions is an authentication method that requires users to answer questions in order to authenticate. During enrollment or when users access the Self-Service Console for the first time, users are presented with several questions, which they must answer. Later when users authenticate, the users must answer a subset of these questions with the same answers that they provided during enrollment.
Security questions are used under the following conditions:
- When the primary authentication method results in a failed authentication
- To confirm identity for risk-based authentication (RBA)
If you want to allow users to change their answers, you must clear their existing answers. For example, you might need to do this when users forget their answers, or when users believe that their answers are compromised. After you clear a user’s answers, the user is prompted to provide new answers at the next logon. For instructions, see Clear User Answers to Security Questions.
A file of questions is provided for English-speaking users, which you can modify to create a new question file. You can also create a file of non-English questions in any supported language. When you create a new set of questions or modify just one question, the new file replaces the existing file.
You specify the number of questions that users must answer during enrollment or when accessing the Self-Service Console for the first time. You also specify the number of questions that users must answer during authentication. The number of questions that you specify for enrollment should be greater than the number of questions that you specify for authentication. If you specify fewer questions for authentication than you specify for enrollment, users can choose which questions to answer for authentication.
For self-service troubleshooting, the number of available questions must exceed the number of questions required for authentication.