Applies To: RSA Product Set: Adaptive Authentication (OnPrem)
RSA Version/Condition: 7.x
Notes: Secret questions work as follows: when a challenge is issued with the authentication method “Question”, the user is asked for the responses. A configurable threshold limits how many times the user may attempt to respond; after the last unsuccessful attempt the account is locked out. A counter of failed question challenges is kept, and it is reset under specific conditions.
Secret questions have the lowest authentication level, but access can still be controlled with a higher (more secure) authentication level before the threshold is reached. In addition, the Risk Engine learns from each failure by the user and increases the risk score associated with that specific user; it also compares the user's behaviour against the whole population in the system, so if the user's risk rises past a certain point, rules can be added to require more secure authentication methods based on that risk.
Usually, this threshold is a small number like 3 or 5. This value can be set in the Backoffice Administration page:
1. Will the count reset after a successful login or will it continue to grow irrespective of successful logins in between?
A/ It resets after a successful login in which the user responds correctly to the questions challenge. A login that succeeds without a challenge does not reset the counter; only a correctly answered “Secret Question” challenge resets it. Unlocking the account from the Backoffice CSR admin also resets the user's failed challenge count to zero.
2. Where can we see the counter for this fact?
A/ The counter is stored in the database, in the table RSA_CORE.ACSPUSERACCOUNT. It has a “COUNTS” field and one row per user for each authentication method. Looking up the row where “ACSPNAME” equals “QUESTION” for a specific USERID shows how many times the user has failed to respond to the questions before locking out. The account is locked automatically when the threshold is met, so the value will not exceed that number.
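As an added example (not part of the RSA article), a SQL check an administrator with read access to the Adaptive Authentication database could run against RSA_CORE.ACSPUSERACCOUNT to review the secret-question failure counters. The table and the USERID, ACSPNAME and COUNTS columns are taken from the answer above; the threshold value of 5, the placeholder user id and the vendor-neutral SQL syntax are assumptions.

```sql
-- Added example: review secret-question failure counters in RSA_CORE.ACSPUSERACCOUNT.
-- Assumption: the lockout threshold configured in Backoffice is 5; adjust to your setting.

-- 1. Current failed-question count for one user ('<user id>' is a placeholder).
SELECT USERID, ACSPNAME, COUNTS
FROM   RSA_CORE.ACSPUSERACCOUNT
WHERE  ACSPNAME = 'QUESTION'
AND    USERID   = '<user id>';

-- 2. Users one failure away from lockout and users already at the threshold.
--    The counter never exceeds the threshold, so COUNTS = 5 means the
--    account has been locked out on the Question method.
SELECT USERID,
       COUNTS,
       CASE WHEN COUNTS >= 5 THEN 'LOCKED'
            WHEN COUNTS  = 4 THEN 'ONE_ATTEMPT_LEFT'
            ELSE 'OK'
       END AS QUESTION_STATUS
FROM   RSA_CORE.ACSPUSERACCOUNT
WHERE  ACSPNAME = 'QUESTION'
AND    COUNTS  >= 4
ORDER  BY COUNTS DESC, USERID;

-- 3. Distribution of failure counts across the population, a baseline to look at
--    before lowering the threshold or adding a risk rule that escalates early.
SELECT COUNTS, COUNT(*) AS USERS
FROM   RSA_CORE.ACSPUSERACCOUNT
WHERE  ACSPNAME = 'QUESTION'
GROUP  BY COUNTS
ORDER  BY COUNTS;
```

Users appearing in the second query can be cross-checked against the Backoffice CSR view before deciding whether to unlock them, since unlocking resets the counter to zero.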
3. If we do not want to deny access, can we hide the Secret Question option in the next challenge once the customer reaches that threshold (of failing the secret question authentication method 100 times)?
A/ A rule can be added that determines how many times the user has failed the questions and, before the threshold is reached, requires a stronger authentication method.
Let’s assume the threshold is 5. A rule like this can be added: