If your deployment uses risk-based authentication (RBA), you must enable at least one identity confirmation method. RBA is a multifactor authentication solution that strengthens traditional password-based systems by applying knowledge of the client device and user behavior to assess the potential risk of an authentication request. If the assessed risk is high, the user is challenged to further confirm his or her identity using one of the following methods:
On-demand authentication (ODA). The user must correctly enter a PIN and a one-time tokencode that is sent to a preconfigured mobile phone number or e-mail account.
Security questions. The user must correctly answer one or more pre-enrolled security questions.
If you enable both security questions and ODA, the user can choose to configure one or both methods. With both methods configured, the user can choose a method when prompted to confirm identity.