Managing Security Questions
Security questions are an authentication method that requires users to answer questions in order to authenticate. During enrollment, or when users access the Self-Service Console for the first time, users are presented with several questions that they must answer. Later, when users authenticate, they must answer a subset of these questions with the same answers that they provided during enrollment.
Security questions are used under the following conditions:
- When the primary authentication method results in a failed authentication and the Forgot your password link is enabled in the Self-Service Console
- To confirm identity for risk-based authentication (RBA)
If you want to allow users to change their answers, you must clear their existing answers. For example, you might need to do this when users forget their answers, or when users believe that their answers are compromised. After you clear a user’s answers, the user is prompted to provide new answers at the next logon. For instructions, see Clear User Answers to Security Questions.
A file of questions is provided for English-speaking users, which you can modify to create a new question file. You can also create a file of non-English questions in any supported language. When you create a new set of questions or modify just one question, the new file replaces the existing file.
You specify the number of questions that users must answer during enrollment or when accessing the Self-Service Console for the first time. You also specify the number of questions that users must answer during authentication. The number of questions that you specify for enrollment should be greater than the number of questions that you specify for authentication. If you specify fewer questions for authentication than you specify for enrollment, users can choose which questions to answer for authentication.
For self-service troubleshooting, the number of available questions must exceed the number of questions required for authentication.
Set Requirements for Security Questions
You specify the number of security questions that users must answer during enrollment or when they access the Self-Service Console for the first time, and the number of questions that users must answer correctly during authentication. If the number of security questions specified for enrollment exceeds the number specified for authentication, the user can choose which questions to answer during authentication.
Procedure
1. In the Security Console, click Setup > System Settings.
2. Click Security Questions Requirements.
3. In the Enrollment field, specify the number of questions users must answer during enrollment. Modifying this setting does not affect users who are currently enrolled.
4. In the Authentication field, specify the number of questions users must answer correctly during authentication.
5. Click Save.
Custom Security Questions
You can customize the text and language of security questions by creating and importing a customized XML file into the database. When you create a new security questions file, you can make the following modifications:
- Change the existing English text. Edit the existing XML file to change the wording of the existing questions or add new questions of your own.
- Change the language. Create a new XML file using the provided template. Specify the language ID, and enter the security questions written in the selected language.
The RSA Authentication Manager Extras ZIP file includes a security questions sample file (SecurityQuestionsSample.xml) that you can use as a template. The file looks similar to the following example:
<?xml version="1.0" encoding="UTF-8"?>
<SECURITY_QUESTIONS>
    <LANGUAGE id="en_US">
        <QUESTION>first question</QUESTION>
        <QUESTION>second question</QUESTION>
        <QUESTION>third question</QUESTION>
    </LANGUAGE>
</SECURITY_QUESTIONS>
The Security Questions Sample folder in the Extras ZIP file also includes a security questions file schema (SecurityQuestions.xsd) for validating a modified or new security questions file.
A deployment can have only one active security questions file. If you modify the existing security questions and import the modified file, users must complete security questions enrollment again.
Follow these guidelines when customizing security questions:
- Create a separate XML file for each LANGUAGE. For example, if you need questions in three languages, you must create three language files.
- Each XML file must include the XML language attribute that identifies the language used to write the questions. For a list of supported language ID codes, see Language Codes for Security Questions.
- You must type the text in the actual language. Authentication Manager does not translate languages.
- A security question can contain up to 255 characters.
- The security questions file must contain at least as many security questions as you have specified for enrollment. For more information, see Set Requirements for Security Questions.
- You cannot delete a security questions file.
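The guidelines above, together with the enrollment/authentication rule from Set Requirements for Security Questions, can be checked before a file is imported, which matters because every import clears the affected users' answers. The following script is an added example, not RSA's code and not a substitute for validating against SecurityQuestions.xsd: the function names, the sample files and the subset of language ids in SUPPORTED_LANGUAGE_IDS (taken from the table on this page plus the en_US id in the sample file) are this example's own assumptions.

```python
"""Lint a custom security questions XML file against the page's guidelines.

Added example (not RSA Authentication Manager code).  Checks: one LANGUAGE
element per file, a supported language id, no question over 255 characters,
and at least as many questions as the enrollment setting requires.
"""
import xml.etree.ElementTree as ET

MAX_QUESTION_LEN = 255  # guideline: a security question can contain up to 255 characters

# Subset of the page's id-attribute table plus en_US from the sample file.
# Extend this set with the ids your deployment actually uses.
SUPPORTED_LANGUAGE_IDS = {
    "en_US", "en_GB", "ar_KW", "de_DE", "fr_FR", "es_ES", "ja_JP", "zh_CN",
}


def check_requirements(enrollment, authentication):
    """Return problems with the Enrollment / Authentication counts.

    The page's rule: the enrollment count should be greater than the
    authentication count, so users can choose which questions to answer.
    """
    problems = []
    if enrollment < 1 or authentication < 1:
        problems.append("enrollment and authentication counts must each be at least 1")
    if enrollment <= authentication:
        problems.append(
            f"enrollment ({enrollment}) should be greater than authentication ({authentication})"
        )
    return problems


def lint_questions_file(xml_text, enrollment):
    """Return a list of guideline violations; an empty list means the file passes."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"file is not well-formed XML: {exc}"]

    if root.tag != "SECURITY_QUESTIONS":
        problems.append(f"root element is <{root.tag}>, expected <SECURITY_QUESTIONS>")

    languages = root.findall("LANGUAGE")
    if len(languages) != 1:  # guideline: a separate file for each LANGUAGE
        problems.append(f"expected exactly one LANGUAGE element per file, found {len(languages)}")

    for language in languages:
        lang_id = language.get("id")
        if not lang_id:
            problems.append("LANGUAGE element has no id attribute")
        elif lang_id not in SUPPORTED_LANGUAGE_IDS:
            problems.append(f"language id {lang_id!r} is not in the supported-id table")
        label = lang_id or "<no id>"

        questions = [(q.text or "").strip() for q in language.findall("QUESTION")]
        if len(questions) < enrollment:  # guideline: at least as many as enrollment requires
            problems.append(
                f"{label}: {len(questions)} question(s) but enrollment requires {enrollment}"
            )
        for number, text in enumerate(questions, start=1):
            if not text:
                problems.append(f"{label}: question {number} is empty")
            elif len(text) > MAX_QUESTION_LEN:
                problems.append(
                    f"{label}: question {number} is {len(text)} characters, limit is {MAX_QUESTION_LEN}"
                )
    return problems


# Constructed sample input: a file that follows the guidelines.
GOOD_FILE = """<?xml version="1.0" encoding="UTF-8"?>
<SECURITY_QUESTIONS>
    <LANGUAGE id="en_US">
        <QUESTION>Constructed question one</QUESTION>
        <QUESTION>Constructed question two</QUESTION>
        <QUESTION>Constructed question three</QUESTION>
        <QUESTION>Constructed question four</QUESTION>
    </LANGUAGE>
</SECURITY_QUESTIONS>
"""

# Constructed sample input that breaks several guidelines at once:
# two LANGUAGE elements, an unsupported id, a 300-character question,
# and too few questions for an enrollment setting of 3.
BAD_FILE = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    "<SECURITY_QUESTIONS>\n"
    '    <LANGUAGE id="xx_YY">\n'
    "        <QUESTION>Constructed question one</QUESTION>\n"
    "        <QUESTION>" + "A" * 300 + "</QUESTION>\n"
    "    </LANGUAGE>\n"
    '    <LANGUAGE id="fr_FR">\n'
    "        <QUESTION>Question construite en français</QUESTION>\n"
    "    </LANGUAGE>\n"
    "</SECURITY_QUESTIONS>\n"
)

if __name__ == "__main__":
    for name, text in (("GOOD_FILE", GOOD_FILE), ("BAD_FILE", BAD_FILE)):
        print(name, lint_questions_file(text, enrollment=3) or "OK")
    print("requirements", check_requirements(enrollment=3, authentication=2) or "OK")
```

Run the linter over each per-language file before importing it; once it passes, validate the file against the schema from the Extras ZIP as the procedure describes, since the schema, not this script, is the authoritative definition of the format.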
Modify the Security Questions File
Security questions are contained in an XML file that is saved in the database. A set of default questions is provided for English-speaking users. You can modify the default questions by changing them or by adding questions. When your work is finished, you import the modified XML file into the database. When you import the new file, the language set in the new file replaces the corresponding set in the system. For example, all of the English questions in the new file replace all of the previous English questions. Therefore, if you modify even one question in the existing file, you must reimport the entire file.
Decide carefully whether to modify an existing security questions file. Each time you import a file to modify existing questions, all of the user answers to the previous questions are deleted. Users must reenter their answers. RSA recommends that you customize the security questions before any users answer the security questions.
Procedure
1. View the example in the security questions sample file (SecurityQuestionsSample.xml) in the RSA Authentication Manager Extras ZIP file.
2. Create a separate security questions XML file for each LANGUAGE element. For example, if you need questions in three languages, create a file for each language.
3. Type the security questions in each file using the actual language. Authentication Manager does not translate languages. A security question can contain up to 255 characters. Add at least as many security questions as are required by your security questions enrollment setting.
4. Make sure that each XML file includes a language ID code that matches the language of the text. For a list of supported language ID codes, see Language Codes for Security Questions.
5. Validate each file using the security questions file schema (SecurityQuestions.xsd) in the RSA Authentication Manager Extras ZIP file.
After you finish
Import each new security questions file. For instructions, see Import Security Questions.
Import Security Questions
After adding or modifying a set of security questions, you need to import the new security questions file. Importing a security questions file overwrites the existing file with the new file. All of the existing questions are replaced with the questions in the new file.
Note: When you import a new security questions file, the system deletes all answers to the set of security questions that you modified. This affects users who have already enrolled and entered answers to their security questions.
You can run a report that identifies which users need to answer the updated security questions. Run a report using the All Users template, and set the Security Questions Language parameter to include the language that you are modifying. You can also include attributes, such as Email, that allow you to contact those users.
Procedure
1. In the Security Console, click Setup > System Settings.
2. Click Security Questions Management.
3. Click Import Security Questions.
4. Click Browse, and attach the security questions file.
5. Click Import.
6. Select Yes, import security questions file, and click Import.
Language Codes for Security Questions
Security questions are an authentication method in which the user enrolls by answering questions and then provides the same answers during authentication. This method is used for logging on to the Self-Service Console, and can be used as an identity confirmation method for risk-based authentication (RBA).
A default set of questions is provided for English-speaking users, but you can modify the questions and create new sets of questions in any supported language. To modify or add security questions, you must create a security questions file and import it. For more information, see Modify the Security Questions File and Import Security Questions.
In the security questions file, you must identify the language using the id attribute and the corresponding attribute value, for example:
<LANGUAGE id="ar_KW">
All supported languages are listed alphabetically in the table. Locate the language of the security questions that you want to add to the security questions file, and use the corresponding id attribute value to identify the language.
Note: You can maintain only one set of security questions for each id attribute value.
If more than one entry describes the language of the security questions that you are adding to your deployment, you can use either id attribute value.
| Language, Country, and Variant | id Attribute Value |
| --- | --- |
| Arabic | ar |
| Arabic, Algeria | ar_DZ |
| Arabic, Bahrain | ar_BH |
| Arabic, Egypt | ar_EG |
| Arabic, Iraq | ar_IQ |
| Arabic, Jordan | ar_JO |
| Arabic, Kuwait | ar_KW |
| Arabic, Lebanon | ar_LB |
| Arabic, Libya | ar_LY |
| Arabic, Morocco | ar_MA |
| Arabic, Oman | ar_OM |
| Arabic, Qatar | ar_QA |
| Arabic, Saudi Arabia | ar_SA |
| Arabic, Sudan | ar_SD |
| Arabic, Syria | ar_SY |
| Arabic, Tunisia | ar_TN |
| Arabic, United Arab Emirates | ar_AE |
| Arabic, Yemen | ar_YE |
| Belarusian | be |
| Belarusian, Belarus | be_BY |
| Bulgarian | bg |
| Bulgarian, Bulgaria | bg_BG |
| Catalan | ca |
| Catalan, Spain | ca_ES |
| Chinese | zh |
| Chinese, China, Simplified | zh_CN |
| Chinese, Hong Kong | zh_HK |
| Chinese, Taiwan, Traditional | zh_TW |
| Croatian | hr |
| Croatian, Croatia | hr_HR |
| Czech | cs |
| Czech, Czech Republic | cs_CZ |
| Danish | da |
| Danish, Denmark | da_DK |
| German | de |
| German, Austria | de_AT |
| German, Germany | de_DE |
| German, Luxembourg | de_LU |
| German, Switzerland | de_CH |
| Greek | el |
| Greek, Greece | el_GR |
| English, Australia | en_AU |
| English, Canada | en_CA |
| English, India | en_IN |
| English, Ireland | en_IE |
| English, New Zealand | en_NZ |
| English, South Africa | en_ZA |
| English, United Kingdom | en_GB |
| Estonian | et |
| Estonian, Estonia | et_EE |
| Finnish | fi |
| Finnish, Finland | fi_FI |
| French | fr |
| French, Belgium | fr_BE |
| French, Canada | fr_CA |
| French, France | fr_FR |
| French, Luxembourg | fr_LU |
| French, Switzerland | fr_CH |
| Hindi, India | hi_IN |
| Hebrew | iw |
| Hebrew, Israel | iw_IL |
| Hungarian | hu |
| Hungarian, Hungary | hu_HU |
| Icelandic | is |
| Icelandic, Iceland | is_IS |
| Italian | it |
| Italian, Italy | it_IT |
| Italian, Switzerland | it_CH |
| Japanese | ja |
| Japanese, Japan | ja_JP |
| Korean | ko |
| Korean, South Korea | ko_KR |
| Latvian | lv |
| Lithuanian | lt |
| Lithuanian, Lithuania | lt_LT |
| Russian | ru_RU |
| Spanish | es |
| Spanish, Argentina | es_AR |
| Spanish, Bolivia | es_BO |
| Spanish, Chile | es_CL |
| Spanish, Colombia | es_CO |
| Spanish, Costa Rica | es_CR |
| Spanish, Dominican Republic | es_DO |
| Spanish, Ecuador | es_EC |
| Spanish, El Salvador | es_SV |
| Spanish, Guatemala | es_GT |
| Spanish, Honduras | es_HN |
| Spanish, Mexico | es_MX |
| Spanish, Nicaragua | es_NI |
| Spanish, Panama | es_PA |
| Spanish, Paraguay | es_PY |
| Spanish, Peru | es_PE |
| Spanish, Puerto Rico | es_PR |
| Spanish, Spain | es_ES |
| Spanish, Uruguay | es_UY |
| Spanish, Venezuela | es_VE |
| Thai | th |
| Thai, Thailand | th_TH |
| Thai, Thailand, TH | th_TH_TH |
| Vietnamese | vi |
| Vietnamese, Vietnam | vi_VN |
View All Security Questions for the Deployment
You can view all sets of security questions for your deployment. For each set, you can view the number of users enrolled, the total number of security questions in the set, and the actual questions.
Procedure
1. In the Security Console, click Setup > System Settings.
2. Under Authentication Settings, click Security Questions Management.
3. Under the language section, select Show Security Questions.
The security questions for your deployment are displayed.
Clear User Answers to Security Questions
You can clear a user's answers to security questions. For example, you might want to do this if the user forgot the answers, or if the security of the answers was compromised in some way. After answers are cleared, the user must provide new answers in order to use security questions for self-service troubleshooting or risk-based authentication.
Procedure
1. In the Security Console, click Identity > Users > Manage Existing.
2. Use the search fields to find the user that you want to edit. Some fields are case sensitive.
3. Click the user that you want to edit, and select Edit.
4. Under Account Information, select Clear user answers to security questions.
5. Click Save.