Oracle® Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager
Release 11g (11.1.1)

Part Number E14568-02

6 Managing Knowledge-Based Authentication

This chapter introduces you to the concepts behind knowledge-based authentication (KBA), and provides information about managing tasks that impact challenge questions, validations and levels of logic algorithms used for answers, question categories, and levels of logic algorithms used for registration.

Sections in this chapter are:

6.1 Introduction and Concepts

This section describes knowledge based authentication (KBA) key concepts.

6.1.1 Knowledge Based Authentication

Oracle Adaptive Access Manager provides out-of-the-box secondary authentication in the form of knowledge based authentication (KBA). KBA is a secondary authentication method, an extension to the existing authentication method. It is presented after successful primary authentication (for example, a user entering single-factor credentials, such as a username and password) to improve authentication strength.

KBA provides an infrastructure for

  • Users to select questions and provide answers which are used to challenge them later on

    KBA is used to authenticate an individual based on the user's answers substantiated by a real-time interactive question and answer process.

  • Levels of logic algorithm for registration

    Registration Logic manages the registration of challenge questions and answers.

  • Levels of logic algorithm for answers

    Answer Logic is made up of advanced matching algorithms (fuzzy logic) used by the system to intelligently detect the correct answers in the challenge response process. The algorithms and the level of Answer Logic are factors in evaluating answers.

  • Validations

    Validations are used to validate the answers given by a user at the time of registration.

KBA is used during online authentication of the user, which is automated, or a CSR challenge where the CSR interacts with the user to authenticate him before providing CSR services.

6.1.2 Challenge Response Process

The KBA solution consists of securing an application using a challenge/response process where users are challenged with one or more questions to proceed with their requested sign-on, transaction, service, and so on.

6.1.3 Challenge Response Configuration

The challenge/response process is controlled by a combination of properties and rules.

  • Question presented at random or round robin

    Presentation logic (random versus round robin) is configurable through properties. If the deployment supports Oracle Identity Manager integration, the presentation is round robin. The user is expected to answer all the registered questions online.

  • The number of attempts a user is allowed for each question is set by a property.

  • The total number of KBA challenge failures a user is allowed before he is locked out by Oracle Adaptive Access Manager is configured in a rule condition.

6.1.4 Registration

During registration, which could be enrollment, opening a new account, or another event such as a reset, the user is asked to select questions and provide answers. The order of questions that are presented to a user during the registration phase is random, using configurable parameters.

Later on, the challenge questions selected at registration or during a reset may be used for challenge during high risk log ins, to access transactions, or sensitive information, or both, and so on. Oracle Adaptive Access Manager's Rules Engine and business rules are responsible for determining if it is appropriate to use challenge questions to authenticate the user.

6.1.5 Challenge Questions

During registration, users are presented with several question menus. For example, a user may be presented with three question menus. A user must select one question from each menu and enter answers for them during registration. Only one question from each question menu can be registered. These questions become the user's "registered questions."

When rules in OAAM Admin trigger challenge questions, OAAM Server displays the challenge questions and accepts the answers in a secure way for users. The questions can be presented in the QuestionPad, TextPad, and other pads, where the challenge question is embedded into the image of the authenticator, or simple HTML. These are configured through properties.

The out-of-the-box categories that questions can be grouped into are listed. The customer can configure questions from these categories.

  • Childhood

  • Sports

  • Your Birth

  • Parents, Grandparents, Siblings

  • Automobile

  • Education

  • Children

  • Your Employment

  • Significant Other

  • Pets

  • Miscellaneous

6.1.6 Question Set

KBA offers a large pool of questions, which is the framework for obtaining answers from the user during registration or reset.

The Question Set is a fixed set of questions that is allotted to the user. This set is allotted at random and once for the user unless it is reset.

It is generated based on the settings configured in the Registration Logic.

This Question Set prevents any single user from having access to all the challenge questions. This is to prevent a fraudster from harvesting questions for use in a phishing exercise.

A user can receive a new Question Set if a customer service representative resets it for the user.

6.1.7 Registration Logic

Registration Logic manages the registration of challenge questions and answers.

During KBA registration each user is presented with a Question Set, a subset of the challenge questions library.

The Question Set is generally broken up into several drop-downs that have questions to select. The drop-down with questions is called a "menu."

The number of questions that appear on each menu, the number of categories per menu, and the number of questions that a user must register is configurable.

Out-of-the-box, questions are grouped into categories.

The challenge questions in the questions menus do not change unless the question set is changed.

The user is required to select one question from each menu and enter answers for them. Only one question from each question menu can be registered.

Validations are applied to the answers provided by the user during registration.

For example, if the question, "What year did you start junior high school," is assigned the Month-Day-Year (MMDDYY) validation, a user registering for this question is not allowed to provide "April 1st 1920" for the answer.

To configure the Registration Logic, you specify the settings for:

  • The question set generation

    • The number of questions to be registered

    • The number of questions per menu

    • The number of categories per menu

    The Question Set is generated based on the Registration Logic.

  • The validations that will be applied to the answers

For information on setting Registration Logic, see Section 6.8, "Configuring the Registration Logic."

How do the KBA Registration Logic settings affect a customer's question set?

Example configurations are presented in the following table.

Example   Question/Menu   Categories/Menu   Questions/Category in a Menu
1         7               4                 2+2+2+1
2         10              4                 3+3+2+2
3         10              1                 10

Example #1, shown on line 1, results in registration menus containing 2 questions from category A and 2 questions from category B and 2 questions from category C and 1 question from category D.

This continues in a round robin fashion as needed. If there are any categories with an insufficient number of questions, or an insufficient number of categories, duplicate questions can result.

The following is an example of a configuration to avoid:

  • Number of questions user will register: 3

    The number of questions that a user must register. The new user registration should display the same number of question menus as the number of questions that a user must register.

  • Number of questions per menu: 5

The number of questions that appear on each menu. The new user registration should display the same number of questions in each menu as the number of categories for each menu. The total number of questions from all the menus (the number of questions the user registers multiplied by the number of questions in each menu) cannot exceed the total number of questions available in the database.

  • Number of categories per menu: 5

    The number of categories per menu. The new user registration should display the same number of categories for each menu as the number of questions in each menu.

Fifteen or more categories are required, each with at least one question enabled. But if there are fewer than 15 categories and one of these categories has only one question enabled, some Question Sets will have that question twice.

The algorithm tries to use as many available categories as possible.

For example to generate a Question Set with:

  • 3 menus

  • 5 questions per menu

  • 5 categories per menu

The algorithm tries to pick one question each from 15 categories if 15 categories are available.

The minimum number of questions per category should be equal to the number of questions in the Question Set divided by the total number of categories.
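The following is an added example, written for this page and not Oracle's code, that models the Question Set generation described above on constructed question libraries: categories are handed out round robin across menus, questions round robin across a menu's categories (so 7 questions over 4 categories gives the 2+2+2+1 split from the table), and a category that runs out of enabled questions wraps around, which is how the duplicate questions mentioned above arise. The registration_logic_warnings helper applies the sizing rules stated in this section; all function names and the data layout are assumptions.

```python
"""Illustrative model of OAAM-style KBA Question Set generation (not Oracle's code)."""
import math
import random
from collections import Counter, defaultdict


def generate_question_set(questions_by_category, questions_to_register,
                          questions_per_menu, categories_per_menu, seed=0):
    """Build one user's Question Set: a list of menus, each a list of
    (category, question) pairs.

    Categories are handed out round robin across menus so that as many
    categories as possible are used; within a menu, questions are drawn
    round robin across that menu's categories. If a category runs out of
    enabled questions the cursor wraps, which is exactly how duplicate
    questions creep into a Question Set."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    # Only categories with at least one enabled question take part.
    pools = {c: list(qs) for c, qs in questions_by_category.items() if qs}
    if len(pools) < categories_per_menu:
        raise ValueError("active categories must be >= categories per menu")
    categories = list(pools)
    rng.shuffle(categories)          # question order is random (see 6.1.4)
    for qs in pools.values():
        rng.shuffle(qs)

    picks = defaultdict(int)         # how often each category has been drawn
    cat_cursor = 0
    question_set = []
    for _ in range(questions_to_register):
        menu_cats = []
        for _ in range(categories_per_menu):
            menu_cats.append(categories[cat_cursor % len(categories)])
            cat_cursor += 1          # wraps when categories run out
        menu = []
        for i in range(questions_per_menu):
            cat = menu_cats[i % len(menu_cats)]
            pool = pools[cat]
            menu.append((cat, pool[picks[cat] % len(pool)]))  # wrap -> duplicate
            picks[cat] += 1
        question_set.append(menu)
    return question_set


def menu_split(menu):
    """Questions per category in one menu, in order of first appearance
    (the 'Questions/Category in a Menu' column of the table above)."""
    counts = Counter(cat for cat, _ in menu)
    return [counts[c] for c in dict.fromkeys(cat for cat, _ in menu)]


def duplicate_questions(question_set):
    """Questions that appear more than once anywhere in the Question Set."""
    counts = Counter(q for menu in question_set for _, q in menu)
    return sorted(q for q, n in counts.items() if n > 1)


def registration_logic_warnings(questions_by_category, questions_to_register,
                                questions_per_menu, categories_per_menu):
    """Pre-flight checks an administrator would run before saving the
    Registration Logic, based on the rules stated in this section."""
    warnings = []
    pools = {c: qs for c, qs in questions_by_category.items() if qs}
    total_available = sum(len(qs) for qs in pools.values())
    total_in_set = questions_to_register * questions_per_menu
    categories_needed = questions_to_register * categories_per_menu

    if len(pools) < categories_per_menu:
        warnings.append("fewer active categories than categories per menu")
    if total_in_set > total_available:
        warnings.append("Question Set is larger than the number of enabled questions")
    if len(pools) < categories_needed:
        warnings.append(f"{categories_needed} categories needed to avoid reusing "
                        f"a category across menus, only {len(pools)} active")
    # Each category should hold at least (questions in set / categories).
    min_per_category = math.ceil(total_in_set / max(len(pools), 1))
    thin = sorted(c for c, qs in pools.items() if len(qs) < min_per_category)
    if thin:
        warnings.append(f"categories with fewer than {min_per_category} "
                        f"questions may be duplicated: {thin}")
    return warnings
```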

Pre-requisite for Configuring Registration Logic for Locales

The deployment administrator must ensure that there are enough questions in the database for each of the supported locales as configured in OAAM Admin during deployment; otherwise, OAAM Server displays only the English language questions during registration.

The number of locale-specific questions must be equal to or greater than the "Questions User Will Register" multiplied by the "Questions per Menu" multiplied by the "Categories per Menu."

6.1.8 Answer Logic

Answer Logic checks to see if the answer provided by the user matches closely to the ones provided during registration.

Answer Logic is made up of advanced matching algorithms used by the system to intelligently detect the correct answers in the challenge response process. The algorithms and the level of Answer Logic are factors in evaluating answers.

Errors can be caused by simple input errors such as fat fingering, extra characters, misspellings, and so on.

Common misspellings and abbreviations for example can be accepted if the basic information of the answer is correct.

The following algorithms are available and can be configured for your requirements:

  • Phonetics

  • Missing character(s)

  • Extra character(s)

  • Common misspellings

  • Common abbreviations

  • Common acronyms

  • Keyboard fat fingering

  • Common nicknames

  • Regional spelling differences

  • Date Format

The Answer Logic algorithms can be enabled or disabled and the intensity or strength of some algorithms (the level of Answer Logic used to evaluate answers given for challenge questions) can also be configured.

For example, high risk transactions such as wire transfers may require a high degree of certainty (i.e. exact match) whereas accessing personal, non-sensitive information may require a lower degree of response certainty.

Answer Logic algorithms are available for both the online challenge and CSR phone challenge processes.

Online settings are applied for answers the user provided online using OAAM Server. Phone challenge settings are applied for answers provided by users over the phone and entered by the CSR.

The online challenge and CSR phone challenge Answer Logic are completely independent of each other. They can be configured separately.

For example, you can set the online challenge logic strength to high and the CSR phone challenge logic strength to low. For the CSR phone challenge logic strength, you may have provided more margin for error, because CSRs are listening to the answers over the phone and entering the answers.

6.1.9 Validations

Validations are used to validate the answers given by a user at the time of registration. Validations can be at the local level, associated with each individual question, or at the global level, applied to all the questions presented to the user.

There are no automated validations to ensure that question-specific validations and global validations do not conflict. Administrators must take care not to configure conflicting validations at the local and global levels. For example, the validation for a question should not be set to numeric only if alpha only is set as a global validation.

Question Registration Validation (Local)

Each question can be assigned unique validations to control the answers a user is allowed to register. For example, the business team may want to force users to answer a particular question using a specific date format.

The scope of validations applied to an individual question is local. Local validations are specified during the creation of a question.

Global Registration Validation (Global)

Global validations control the answers a user is allowed to register for all questions.

Global validations influence all answer registration. For example, if the "Four-digit year (YYYY)" validation is applied globally then only numeral answers are accepted during KBA registration. This would be a problem if there are questions available to users that would normally have alphanumeric answers.

Global validations are specified during the configuration of Registration Logic.

Global-Local Validation

The scope of validations can be applied to individual questions or a combination of questions.

6.1.10 Failure Counters

Failure counters are used to lock out fraudsters so that they are unable to obtain the answers/questions.

KBA uses two failure counters. They are:

  • the Online Counter

  • the Phone Counter

The maximum numbers for online challenges and phone challenges are configurable. The phone counter maximum is "per question."

For the following example, assume:

  • Max online = 3

  • Max phone (per question) = 3

If the user is answering challenge questions online, and if the user is given three attempts to provide a correct answer, a total of three attempts is allowed. Each failure increments the Online Counter. The user is locked out of the session after three attempts. The online only challenge is designed to limit the exposure of questions to fraudsters.

If the user is answering challenge questions over the phone, and if the user is given three attempts at answering each question, a total of nine attempts is allowed. Each failure increments the Phone Counter. The user is locked out of the session after nine attempts.

A success for an online or a phone challenge automatically resets all counters to zero. For the next challenge, the next question is displayed.

6.1.11 KBA Resets

Authenticator uses questions as additional credentials to help prevent fraud. A customer service representative (CSR) can reset these questions for the user when necessary.

The CSR can reset KBA-related items for a user, as described.

6.1.11.1 Reset Challenge Questions

The CSR resets a user's challenge questions. The system deletes the existing questions and answers and generates a new question set for the user to register from. Registration of challenge questions is required at the next log in to the Web site.

6.1.11.2 Reset Challenge Questions and the Set of Questions to Choose From

The CSR resets the user's challenge question set (challenge questions and the set of questions to register from). Registration of challenge questions is required at the next log in to the Web site.

6.1.11.3 Increment User to the Next Question

The CSR resets the user's next question so the system advances the user to the next challenge question in the list of registered questions. So if the user is currently being asked question A, question B or C is now asked. A different challenge question is presented at the next log in to the Web site.

6.1.11.4 Unlock a User

The CSR unlocks a user that has been locked out of the system because of failed challenge questions. Unlocking the user resets the user's failure counter.

6.1.11.5 Ask Question (KBA Phone Challenge)

The CSR uses the user's challenge questions for phone authentication and enters the user's response. If the user answers the question correctly, the question failure counter and increment question counter are reset. The system automatically takes appropriate action depending on the status, such as unlocking the user. Information about phone and online failures is provided in Section 6.1.10, "Failure Counters." High level flows for the Ask Question action are presented in Chapter 4, "Managing and Supporting Cases." The matrix in Section 6.1.10, "Failure Counters" contains detailed examples for individual flows.
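The following added example (written for this page, not Oracle's code) models the Online and Phone counters of Section 6.1.10 with the maximums used in that section's example, together with the CSR unlock and increment-question actions from Section 6.1.11. The class and method names are assumptions, as is the rule that once a question's phone attempts are spent the CSR moves on to the next registered question; the page only states the per-question and total maximums.

```python
"""Illustrative model of the KBA failure counters and the CSR actions that touch them."""


class UserLocked(Exception):
    """Raised when a challenge is attempted while the user is in Locked status."""


class KbaChallengeState:
    def __init__(self, registered_questions, max_online=3, max_phone_per_question=3):
        self.questions = list(registered_questions)  # e.g. ["A", "B", "C"]
        self.max_online = max_online
        self.max_phone_per_question = max_phone_per_question
        self.online_failures = 0        # Online Counter
        self.phone_failures = 0         # Phone Counter (total across questions)
        self.phone_failures_this_q = 0  # assumption: per-question sub-count
        self.next_question = 0          # index of the question presented next
        self.locked = False             # "Locked" status (Section 6.1.13)

    @property
    def max_phone_total(self):
        # 3 attempts per question x 3 registered questions = 9 in the page example
        return self.max_phone_per_question * len(self.questions)

    def current_question(self):
        return self.questions[self.next_question % len(self.questions)]

    def _require_unlocked(self):
        if self.locked:
            raise UserLocked("a CSR must unlock the user before another challenge")

    def _success(self):
        # A success on either channel resets all counters to zero and the
        # next challenge shows the next registered question.
        self.online_failures = self.phone_failures = self.phone_failures_this_q = 0
        self.next_question = (self.next_question + 1) % len(self.questions)
        return "success"

    def online_attempt(self, correct):
        """One online answer; the user is locked after max_online failures."""
        self._require_unlocked()
        if correct:
            return self._success()
        self.online_failures += 1
        if self.online_failures >= self.max_online:
            self.locked = True
            return "locked"
        return "retry"  # the same question is asked again

    def phone_attempt(self, correct):
        """One answer relayed by the CSR; locked after the per-question
        maximum times the number of registered questions (9 in the example)."""
        self._require_unlocked()
        if correct:
            return self._success()
        self.phone_failures += 1
        self.phone_failures_this_q += 1
        if self.phone_failures >= self.max_phone_total:
            self.locked = True
            return "locked"
        if self.phone_failures_this_q >= self.max_phone_per_question:
            # Assumption: attempts for this question are spent, move to the next one.
            self.phone_failures_this_q = 0
            self.next_question = (self.next_question + 1) % len(self.questions)
            return "next_question"
        return "retry"

    # CSR actions from Section 6.1.11
    def csr_increment_question(self):
        """Increment User to the Next Question."""
        self.next_question = (self.next_question + 1) % len(self.questions)

    def csr_unlock(self):
        """Unlock a User: clears Locked status and resets the failure counters."""
        self.locked = False
        self.online_failures = self.phone_failures = self.phone_failures_this_q = 0
```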

6.1.12 Disable Question and Category Logic

This section describes the logic to handle disabled questions and categories.

Disabling Logic

The disabling logic is as follows for KBA:

  • If you disable the last remaining question in a category, the category is automatically disabled as well.

  • The number of active categories must be equal to or greater than the maximum number of categories in the question menu. An error message results when you try to disable a category and this requirement is not met.

Consequences

The following table summarizes the disable results.


Disable Question

  • New customers: The disabled question is not used to generate new users' question sets.

  • Users with the question in their question set: At re-registration or when a user changes his preference, the disabled question is replaced with another question from the same category.

  • Users with the question registered: The disabled question continues to be active. If the user is re-registering or changing user preference, the disabled question is replaced with another question from the same category.

Disable Category

  • New customers: The disabled category is not used to generate new users' question sets.

  • Users with a question from the category in their question set: At re-registration or when a user changes his preference, all questions in the disabled category are replaced with questions from a new category that has not been used to generate the current question set.

  • Users with a question from the category registered: Questions from the disabled category continue to be active. If the user is re-registering or changing user preference, all questions in the disabled category are replaced with questions from a new category that has not been used to generate the current question set.


6.1.13 Locked Status

Locked is the status that OAAM Admin sets if the user fails the question challenge. The "Locked" status is only used if the KBA or OTP Anywhere is in use.

A user is locked out of the session after the failure counter reaches the maximum number of failures.

After the user is locked out, a Customer Service Representative must reset the status to Unlocked before the account can be used to enter the system.

6.2 Setting Up KBA Overview

This section outlines the steps to manage the library, registration and answer processing of the challenge questions.

6.2.1 Loading Challenge Questions

The challenge questions must be loaded into Oracle Adaptive Access Manager before the users can be asked to register.

For information on loading challenge questions, see Section 2.5, "Importing Challenge Questions."

6.2.2 Setting Up KBA

To set up KBA:

6.2.3 Setting Up Challenge

To set up challenge:

  • Set up the Registration Logic - Validations are used to validate the answers given by a user at the time of registration.

    For information, see Section 6.8, "Configuring the Registration Logic."

  • Set up the Answer Logic - The Answer Logic settings can be configured for the exactness required for challenge question answers and for answering threshold/tolerance, such as the level of fat fingering, typos, abbreviations, and so on.

    For information, see Section 6.9, "Configuring the Answer Logic."

6.2.4 User Flow

The following diagram illustrates the user experience with the KBA framework implemented.

Figure 6-1 KBA User Flow

Use Case: New User Registration

This section illustrates an example of the new user registration experience.

The use case: You are Helen, a new Acme Corp customer. You have heard the horror stories about online identity theft and it has kept you from utilizing the online service Acme offers. This month however Acme did a customer education campaign showing the many ways customers are protected while online. You feel much better and your trust in the Acme brand has been bolstered. Today you are logging in for the first time.

Directions: Complete the registration flow to log in for the first time.

  1. Open the OAAM Server page.

  2. On the first sign in page, enter <user name> in the Username field and press Continue.

  3. On the second sign in page, enter <password> into the secure TextPad and click Enter.

    The Your New Security Profile page is displayed with information about Security Image and Phrase and Security Questions and Answers.

  4. Click Continue to register your security profile.

    The Your Security Device page is displayed with a personalized virtual authentication device. On the page you are given options to learn more about your device, obtain a new image and phrase, and upgrade to a higher security device.

  5. If you want, you can select a new image and phrase by clicking the image and phrase link or select a new device by clicking the Upgrade link.

    Click the image and phrase link until you find a device you want.

    If you clicked Upgrade and decided against the upgrade, you can revert to the default security device by clicking the Revert link.

  6. Click Continue to accept the security device, image and phrase.

    The Security Questions set up page is displayed.

  7. Select a question from the pull-down menu, and then answer the question in the TextPad, and click Enter.

  8. Repeat Step 7 until you have completed selecting the questions and entering the answers.

    A welcome screen appears with a message that you are successfully logged in.

Use Case: User Login

This section illustrates an example of the user login experience.

Use case: It has been a week since you completed the registration process on your laptop at work. Today you are on a business trip to another state and you are logging in on your laptop using free Wi-Fi at a local coffee shop.

Directions: Try to log in to OAAM server using a different IP (this should be a public IP and should belong to a different state).

  1. Log in on your laptop using free Wi-Fi at a coffee shop in another state.

    1. On the first sign in page, enter <user name> in the Username field and press Continue.

    2. On the second sign in page, enter <password> into the secure TextPad and click Enter.

      A page appears asking you to answer a security question. The question appears in QuestionPad.

      You are asked a challenge question because the public IP group and uncommon state rules are triggered.

      The public IP group rule contains the "Location: in IP group" condition and the uncommon state rule contains the "User: state first time for user" condition.

  2. Enter the answer to the security question in QuestionPad and press Enter.

    If you answer the question successfully, you are logged in.

6.3 Setting Up the System to Use Challenge Questions

This section provides a summary of the steps you must take to set up your system to use challenge questions.

For information on performing a phased rollout KBA and enabling challenge questions, see Chapter 7, "Enabling Challenge Questions."

Task

  • [ ] Ensure that base policies are installed

  • [ ] Link the appropriate policies to the user group that you want KBA to be enabled for

  • [ ] Ensure that KBA properties are set

  • [ ] Upload the challenge questions using OAAM Admin

  • [ ] Import and enable policies for your security and business needs

  • [ ] Change the rules within the registration and challenge policies with appropriate actions

6.3.1 Ensuring that Universal Installation Option Base Policies are Installed

If you are using pre-packaged policies, ensure that the base policies are installed. If you are not using pre-packaged policies, use this chapter as a guideline for enabling challenge questions.

Oracle Adaptive Access Manager is shipped with default policies packaged into two ZIP files.

The default policies are available in oaam_init in the MW_HOME/IDM_ORACLE_HOME/oaam/init directory.

If you want to use these policies, import them into your system by following the instructions in Section 9.16.2, "Importing a Policy."

6.3.2 Ensuring that KBA Properties/Default Properties are Set

Ensure that the bharosa.kba.active property is set to true. See Chapter 22, "Using the Properties Editor" for information on modifying properties.

6.3.3 Uploading Challenge Questions

The challenge questions must be loaded in Oracle Adaptive Access Manager before the users can be asked to register.

For information on importing challenge questions, see Section 2.5, "Importing Challenge Questions."

6.3.4 Importing and Enabling Policies

Import KBA security policies that pertain to your business and security needs and link them to a user group to which you want KBA to be enabled.

For information on importing policies, see Chapter 9, "Managing Policies, Rules, and Conditions."

6.3.5 Configuring Rules for Registration and Challenge Policies

Change the rules within the policies for your needs.

6.4 Accessing Configurations in KBA Administration

This section describes how to navigate to KBA administration tasks in OAAM Admin.

You can navigate to KBA tasks through the Navigation tree. The KBA Infrastructure provides you with access to all questions, validations, categories, registration and Answer Logic, and other elements.

These are the subnodes under KBA, which provide access to the configurations in the KBA infrastructure:

For alternative methods to open search pages, refer to Section 3.9, "Access to Search, Create, and Import." Validation Search and Edit, Registration Logic and Answer Logic pages can be opened in the same manner as the search pages.

Note that you cannot open the KBA node.

6.5 Managing Challenge Questions

The KBA functionality enables you to manage challenge questions.

You can perform the following task for challenge questions:

6.5.1 Searching for a Challenge Question

Use the Questions Search page to view a list of all challenge questions and search for a question based on various criteria. The Questions Search page provides access to the Questions Details page for any question.

When the Questions Search page first appears, the Search Results table is displayed with default filter values.

To search for a question:

  1. Navigate to the Questions Search page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

    An example Questions Search page is shown in Figure 6-2.

    Figure 6-2 Questions Search page

    The Questions Search page displays a Search section and a Search Results table that shows a summary of the questions that match your search criteria.

  2. Specify criteria in the Search Filter to locate the questions and click Search.

    The search filter criteria are described in Table 6-1.

    If you want to reset the search parameters to the default setting, use the Reset button.

    Table 6-1 Question Search Criteria

    Field                Description
    Question ID          The ID for the question.
    Question Keyword     The keyword in the question.
    Status               The status of the question: Active or Disabled.
    Category             The category to which the question belongs. For example: Education, Pets, Sports, and so on.
    Locale               The language the question is in. For example: English, Finnish, Czech, and so on.
    Validations          Global validations. For example: Four-digit year (YYYY), Month Day (MMDD), and so on.
    Answer Logic Hints   A hint added to questions individually to affect the Answer Logic used to evaluate given answers. For example: Date Answer Hint.
    Create Time          A timeframe within which the question was created.
    Update Time          A timeframe within which the question was modified.


The Search Results table displays a summary of questions that match the criteria specified.

By default, questions are sorted on Question Name, but you can sort questions on Update Time, Create Time, Status, Question, and Category.

In the Search Results table, click the question link to view more details. The Question Details page appears.

Table 6-2, "Question Action menu commands" lists the commands that are available through the Action menu. You can select one or more questions and perform actions on those questions.

Table 6-2 Question Action menu commands

Command               Description
New Question          Creates a new question. By default, the question is enabled on create. You can create a question for any locale.
Create Like           Creates a new question that is similar to ("like") an existing question.
Edit Selected         Enables you to edit the selected question.
Edit Category         Opens the category of the selected question.
Delete Selected       Deletes questions.
Activate Selected     Activates questions.
Deactivate Selected   Deactivates questions.
Import Questions      Imports questions.
Export Selected       Exports questions as .XML files.


Except for creating a question, edit selected, and edit category, all other operations are bulk operations.

6.5.2 Viewing Question Details and Statistics

The Question Details page provides information such as:

  • Question Sets with Question

  • Users Registered for Question

  • Percentage of Users Registered For Question

  • Percentage of Successful Challenges

  • Percentage of Unsuccessful Challenges

  • Question ID

  • Last Updated Date

To view question statistics:

  1. Navigate to the Questions Search page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. From the Questions Search page, click the question of interest in the Search Results table.

    The Question Detail page appears with the statistics.

6.5.3 Creating a New Question

To create a new question

  1. In the Navigation tree, double-click Questions under KBA. The Questions Search page is displayed.

  2. From the Questions Search page, click the New Questions button.

    The New Questions page appears where you can enter details to create a new question.

    Alternative methods to open create pages are listed in Section 3.9, "Access to Search, Create, and Import."

    When the New Question page first appears, the default value for the question status is Active.

    Question, Category, Status, and Locale are required fields.

  3. Type the new question in the Question field.

    The question names must be unique across categories.

  4. From the Category list, select the category of question you want.

    By default, there is no data in the Category list. You must import the challenge questions ZIP files (oaam_kba_questions_<locale>.zip) for data to appear in the Category menu. You can also create a new category.

  5. In the Locale list, select the language you want.

    By default, the Locale menu displays English and 26 other default locale languages.

  6. Each question can be assigned unique validations to control the answers a user is allowed to register. To assign a local validation, select the validation type from the Registration Validation list.

    The local validations you select in this step control the answers a user is allowed to register for this particular question.

    It does not control the registration of answers for all questions.

    For information on the difference between global and local validations, refer to Section 6.1.9, "Validations."

  7. In the Answer Logic Hints list, select the type of Answer Logic Hint you want.

    A hint can be added to questions individually to affect the Answer Logic used to evaluate given answers. This is performed to better tune the logic for the type of question. This is especially important for date related questions.

    These hints help the Answer Logic function more successfully on some questions, for example, on date related questions. If a question has the date answer hint applied then the abbreviations, phonetics and fat fingering Answer Logic runs first, and then special date format logic is applied.

  8. Click Apply. A confirmation dialog appears telling you that the question was created successfully.

  9. Click OK to dismiss the dialog.

    The Question Detail page appears for the newly created question.

    After the question has been created, you can edit details.

6.5.4 Creating a Question Like Another Question

To create a new question that is similar to an existing question:

  1. Navigate to the Questions Search page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. From the Questions Search page, select the row corresponding to the question of interest.

  3. Click the Create Like icon.

    The Create Like screen appears where you can enter details to create a new question.

    The Create Like screen appears with pre-populated data from the original question. Pre-populated fields are Category, Locale, Status, Answer Logic Hints, and Registration Validations.

    Question, Category, Status and Locale are required fields.

    The Create Like icon is disabled if multiple rows are selected.

    You can create a question for any locale.

  4. Type the new question in the Question field.

  5. Edit any of the other fields if you want.

  6. Click OK.

    The Question Detail page appears for the newly created question.

    If you click Cancel, the Questions Search page appears.

6.5.5 Editing a Question

The Question Details page enables you to activate/disable questions and edit the question, question category, locale, and registration and answer validation.

Read-only question statistics are available in the Question Statistics section.

If you edit a question, users using that question receive the updated question.

To edit a question

  1. Navigate to the Questions Search page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. In the Questions Search page, search for the questions you are interested in.

  3. Click the hyperlinked question you want to edit.

    The Question Details page appears.

  4. Make the changes you want.

    You cannot edit the Question ID or last updated time.

  5. Click Apply to save the changes or Revert to discard them.

    If you click Revert, the edited details are reverted to the initial state.

6.5.6 Importing Questions

To import questions:

  1. Navigate to the Questions Search page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. In the Questions Search page, click Import Questions or select Import Selected from the Actions menu.

  3. In the Import Questions screen, type the path and name of the file; or use the Browse (...) button to locate the ZIP file that contains the questions, and then select the file.

  4. Click Open and then click Import.

    If you import questions that belong to a category not currently in the system, the category is also imported. If you import a question with the same ID number as an existing question, the existing question is overwritten.

    A confirmation dialog displays the status of the operation and a list of questions that were imported into the system.

  5. Click Done.

6.5.7 Exporting Questions

Multiple questions can be selected and exported.

To export questions:

  1. Navigate to the Questions Search page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. In the Questions Search page, search for the questions you are interested in.

  3. Select the rows corresponding to the questions of interest.

  4. Select the Export icon or Export from the Actions menu.

  5. In the Export screen, click the Export button.

    The selected questions are exported.

6.5.8 Deleting a Question

To delete a question, follow these instructions.

  1. Navigate to the Questions Search page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. In the Questions Search page, search for the questions you are interested in.

  3. Select the rows corresponding to the questions of interest and click Delete or select Delete Selected from the Actions menu.

    The Delete button and Delete Selected menu item are enabled only if a question is selected.

    A Confirm Delete dialog is displayed with a list of questions and question IDs.

  4. Click Delete to delete the questions.

    Deleted questions are not available for new registrations but users currently registered for these questions can continue to use them.

    A confirmation dialog is displayed.

  5. In the confirmation dialog, click OK.

An error is displayed when you try to delete a question that is in use by a registered user.

6.5.9 Disabling a Question

To disable a question

  1. Navigate to the Questions Search page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. In the Questions Search page, search for the question you want to disable.

  3. Click the hyperlinked question you want to disable.

    The Question Details page appears.

  4. In the Status field, select Disable and click Apply.

    The selected questions are disabled.

The following scenarios occur when a question is disabled:

  • The disabled question cannot be used to generate a new user's Question Set.

  • At re-registration or reset, the disabled question is replaced with another question from the same category for those users who had the disabled question in their question set.

  • The disabled question remains active for users who have registered the question. If the user is re-registering or changing user preference, the disabled question is replaced with another question from the same category.

6.5.10 Activating Questions

To activate questions:

  1. Navigate to the Questions Search page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. In the Questions Search page, search for the questions you are interested in.

  3. Select the rows corresponding to the questions you want to activate.

  4. Press the Activate button or select Activate from the Actions menu.

    The selected questions are activated.

6.5.11 Deactivating Questions

To deactivate questions:

  1. Navigate to the Questions Search page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. In the Questions Search page, search for the questions you want to deactivate.

  3. Select the rows corresponding to the questions you want to deactivate.

  4. Press the Deactivate button or select DeActivate from the Actions menu.

    The selected questions are deactivated.

The following scenarios occur when a question is deactivated:

  • The deactivated question is not used to generate a new question set.

  • At re-registration or reset, the deactivated question is replaced with another question from the same category for those users who had the deactivated question in their question set.

  • The deactivated question remains active for users who have registered the question. If the user is re-registering or changing user preference, the deactivated question is replaced with another question from the same category.

6.6 Setting Up Validations for Answer Registration

You can manage and define validations that are used on answers given by users at the time of registration.

This section provides instructions to set up global validations that control the answers a user is allowed to register for all questions.

For information on the difference between global and local validations, refer to Section 6.1.9, "Validations."

6.6.1 Using the Validations Page

The Validations page enables you to perform the following functions:

Navigate to the Validations page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

An example Validations page is shown in Figure 6-3.

Figure 6-3 Validations Page

This screenshot is of the Validations page.

By default, validations are sorted on Validation Name, but you can sort validations on Updated.

Table 6-3, "Validation Action menu commands" lists the commands that are available through the Action menu. You can select one or more validations and perform actions on those validations.

Table 6-3 Validation Action menu commands

  Command   Description
  Add       Adds a new validation.
  Import    Imports validations.
  Export    Exports validations.
  Delete    Deletes validations.


6.6.2 Adding a New Validation

You can add a new validation to the system when needed.

Validations are defined for use during challenge questions registration.

To add a validation:

  1. Navigate to the Validations page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. From the Validations page, click the New Validation button.

    The Add a New Validation page appears where you can enter details to create a new validation.

    Alternatively, you can open the Add a New Validation page by:

    • Selecting the Add Validation button from the Search Results toolbar.

    • Selecting New Validation from the Actions menu in Search Results.

  3. In the Validation Type list, select the validation scheme you want to add.

    You might, for example, select the validation type, Maximum Length. This validation scheme allows the customer to create a validation for the maximum allowed length for the answer.

    The parameters of the validation appear in the Validation Parameters Details area of the Validations page.

    Note:

    The fields displayed on the screen depend on the validation type selected.

  4. In the Name field, enter the name you want for this instance of the validation scheme.

    When you create a validation from available validation schemes in the system, you are adding an instance of validation. You can then customize that instance.

  5. Specify the validation parameters that correspond to your validation type.

    For example, the validation parameter can be 30 for an instance of the Maximum Length validation. This validation instance restricts the user from entering an answer longer than 30 characters.

    Table 6-4 Validation Parameters

    Validation Type: Inappropriate Language
    Label for Field: Enter Inappropriate Words
    Description: Inappropriate language for the answer.
    Example: Sloppy, Wrong, Yucky

    Validation Type: Regex
    Label for Field: Enter Regex Pattern
    Description: Regular expression pattern string for the answer. For example, the pattern can be "[A-Za-z0-9]+" for alphanumeric validation. If the answer entered by the user does not match the configured regular expression pattern, the validation fails and a configured error message is displayed.
    Example: [0-9]+

    Validation Type: Date
    Label for Field: Enter Date Notation
    Description: Date/time pattern string for the answer. For example, the pattern can be "MMddyy" for Month Day Year validation. If the date/time answer entered by the user does not match the configured pattern, the validation fails and a configured error message is displayed.
    Example: MMDDYY

    Validation Type: Minimum Length
    Label for Field: Enter Minimum Length
    Description: Minimum length (number) for the answer. If the length of the answer entered by the user is less than the configured value, the validation fails and a configured error message is displayed.
    Example: 3

    Validation Type: Maximum Length
    Label for Field: Enter Maximum Length
    Description: Maximum allowed length (number) for the answer. If the length of the answer entered by the user is above the configured value, the validation fails and a configured error message is displayed.
    Example: 3

    Validation Type: Repeated Character
    Label for Field: Enter Number of Repeating Characters
    Description: Allowed number of repeated characters in the answer. If the answer entered by the user contains more repeated characters than the configured value, the validation fails and the user gets a configured error message.
    Example: 3

    Validation Type: Repeated Answers
    Label for Field: Enter Number of Repeating Answers
    Description: Allowed number of repeated answers. For example, the parameter value can be '1' for unique answer validation. If the answer entered by the user is repeated more than the configured number of times, the validation fails and the user gets a configured error message.
    Example: 1

    Validation Type: Character
    Label for Field: Enter Disallowed Characters
    Description: Characters that are not allowed.
    Example: *



  6. Click Add.

    OAAM Admin adds this validation instance to the list of validations in the System.
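As an added example (not OAAM code), the following Python models the checks of Table 6-4 at answer registration time. The rule names, the rule dictionary layout, the sample answers, and the reading of "repeated characters" as the longest run of one character and "repeated answers" as occurrences across the user's registered answers are assumptions; the thresholds reuse the table's example values.

```python
import re
from datetime import datetime

# Java SimpleDateFormat letters used by the Date validation, mapped to the
# equivalent strptime directives. Only the letters needed for the table's
# "MMddyy" example are covered (assumption; the product supports more).
_DATE_TOKENS = {"yyyy": "%Y", "yy": "%y", "MM": "%m", "dd": "%d"}


def _to_strptime(pattern):
    """Translate a SimpleDateFormat-style pattern such as 'MMddyy' to '%m%d%y'."""
    out = pattern
    for java, py in sorted(_DATE_TOKENS.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(java, py)
    return out


# Constructed local validations for a free-text question, using the example
# values from Table 6-4 and the maximum length of 30 from step 5.
TEXT_RULES = {
    "inappropriate_words": ["Sloppy", "Wrong", "Yucky"],
    "regex": "[A-Za-z0-9]+",
    "min_length": 3,
    "max_length": 30,
    "max_repeated_chars": 3,
    "max_repeated_answers": 1,
    "disallowed_chars": "*",
}

# Constructed local validation for a date question.
DATE_RULES = {"date_pattern": "MMddyy"}


def _longest_run(text):
    """Length of the longest run of one repeated character ('aaab' -> 3)."""
    return max((len(m.group(0)) for m in re.finditer(r"(.)\1*", text)), default=0)


def validate_answer(answer, rules, other_answers=()):
    """Apply every configured validation to a candidate answer at registration
    time. Returns the names of the validations that failed; an empty list means
    the answer may be registered. other_answers are the answers the user has
    already registered for the other questions in the set."""
    failures = []
    if "inappropriate_words" in rules:
        banned = {w.lower() for w in rules["inappropriate_words"]}
        if any(w.lower() in banned for w in answer.split()):
            failures.append("inappropriate_language")
    if "regex" in rules and re.fullmatch(rules["regex"], answer) is None:
        failures.append("regex")
    if "date_pattern" in rules:
        try:
            datetime.strptime(answer, _to_strptime(rules["date_pattern"]))
        except ValueError:
            failures.append("date")
    if "min_length" in rules and len(answer) < rules["min_length"]:
        failures.append("minimum_length")
    if "max_length" in rules and len(answer) > rules["max_length"]:
        failures.append("maximum_length")
    if "max_repeated_chars" in rules and _longest_run(answer) > rules["max_repeated_chars"]:
        failures.append("repeated_character")
    if "max_repeated_answers" in rules:
        # Count this answer plus any identical answers already registered.
        same = 1 + sum(1 for a in other_answers if a.strip().lower() == answer.strip().lower())
        if same > rules["max_repeated_answers"]:
            failures.append("repeated_answers")
    if "disallowed_chars" in rules and any(c in rules["disallowed_chars"] for c in answer):
        failures.append("character")
    return failures


if __name__ == "__main__":
    for candidate in ("Rover", "Ro*ver", "aaaab", "Yucky"):
        print(candidate, "->", validate_answer(candidate, TEXT_RULES) or "accepted")
    print("071370 ->", validate_answer("071370", DATE_RULES) or "accepted")
```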

6.6.3 Editing an Existing Validation

To edit an existing validation

  1. Navigate to the Validations page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. From the Validations page, select the hyperlinked configured validation you want to edit.

  3. In the Validation Parameter Details section, make the necessary changes. See Table 6-4, "Validation Parameters".

    You can edit strings, numbers, and characters in the validation parameters field.

  4. Click Save.

    OAAM Admin updates this validation instance in the system.

6.6.4 Exporting Validations

To export validations:

  1. Navigate to the Validations page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. In the Validations page, search for the validations you are interested in.

  3. Select the rows corresponding to the validations you want to export.

  4. Select Export Selected from the Actions menu.

  5. When the Export screen appears, select Save File, and then Save.

    The file is exported and saved as a ZIP file.

6.6.5 Deleting Validations

To delete validations:

  1. Navigate to the Validations page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. In the Validations page, search for the validations you want to delete.

  3. Select the rows corresponding to the validations of interest and click Delete.

    A dialog appears asking you if you want to delete the validation.

  4. Click Delete to confirm.

    A dialog appears with the message that the validation was deleted successfully.

  5. Click OK to dismiss the dialog.

6.7 Managing Categories

You can perform the following task for categories:

6.7.1 Searching for a Category

On the Categories Search page you can view a list of all categories and search for a category based on various criteria. The Categories Search page provides access to the Category Details page for any category.

When the Categories Search page first appears, the Search Results table displays results from the default search values.

To search for a category:

  1. Navigate to the Categories Search page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

    An example Categories Search page is shown in Figure 6-4.

    Figure 6-4 Categories Search page

    The Categories search page is shown.

    The Categories Search page displays a Search section and a Search Results table that shows a summary of the categories that match your search criteria.

  2. Specify criteria in the Search Filter to locate the specific question category and click Search.

    The search filter criteria are described in Table 6-1.

    If you want to reset the search parameters to the default setting, use the Reset button.

    Table 6-5 Question Search Criteria

    Field         Description
    Category      The category name. For example: education, pets, sports, and so on.
    Status        The status of the category.
    Create Time   A timeframe within which the category was created or modified.
    Update Time   A timeframe within which the category was updated.


The Search Results table displays a summary of categories that match the criteria specified.

In the Search Results table, click the hyperlinked category you are interested in to view more details. The Category Details page appears.

6.7.2 Creating a New Category

If the out-of-the-box categories do not meet your needs, create categories that can hold relevant questions you plan to create.

To create a new category

  1. Navigate to the Categories Search page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. From the Categories Search page, click the New Category button or the New icon.

    Alternative methods to open create pages are listed in Section 3.9, "Access to Search, Create, and Import."

    The New Category page appears where you can enter details to create a new category.

  3. Type the new category in the Category field.

  4. Enter a description.

  5. Click Apply.

    The Category Details page appears for the newly created category.

6.7.3 Editing a Category

The Category Details page enables you to change the status, name, and description of an existing category.

To edit a category

  1. Navigate to the Categories Search page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. In the Categories Search page, search for the category you are interested in.

  3. Click the hyperlinked category you want to edit.

    The Category Details page appears.

  4. Make the changes you want.

    Category name edits do not affect the questions already registered or new registrations.

  5. Click Apply to save the changes or Revert to discard them.

    If you click Revert, the edited details revert to the initial state.

    If questions that belonged to a category are moved to the new category, the user would be presented with the same questions.

6.7.4 Deleting Categories

To delete a category, follow these instructions.

  1. Navigate to the Categories Search page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. In the Categories Search page, search for the categories you want to delete.

  3. Select the rows corresponding to the categories you want and click Delete.

    A dialog is displayed asking if you want to delete the categories.

  4. Click Delete to confirm.

    A dialog is displayed with a message that the categories were deleted successfully.

  5. Click OK to dismiss the dialog.

You can delete a category if it is not referenced by questions. If the category is referenced by a question, an error message appears.

6.7.5 Activating Categories

To activate categories:

  1. Navigate to the Categories Search page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. In the Categories Search page, search for the categories you want to activate.

  3. Select the row for each category you want to activate.

  4. Press the Activate button.

    A dialog is displayed with a message that the category was activated successfully.

  5. Click OK to dismiss the dialog.

6.7.6 Deactivating Categories

The deactivated category is not used to generate a new question set.

At re-registration or when user preferences are changed, for users who have questions from the deactivated category in their question set, all questions from the deactivated category are replaced with questions from another category that has not been used to generate the current question set.

For users with the questions registered, the questions from the deactivated category continue to be active. If the user is re-registering or changing user preferences, all questions in the deactivated category are replaced with questions from a new category that has not been used to generate current question set.

To deactivate categories:

  1. Navigate to the Categories Search page, as described in Section 6.4, "Accessing Configurations in KBA Administration."

  2. In the Categories Search page, search for the categories you are interested in.

  3. Select the row for each category you want to deactivate.

  4. Press the Deactivate button.

    A dialog is displayed with a message that the category was deactivated successfully.

  5. Click OK to dismiss the dialog.

6.8 Configuring the Registration Logic

You can use Registration Logic to set up the configuration for:

Configure Registration for Questions and Answers

To configure the registration for challenge questions and answers:

  1. In the Navigation tree, double-click Registration Logic under KBA. The Registration Logic page is displayed.

  2. To enter or change the values for the question set generation, you can specify the following settings.

    • Number of questions that a customer must register

    • Number of questions that appear on each menu

    • Number of categories per menu

      The categories per menu cannot be more than the number of categories available in the system.

    Note:

    Enter realistic numbers. For example, the number of questions that a user must register should be 3 to 7 questions.

  3. Click Apply.

    A confirmation dialog is displayed with the message, "Registration Logic details updated successfully."

  4. Click OK.

Add Global Validation

To add global validations (validations you want to apply to all questions):

  1. In the Navigation tree, double-click Registration Logic under KBA. The Registration Logic page is displayed.

  2. Click the Add button on the results header.

    The Add Global Validation screen appears.

    Figure 6-5 Add Global Validation

    The Add Global Validation dialog is shown.

  3. In the Add Global Validation screen, search for the global validations you want to add.

  4. Select the row corresponding to the validation you want to add.

    You cannot select more than one validation to add at a time.

  5. Click Add.

    The selected validation is added.

Delete Global Validation

To delete global validations (validations you do not want to apply to all questions):

  1. In the Navigation tree, double-click Registration Logic under KBA. The Registration Logic page is displayed.

  2. Select the rows corresponding to the validations you want to delete and then click the Delete button on the results header.

    A screen appears asking if you want to delete the validation.

  3. Click Delete to dismiss the dialog.

    A confirmation dialog appears.

  4. Click OK to dismiss the dialog.

6.9 Configuring the Answer Logic

Challenge questions are set up by the user during the registration process. They are used for additional authentication during high risk situations. Oracle's Answer Logic is used during the challenge response process.

Answer Logic is a unique combination of Knowledge Based Authentication with registration, answer, and fuzzy logic to enable KBA for the Identity and Access Management Suite.

The KBA Answer Logic tab includes controls for the level of each Answer Logic algorithm used for answer validation. The higher the level the less exact answers need to be for acceptance.

Answer Logic (fuzzy logic) algorithms can be configured on the Answer Logic page. The algorithms are divided into three categories: Common Abbreviations, Fat Fingering (accidentally pressing the nearest neighbor on the keyboard), and Phonetics.

Out-of-the-box Answer Logic is only functional for English. Abbreviations can be globalized but creation of locale specific text equivalency files is required. For information, refer to Section 6.11, "Customizing Abbreviations and Equivalences for Locales."

To configure Answer Logic:

  1. In the Navigation tree, double-click Answer Logic under KBA.

    You can specify different settings for Online Challenge and CSR Phone Challenge.

    Figure 6-6 Answer Logic

    The Answer Logic tab is shown.

  2. To change the level of Answer Logic used for keyboard fat fingering and phonetics, select Off, Low, Medium, or High: the lower the setting, the higher the degree of exactness required.

    For information on logic levels, see Section 6.9.3, "Level of Answer Logic."

  3. Click OK.

6.9.1 About Answer Logic

The Answer Logic algorithms can be enabled or disabled and the intensity or strength of some algorithms can also be configured.

The following Answer Logic algorithms are available for both the online challenge and phone challenge processes:

Abbreviations

This algorithm handles common abbreviations, common nicknames, common acronyms, and date format.

Phonetics

This algorithm handles answers that "sound like" the registered answer, regional spelling differences, and common misspellings.

Keyboard fat fingering

This algorithm handles Answers with typos due to the proximity of keys on a standard keyboard.

6.9.2 Answer Logic Algorithms Examples

This section highlights the most common response errors and shows how Answer Logic algorithms are used for the system to intelligently detect the correct answers in the challenge response process.

Examples of abbreviations, phonetics, and keyboard fat fingering are also provided.

6.9.2.1 Abbreviations

Common abbreviations, common nicknames, common acronyms, and date format are handled by this algorithm.

Common Abbreviations

This algorithm matches the words in the following pairs as equivalent. OAAM Admin has a predefined list of word pairs that covers common abbreviations, common nicknames, and common acronyms.

  • Street - St.

  • Drive - Dr.

  • California - CA

The list can be customized by creating a new abbreviation file, custom_auth_abbreviation_config.properties. For information, refer to Section 6.10, "Customizing English Abbreviations and Equivalences."

Common Nicknames

Oracle has a predefined list of the most common nicknames that is used in the challenge response process.

  • Timothy - Tim

  • Matthew - Matt

Date Format

The questions that require date as the answer specify the format in which the user should enter the answer. The format is either YYYY or MMDD, but not both. However, from experience, users still use other formats during the challenge response process. The abbreviation logic for date format sees the following as the same:

  • 0713

  • 713

  • July 13th

  • July 13

  • July 13, 1970

6.9.2.2 Phonetics

Answers that "sound like" the registered answer, regional spelling differences, and common misspellings are handled by this algorithm.

The phonetics algorithm is only supported in English.

Common Misspellings

Oracle's Phonetic Answer Logic algorithm accounts for misspellings.

  • ph - f

  • Correct word: elephant - Spelling mistake: elefant

6.9.2.3 Keyboard Fat Fingering

Oracle's Fat Fingering algorithm accounts for typos due to the proximity of keys on a standard keyboard and for transposed letters.

The number of fat fingering characters allowed depends on the length of the original word and the level set. The algorithm returns a percentage score associated with the characters that have an exact match. The intensity determines the minimum score required to match the answer with the registered answer.

Note:

The fat fingering algorithm is only supported in English.

Common Typos

  • Switching "w" and "e"

  • Switching "u" and "i"

  • Switching "t" and "r"

Examples of Fat Fingering

  • Correct word: signature - Fat finger: signatire

6.9.3 Level of Answer Logic

The level of Answer Logic, the intensity or strength of algorithms, used to evaluate answers given for challenge questions is adjustable. You can enable or disable each algorithm and you can also specify the following levels for the algorithms used:

  • Off – No Answer Logic is used; answers must exactly match those previously registered by the user.

  • Low – Less Answer Logic; answers provided by the user must be a match or near-match to the answers that were provided at the time of registration.

  • Medium – More Answer Logic; the user is given some leeway for the answers that are provided. For example, St. might be accepted for Street.

  • High – Highest level of Answer Logic. The constraints are not strict for matching.

Each algorithm generates a score that represents how close the given answer is to the registered answer. OAAM Admin can be configured to accept different threshold score ranges for each algorithm individually. Separate threshold values for each algorithm (low/medium/high) are set in a properties file. The default thresholds are described as follows.

6.9.3.1 Abbreviation

For abbreviation:

  • Return values: 0 or 100 (no-match OR match)

  • Levels: ON or OFF

  • Logic

    • If an abbreviation entry exists linking the given strings, score is 100

    • Else score is 0

6.9.3.2 Fat Fingering

For fat fingering:

  • Return values: range 0 to 100

  • Levels: OFF, LOW (90+), MEDIUM (75+), HIGH (60+)

  • Logic

    • If the string lengths don't match, score is 0

    • If a position does not have the expected character or its neighbor, score is 0

    • Else compute the number of positions that have the neighboring characters.

    • Score = (StringLength - NeighborPositionCount) * 100 / StringLength

6.9.3.3 Phonetics

For phonetics:

  • Return values: 0, 60, 75, 90

  • Levels: OFF, LOW (90), MEDIUM (75), HIGH (60)

  • Logic

    • Compute primary and alternative phonetic keys for the given strings, using DoubleMetaphone algorithm

    • If primary keys of both strings match, score is HIGH

    • Else if a primary key of one of the strings and alternate key of the other string match, score is MEDIUM

    • Else if the alternate keys of both strings match, score is LOW

    • Else the score is 0

6.9.3.4 Multiple Word Answers

Answers that contain multiple words are treated in a specific way by the Answer Logic. If the final score from a complete string match does not meet the "success" criteria, individual words in the answer are evaluated. If each individual word in an answer is accepted by any of the algorithms the whole answer is accepted.

Multiple word answers with missing/extra words must be an exact match to the registered answer. Answers must have the same number of words as the registered answer to be evaluated with Answer Logic.

For example: If the registered answer is "Mead Elementary School" and the answer given at the time of challenge is "Mesd Elem Sch":

Abbreviation: Mead–Mesd=0; Elementary-Elem=100; School-Sch=100
Fat-finger: Mead-Mesd=75; Elementary-Elem=0; School-Sch=0
Phonetics: Mead-Mesd=0; Elementary-Elem=0; School-Sch=0

Assuming that abbreviation was set to anything besides off and fat fingering was set to medium or high, since all three words would be accepted individually, the whole answer would be accepted.
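As an added example (not OAAM code), the following Python reproduces the scoring rules of Sections 6.9.3.1, 6.9.3.2, and 6.9.3.4 on the "Mead Elementary School" case above. The keyboard neighbour map, the abbreviation table, and the exact-match shortcut are constructed assumptions, and phonetics is left out because DoubleMetaphone is not in the standard library.

```python
# Minimum score per level for fat fingering, from Section 6.9.3.2.
FAT_FINGER_THRESHOLDS = {"OFF": None, "LOW": 90, "MEDIUM": 75, "HIGH": 60}

# Constructed abbreviation table (the product ships several thousand pairs).
ABBREVIATIONS = {
    "elementary": {"elem"},
    "school": {"sch"},
    "street": {"st", "st."},
    "california": {"ca"},
}

# Constructed US-QWERTY layout: a "nearest neighbour" typo is taken to be the
# key to the left or right on the same row (w/e, u/i, t/r as under Common Typos).
_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
NEIGHBOURS = {}
for _row in _ROWS:
    for _i, _ch in enumerate(_row):
        NEIGHBOURS[_ch] = set(_row[max(0, _i - 1):_i] + _row[_i + 1:_i + 2])


def abbreviation_score(registered, given):
    """Section 6.9.3.1: 100 if an abbreviation entry links the strings, else 0."""
    r, g = registered.lower(), given.lower()
    if g in ABBREVIATIONS.get(r, ()) or r in ABBREVIATIONS.get(g, ()):
        return 100
    return 0


def fat_finger_score(registered, given):
    """Section 6.9.3.2: 0 on a length mismatch or on any position holding neither
    the expected character nor a keyboard neighbour; otherwise the percentage of
    positions that matched exactly."""
    r, g = registered.lower(), given.lower()
    if len(r) != len(g) or not r:
        return 0
    neighbour_positions = 0
    for expected, actual in zip(r, g):
        if expected == actual:
            continue
        if actual in NEIGHBOURS.get(expected, ()):
            neighbour_positions += 1
        else:
            return 0
    return (len(r) - neighbour_positions) * 100 / len(r)


def word_scores(registered, given):
    """Per-word scores, as in the report of Section 6.9.3.4 (phonetics omitted)."""
    pairs = list(zip(registered.split(), given.split()))
    return {
        "abbreviation": [abbreviation_score(r, g) for r, g in pairs],
        "fat_finger": [fat_finger_score(r, g) for r, g in pairs],
    }


def word_accepted(registered, given, abbreviation_on, fat_finger_level):
    """One word (or one whole string) passes on an exact match or when any
    enabled algorithm reaches the threshold of its configured level."""
    if registered.lower() == given.lower():
        return True
    if abbreviation_on and abbreviation_score(registered, given) == 100:
        return True
    threshold = FAT_FINGER_THRESHOLDS[fat_finger_level]
    return threshold is not None and fat_finger_score(registered, given) >= threshold


def answer_accepted(registered, given, abbreviation_on=True, fat_finger_level="MEDIUM"):
    """Section 6.9.3.4: evaluate the complete string first; if that fails, fall
    back to word-by-word evaluation, which needs the same number of words."""
    if word_accepted(registered, given, abbreviation_on, fat_finger_level):
        return True
    reg_words, given_words = registered.split(), given.split()
    if len(reg_words) != len(given_words):
        return False  # missing or extra words: only an exact match would pass
    return all(word_accepted(r, g, abbreviation_on, fat_finger_level)
               for r, g in zip(reg_words, given_words))


if __name__ == "__main__":
    print(word_scores("Mead Elementary School", "Mesd Elem Sch"))
    for level in ("LOW", "MEDIUM", "HIGH"):
        print(level, answer_accepted("Mead Elementary School", "Mesd Elem Sch",
                                     fat_finger_level=level))
```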

6.10 Customizing English Abbreviations and Equivalences

Answer Logic checks if the answer provided by the user matches closely to the ones provided during registration.

Answer Logic, in part, relies on pre-configured sets of word equivalents, commonly known as abbreviations.

Although there are several thousand English abbreviations and equivalences in the English version of Oracle Adaptive Access Manager, customers can perform customizations per their business requirements.

For example, the customer might want the following to be considered a match.

Registered Answer               Given Answer
nineteen hundred ninety nine    1999

The out-of-the-box English abbreviations and equivalences are in a file named bharosa_auth_abbreviation_config.properties. Changes cannot be made to this file.

To customize abbreviations, a new file must be created with a new set of abbreviations. This file takes precedence over the original file and all abbreviations in the original file are ignored.

To customize abbreviations:

  1. Create a new abbreviation file, custom_auth_abbreviation_config.properties, and save it in the IDM_ORACLE_HOME/oaam/conf directory.

    If the conf folder does not exist, create one.

  2. Add abbreviations and equivalences to custom_auth_abbreviation_config.properties.

    There are two different formats to use:

    Word=equivalent1
    Word=equivalent2
    

    or

    Word=equivalent1,equivalent2, equivalent3
    

    For example, in English, some equivalence for James are:

    Jim=James,\Jamie,\Jimmy
    

    With the addition of the equivalences, if a user were to enter a response as Jim, but had originally entered James, Jim would be accepted.

    Another example is that St may be equivalent to Street.

    Note:

    Retrieval of abbreviation values is not based on the browser language; values are retrieved from the properties files.

  3. Using the Properties Editor, change the property, bharosa.authenticator.AbbreviationFileName, to point to the complete path to custom_auth_abbreviation_config.properties.

    The default value for the property bharosa.authenticator.AbbreviationFileName is bharosa_auth_abbreviation_config.properties.

    Create the bharosa.authenticator.AbbreviationFileName property if it does not already exist.

    Restarting the system is not necessary for the change to take effect.

    For information on using the Properties Editor, refer to Chapter 22, "Using the Properties Editor."

  4. Configure the Answer Logic by following the instructions in Section 6.9, "Configuring the Answer Logic."

If you want to revert to the original out of the box abbreviations, set bharosa.authenticator.AbbreviationFileName back to bharosa_auth_abbreviation_config.properties.

6.11 Customizing Abbreviations and Equivalences for Locales

Translated files are shipped for different locales. These files are named bharosa_auth_abbreviation_config_<locale>.properties where <locale> is the locale string. For example, the Spanish version of the file is bharosa_auth_abbreviation_config_es.properties.

If you want to localize for one locale (for example, for Japanese only) you can create one file and set the value of property bharosa.authenticator.AbbreviationFileName to that file's absolute path.

If you want to customize for multiple locales you need to perform the following steps:

  1. Create the files specific to those locales with the same prefix.

    For example,

    /mydrive/IDM_ORACLE_HOME/oaam/conf/Abbreviations_es.properties for Spanish

    /mydrive/IDM_ORACLE_HOME/oaam/conf/Abbreviations_ja.properties for Japanese

  2. Set the property bharosa.authenticator.AbbreviationFileName to /mydrive/IDM_ORACLE_HOME/oaam/conf/Abbreviations.properties.

    Note that the locale prefix is absent in the value of the property.

    Oracle Adaptive Access Manager uses the locale specific suffixes to the base file name and calculates the file name for that locale at runtime. You only have to specify the base name of the file, independent of locale, as the property value, and Oracle Adaptive Access Manager calculates the locale specific value automatically at runtime based on that property value.
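The following added example (not Oracle Adaptive Access Manager's own loader) covers both Section 6.10 and Section 6.11: it parses a custom abbreviation file written in either of the two formats shown above, answers the "is this given word an equivalent of the registered word" question, reports which out-of-the-box keys a custom file fails to carry over (the custom file replaces the original outright), and derives the locale-specific file name from the base name. Assumptions, since the page does not specify them: repeated keys and comma lists both add to one equivalence group per key, a backslash escapes the following character as in Java .properties files, keys may contain spaces, matching is case-insensitive, and a missing locale file falls back to the base file. The file contents are constructed stand-ins, not the shipped files.

```python
"""Abbreviation file loader and locale file-name rule (added example,
not OAAM code; merge semantics and fallback behaviour are assumptions)."""
import os
import re

# Constructed stand-in for custom_auth_abbreviation_config.properties,
# using both formats from Section 6.10 (repeated key, and a comma list).
CUSTOM_FILE = r"""
# comment lines start with # or !
Jim=James,\Jamie,\Jimmy
St=Street
St=Saint
nineteen hundred ninety nine=1999
"""

# Constructed stand-in for a few entries of the out-of-the-box file.
ORIGINAL_FILE = r"""
Jim=James
Elementary=Elem
School=Sch
"""


def parse_abbreviations(text):
    """Return {key: set(of key and its equivalents)} for a properties-style file."""
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line; ignore
        key = key.strip().lower()
        members = groups.setdefault(key, {key})
        for item in value.split(","):
            # Drop Java-style backslash escapes such as \Jamie -> Jamie.
            item = re.sub(r"\\(.)", r"\1", item.strip()).lower()
            if item:
                members.add(item)
    return groups


def build_index(groups):
    """Map every word to the full set of words it is equivalent to."""
    index = {}
    for members in groups.values():
        for word in members:
            index.setdefault(word, set()).update(members)
    return index


def equivalent(index, registered, given):
    """True when the given word equals the registered word or is in its group."""
    r, g = registered.strip().lower(), given.strip().lower()
    return r == g or g in index.get(r, ())


def missing_from_custom(original_text, custom_text):
    """Keys of the original file absent from the custom file. Because the
    custom file replaces the original outright, these would be lost."""
    original = set(parse_abbreviations(original_text))
    custom = set(parse_abbreviations(custom_text))
    return sorted(original - custom)


def locale_file_name(base_path, locale=None):
    """Abbreviations.properties plus 'es' -> Abbreviations_es.properties."""
    if not locale:
        return base_path
    root, ext = os.path.splitext(base_path)
    return f"{root}_{locale}{ext}"


def resolve_abbreviation_file(base_path, locale, exists=os.path.exists):
    """Use the locale-specific file when present, else the base file
    (the fallback is an assumption, not documented behaviour)."""
    candidate = locale_file_name(base_path, locale)
    return candidate if exists(candidate) else base_path


if __name__ == "__main__":
    index = build_index(parse_abbreviations(CUSTOM_FILE))
    print(equivalent(index, "James", "Jim"))
    print(missing_from_custom(ORIGINAL_FILE, CUSTOM_FILE))
    base = "/mydrive/IDM_ORACLE_HOME/oaam/conf/Abbreviations.properties"
    print(locale_file_name(base, "ja"))
```

One consequence of the repeated-key format worth checking in your own file: two lines `St=Street` and `St=Saint` put Street and Saint in the same group, so a registered "Street" would also accept "Saint" under these merge semantics. Keep equivalence groups tight, because every extra equivalent widens the set of responses an attacker can get accepted.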

6.12 Setting Up a KBA Failure Counter

To set up a KBA failure counter, create a rule in a security policy. The rule must use the condition "User: Challenge Maximum Failures Condition."

The rule checks whether the user has failed question challenges the specified number of times.

Note:

A success for a challenge automatically resets the KBA failure counters to 0.

For information on conditions, see Appendix B, "Conditions Reference."

6.13 Use Cases

This section describes example use cases for KBA.

6.13.1 Use Case: Create Challenge Question

You have been asked to develop new challenge questions to augment the existing out-of-the-box questions. Part A: Export the existing challenge questions as a backup. Part B: Create the new question, in any category, in English.

  1. Log in to OAAM Admin as an administrator.

  2. In the Navigation tree, double-click Questions under KBA. The Questions Search page is displayed.

  3. In the Questions Search page, click the column header on the Search Results table to select all the rows.

  4. Select Export Selected from the Actions menu.

  5. In the Export screen, select Save File and click OK.

  6. Browse for the location to save the ZIP file and click Save.

  7. After backing up the questions, search for the question that you are interested in.

  8. If the question does not exist, click New Question. The New Question page is displayed.

    Question, Category, Status, and Locale are required fields.

    When the New Question page first appears, the default value for the question status is Active.

  9. In the Question field, type in the question.

  10. In the Category field, select a category.

  11. Select English as the locale.

  12. Select the registration validation.

  13. Select Answer Logic hints.

  14. Click Apply. A confirmation dialog appears telling you that the question was created successfully.

  15. Click OK to dismiss the dialog.

    The Question Details page appears with information about the question and the question statistics.

  16. After the question has been created, you can edit details.

6.13.2 Use Case: KBA Registration Logic

The security team has determined that it only wants to have challenge questions about sports and pets. Part A: You must log in to OAAM Admin and delete all the questions for all categories except Sports and Pets. Before doing this you should export all the challenge questions as a backup in case you want to revert. Part B: The security team has also decided that each user should register four questions and that each registration menu should contain questions from at least four categories. Configure this in OAAM Admin.

To configure KBA Registration Logic:

  1. Log in to OAAM Admin as an administrator.

  2. In the Navigation tree, double-click Questions under KBA. The Questions Search page is displayed.

  3. Select all the questions in the Search Results table to export all the challenge questions as a backup in case you want to revert.

    Clicking the # in the column header selects all rows in the Search Results table.

  4. Select Export Selected from the Actions menu.

  5. In the Export screen, select Save File and click OK.

  6. Browse for the location to save the ZIP file and click Save.

  7. After the export, in the Search Results table of the Questions Search page, sort questions by Category.

  8. Select the questions that are not in the Sports or Pets category, and click Delete.

  9. In the Navigation tree, double-click Registration Logic under KBA. The Registration Logic page is displayed.

  10. In Categories per Menu, enter 4.

  11. In Questions per Menu, enter 4.

  12. In Questions User will Register, enter 4.

  13. Click Apply.

    Note that with only the Sports and Pets categories left, a Categories per Menu value of 4 exceeds the number of categories in the system, which Section 6.14.1 warns can produce duplicate questions in a menu. Either keep at least four categories or lower Categories per Menu to the number of categories that remain.

6.13.3 Use Case: KBA Phone Challenge

CSRs can authenticate a user by asking challenge questions over the phone. KBA Phone Challenge can be used for any registered user.

  1. When a user calls, the CSR sees the user's status (for example, Blocked or Locked) and the date and time of the last login attempt.

  2. The CSR requests a question with the Ask Question action and is presented with a challenge question and a field in which to enter the user's response.

  3. If the user is currently locked out, the challenge question presented is not the same question the user failed online.

  4. The next question in the user's registered questions is presented to the CSR.

  5. The user has a limited number of over-the-phone attempts at each question. See Section 6.1.10, "Failure Counters" for details and examples.

  6. Error messages are displayed to notify the CSR.

  7. This process continues until the user runs out of questions and attempts or the user has answered a question correctly.

6.14 KBA Guidelines and Recommended Requirements

These recommendations provide guidelines for implementing KBA and for configuring custom enrollment and challenge procedures in line with best practices.

6.14.1 Best Practices for Managing Questions

Applying Validations

Many validations may be applied locally or globally. You must be careful not to apply globally any validation that you do not want to influence all answer registration. For example, if the "Four-digit year (YYYY)" validation is applied globally then only numeric answers will be accepted during KBA registration. This would be a problem if there are questions available to users that would normally have alphanumeric answers.

Deleting Questions and Categories

You can create, edit, and delete questions and categories. You should take care when deleting categories and questions. Insufficient numbers of questions and categories can impact the security of the solution and cause usability issues. For example, if the Categories per Menu setting in Registration Logic is set to a number that is more than the total number of categories in the system then there may be duplicate questions listed. This can be confusing to users so it should be avoided.

Questions per Menu Setting

The Questions per menu setting should be between 4 and 7. This range provides a good mix of questions in a question set but does not expose too many questions to any single user.

Question User will Register Setting

The Questions user will register setting should be between 3 and 7. This provides enough questions to offer good security but does not over burden a user's memory. The basic industry standard for KBA is 3 registered questions.

The max and min limits are configurable through the following properties.

bharosa.config.type.kba_config.enum.regQuestionsCount.validation.minValue=3 
bharosa.config.type.kba_config.enum.regQuestionsCount.validation.maxValue=7

Challenge Questions Configuration

It is recommended that you completely configure all of the challenge questions, including locale, before making the question available to users.

Challenge Question Disabling

If you disable a challenge question, users who previously had that question continue to have the question even after it is disabled. However, users that are registering for the first time or re-registering will not be presented with the disabled question.

6.14.2 Guidelines for Designing Challenge Questions

Guidelines for designing challenge questions are listed below:

  • No confidential data is used in a question.

  • Answers are difficult to guess.

  • Answers cannot be obtained from public sources.

  • Questions are applicable to the general public.

  • Answers are memorable and personally significant.

  • Questions whose answers can change over time are avoided.

  • Questions do not pertain to religion, politics, taboo subjects, and so on.

6.14.3 Guidelines for Answer Input

Recommended requirements for answers are listed below:

  • Answers must be at least 4 characters.

  • No more than 2 answers can be the same during registration.

  • Answers cannot have more than 2 repeating characters.

  • Special characters are not allowed.

  • Answers are not case-sensitive.

  • Extra white spaces are removed.

  • Fuzzy logic (Answer Logic) is applied to challenge responses; the degree of tolerance is configurable by the deploying organization.
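The following is an added example of a registration-time validator for the answer requirements listed above; it is illustrative and not Oracle Adaptive Access Manager's own validation code. Two requirements are ambiguous on the page and are interpreted here as assumptions: "more than 2 repeating characters" is taken as a run of three or more identical consecutive characters, and "special characters" as anything other than letters, digits and spaces. The sample registration sets are constructed.

```python
"""Registration-time answer validation for the KBA answer requirements
(added example, not OAAM code; rule interpretations are assumptions)."""
import re
from collections import Counter

MIN_LENGTH = 4              # answers must be at least 4 characters
MAX_IDENTICAL_ANSWERS = 2   # no more than 2 answers can be the same
MAX_REPEAT_RUN = 2          # no more than 2 identical characters in a row


def normalize_answer(answer):
    """Answers are not case-sensitive and extra white space is removed."""
    return " ".join(answer.lower().split())


def validate_answer(answer):
    """Return the list of violated rules for one answer (empty means valid)."""
    norm = normalize_answer(answer)
    problems = []
    if len(norm) < MIN_LENGTH:
        problems.append("too_short")
    if any(not (ch.isalnum() or ch == " ") for ch in norm):
        problems.append("special_characters")
    if re.search(r"(.)\1{%d,}" % MAX_REPEAT_RUN, norm):
        problems.append("repeating_characters")
    return problems


def validate_registration(answers):
    """Validate a whole registration set: each answer on its own, plus the
    cross-answer rule that no more than two answers may be the same after
    normalization."""
    report = {i: validate_answer(a) for i, a in enumerate(answers)}
    counts = Counter(normalize_answer(a) for a in answers)
    for i, a in enumerate(answers):
        if counts[normalize_answer(a)] > MAX_IDENTICAL_ANSWERS:
            report[i].append("duplicate_answer")
    return report


def registration_ok(answers):
    """True only when every answer in the set passes every rule."""
    return all(not problems for problems in validate_registration(answers).values())


if __name__ == "__main__":
    # Constructed registration set: two identical answers are allowed, three are not.
    print(validate_registration(["Mead School", "mead  school", "Rover"]))
    print(validate_registration(["Mead School", "mead school", "MEAD SCHOOL"]))
    print(validate_answer("O'Brien"))
```

Run the same normalization at challenge time as at registration, otherwise an answer accepted during registration can fail later purely because of case or spacing differences.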

6.14.4 Other Recommended Requirements

Other tips for challenge questions are:

  • A unique question set should be generated for each user.

  • The user should register 3 to 5 questions; for example, 3 drop-down menus of 5 questions each, giving 15 questions in total to select from.

  • There should be a maximum of 2 questions from the same category.

  • There should be a maximum number of opt-outs, for example 3 opt-out attempts, before registration is forced.

  • When challenged, the same question is to be presented until the user responds correctly or the question is reset by a customer service agent; otherwise an attacker could keep requesting new challenges to harvest the user's registered questions or to find one with an easier answer.