Security questions are a form of authentication that end users can use to verify their identity when they perform self-service password resets or multi-factor authentication by answering specific questions about their identity that only they should know, such as personal or biographical details about their friends, family, or childhood. This guide walks you through how to set up security questions as a potential security factor for your users.
Important: Security questions aren't a very secure factor because answers to standard security questions can be identified. If using security questions, we strongly encourage you to add other methods of authentication to your login flow as well.
-
In your OneLogin admin portal, create a new authentication factor and choose OneLogin Security Questions from the OneLogin category.
Note: Unlike many other authentication factors, only one instance of OneLogin Security Questions can be configured at one time. If this choice is unselectable, your OneLogin tenant already has security questions enabled.
-
If desired, customize the display name and icon for the factor, then Save.
-
Go to Security Questions in the left sidebar menu to configure additional details:
|
Number of questions
|
Select the number of security questions that users will be asked to answer when they first configure the security questions for their account, as well as the number of questions asked to later authenticate users.
In this example, users will initially answer three questions, then later be given one of these three to answer at random when attempting to reset their password or log in.
Note: The number of initial questions must be greater than or equal to the number of MFA questions. Choosing 0 for either of these fields disables security questions as an authentication factor.
|
|
Enabled questions
|
In the list provided, select or deselect any questions to allow users to choose them when configuring their security questions. You must have at at least as many questions selected as the users will be prompted to answer.
Note: Deselecting any question only affects new configurations. Users who previously configured this question will still have it enabled for their authentication unless they reconfigure their security questions.
|
Best Practice: Although not required, we recommend selecting more questions than required for your users to answer. This gives users a wider variety of choice and malicious actors a lesser opportunity to identify their chosen questions.
-
Save the new factor and assign it to your users in OneLogin.
|