Security Questions
Article: KB0010591 Published: 11/30/2021 Last modified: 11/30/2021

Security questions are a form of authentication that end users can use to verify their identity when they perform self-service password resets or multi-factor authentication.

Security questions aren't a very secure factor, because the answers to standard security questions can be identified by someone other than the user. We encourage you to add other methods of authentication to your login flow. See Multi-Factor Authentication for more details.

Enable available security questions

Configure the number of questions required and the types of questions users can select.

  1. In Security > Authentication Factors, go to the Security Questions tab.

  2. In the When users set up their answers field, select the number of questions users are asked to configure when they log in for the first time. You must select at least one for security questions to be enabled.

  3. In the When users reset their passwords field, select the number of questions users will be asked when they reset their password or use security questions as a second factor to log in. Select at least one but no more than the number of questions selected above. 

  4. Enable the questions that users can select when they set up their question-answer pairs. Enable at least the number of questions selected in the When users set up their answers field.

    We recommend that you enable more, so that users have a choice of questions to set up. Click Save.

The selected security questions will be available for either self-service password reset or as an authentication factor.

Configure a policy to enable password reset using security questions 

To create a user policy that enables users to use security questions as a form of authentication when they reset their password:

  1. Go to Security > Policies.

  2. Create a New User Policy or select an existing user policy.

  3. Go to the Account Recovery Tab and check Allow users to update their directory password.

    To enable users to unlock an account themselves by resetting their password, check Allow users to unlock their accounts.

  4. Under Select factors available, select OneLogin Security Questions.

  5. Click Save.

  6. Add users to the security policy.

Add security questions as a second authentication factor and configure a policy to enable the factor

To configure security questions as a second authentication factor:

  1. Go to Security > Authentication Factors and click the New Auth Factor button.

  2. Scroll down to Security Questions and click the Choose button.

  3. On the Add Security Questions dialog, click Save.

  4. Go to Settings > Policies.

  5. Create a New User Policy or select an existing policy.

  6. Go to the MFA tab and check OTP Auth Required.

  7. Under Available factors, select Security Questions.

    Note: You can add as many authentication factors as you like, in addition to security questions, such that security questions are only one option for users logging in when a second authentication factor is required.

  8. Under OTP required for, specify who requires a second authentication factor:


    • Administrator Only: Only Super users and the Account Owner require a second authentication factor.

    • Configured Users Only: Requires a second authentication factor only for end users who have already manually added and configured security questions as an authentication factor.

    • All Users: Requires a second authentication factor for all users. Users are prompted to set up security questions during authentication.

  9. Define when OTP is required (At every login, Unknown browsers).

    If you select Unknown browsers, you can set the Security cookie expiration to the number of days until a browser becomes unknown again.

  10. (Optional) Add whitelisted IP addresses. Users logging in from these addresses will not be required to provide second authentication factors.

  11. Click Save.

  12. Add users to the security policy.

    All users associated with that security policy will now be prompted to answer security questions when a second authentication factor is required. For more information about adding users to a security policy, see User Policies.

Note: If end-users have not enabled security questions in their profile under the 2-Factor Authentication section, administrators will not be able to view or delete security questions for the user. Also, if an administrator runs a User Details report to look at OTP types, the count will not reflect those users until it is enabled under the 2-Factor Authentication section.
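
The interaction of the settings in steps 8 to 10 can be checked with a small model. This is an added example, not OneLogin code: the class and field names are hypothetical, the sample logins are constructed, and it assumes each setting exempts a login independently of the others.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class MfaPolicy:
    """Hypothetical model of the MFA tab settings in steps 8-10."""
    required_for: str   # "admin_only", "configured_only" or "all_users"
    when: str           # "every_login" or "unknown_browsers"
    cookie_days: int    # Security cookie expiration, in days
    allowed_networks: List[str] = field(default_factory=list)

@dataclass
class Login:
    name: str
    is_admin: bool                     # Super user or Account Owner
    has_factor: bool                   # security questions already set up
    source_ip: str
    cookie_issued: Optional[datetime]  # None: browser never seen

def second_factor_required(policy: MfaPolicy, login: Login, now: datetime) -> bool:
    # Step 10: whitelisted addresses are never asked for a second factor.
    addr = ip_address(login.source_ip)
    if any(addr in ip_network(net) for net in policy.allowed_networks):
        return False
    # Step 8: who the requirement applies to.
    if policy.required_for == "admin_only" and not login.is_admin:
        return False
    if policy.required_for == "configured_only" and not login.has_factor:
        return False
    # Step 9: a browser with an unexpired security cookie is still "known".
    if policy.when == "unknown_browsers" and login.cookie_issued is not None:
        if now - login.cookie_issued < timedelta(days=policy.cookie_days):
            return False
    return True

def exempt_logins(policy, logins, now):
    """Names of the logins that are not asked for a second factor."""
    return [l.name for l in logins if not second_factor_required(policy, l, now)]

# Constructed sample data (documentation address ranges, not real users).
NOW = datetime(2021, 11, 30)
POLICY = MfaPolicy("all_users", "unknown_browsers", 30, ["203.0.113.0/24"])
LOGINS = [
    Login("office-admin", True, True, "203.0.113.9", None),
    Login("remote-new-browser", False, False, "198.51.100.7", None),
    Login("remote-known-browser", False, True, "198.51.100.7", NOW - timedelta(days=10)),
    Login("remote-stale-cookie", False, True, "198.51.100.7", NOW - timedelta(days=31)),
]
```

Calling `exempt_logins(POLICY, LOGINS, NOW)` lists the sample logins that skip the second factor under an "All Users" policy, which is a quick way to review how wide the whitelist and cookie lifetime make the exemption.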

End users

Set up security questions

If you haven't set up your security questions (selecting your questions and answers), you might be prompted to do so when you try to reset your password or you try to log in when you're required to provide a second authentication factor.

If you never receive such a prompt from the login or password reset screen, you can set up your security questions by doing the following:

  1. Log in to OneLogin and go to your user Profile page.

  2. On the Profile page, select Security Factors, then click Add Factor and choose Security Questions. 



  3. Select the desired questions from the menu.

  4. Enter an answer for each.

  5. Click Save.

  6. Your registered questions will appear under Security Questions on the Profile page.

Reset password using security questions

End users must complete the steps below to reset their passwords using Security Questions:

Note: Users can only reset passwords using email or a registered MFA factor that exists within their profile.

  1. Log in to OneLogin with credentials.

  2. Answer security questions during the login process.

  3. Click on the user icon in the top-right.

  4. Click on Profile.

  5. Click the Plus (+) sign next to 2-Factor Authentication.

  6. Choose Security Questions and click Continue.

  7. Click Save.

Use security questions as a second authentication factor

To authenticate using security questions:

  1. Go to the login screen.

  2. Enter the answers to your security questions.

    If you have not already set up your security questions on your Profile page, you may be prompted to configure them when you log in.

  3. Click Log In.

 

