Knowledge-based Authentication (KBA / KBQ) as Multi-Factor Authentication Method Configuration Guide
Introduction
Use this guide to enable knowledge-based questions and answers (KBA / KBQ) as a Multi-Factor Authentication method.
Prerequisites
1. Integrate an on-premises directory with SecureAuth IdP
2. Create a Service Account for SecureAuth IdP with read privileges to access the data store, and write privileges to update knowledge-based questions and answers
If using Active Directory as the data store, see the document SecureAuth Service Account setup and configuration guide for Active Directory for information about choosing attributes and configuring the SecureAuth Service Account
If using another solution for a data store, such as SQL Server or OpenLDAP, consult SecureAuth support for further assistance
3. Select two readable and writable attributes from the data store to be used with the KBA feature
The selected attribute(s) will be used to store the question and answer information in the user profile
However, if using the Base64 setting, only the KB Questions attribute is required
Tip
Refer to LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping for more information
4. Create a New Realm or access an existing realm in the SecureAuth IdP Web Admin in which KBA is used as a Multi-Factor Authentication method
5. Configure the following tabs in the Web Admin
Overview – the description of the realm and SMTP connections must be defined
Data – one or more data stores can be integrated with SecureAuth IdP
Workflow – the way in which users will access the target must be defined
Multi-Factor Methods – the KBA Multi-Factor Authentication method that will be used to access the target (if any) must be defined
Post Authentication – the target resource or post authentication action must be defined
Logs – the logs that will be enabled or disabled for this realm must be defined
SecureAuth IdP Configuration Steps
Data
1. In the Profile Fields section, map the SecureAuth IdP Property to the appropriate data store Field for KB Questions
For example, in the sample image, KB Questions is located in the houseIdentifier data store Field
2. Change the Source from Default Provider if another directory is enabled in the Profile Connection Settings section and contains the Property
Notice
See the Data Tab Configuration guide for information on configuring Profile Connection Settings
3. Check Writable for KB Questions so that SecureAuth IdP can make changes in the data store
4. Map the KB Answers Profile Property to the appropriate data store Field – e.g. homePostalAddress – and check Writable
Notice
If Base64 is selected from the KB Format field in the Registration Methods tab (step 6 below), then step 4 is not required
Tip
Refer to LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping for more information
Warning
Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes
Multi-Factor Methods
5. In the Multi-Factor Configuration section, under Knowledge Based Settings, select Enabled from the KB Questions dropdown
6. Select the preferred KB Format from the dropdown
Notice
SecureAuth recommends selecting Encryption: although encoding the KB information with the Base64 algorithm typically makes it unreadable to the naked eye, it is as easily decoded as it is encoded, so security is not the intent of this option
7. Select the Number of Questions from which the end-user will be able to choose during authentication
8. Select True from the KB Conversion dropdown only if changes are being made to move from Base64 to Encrypted settings
Warning
Click Save once the configurations have been completed and before leaving the Registration Methods page to avoid losing changes
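To make the Notice under step 6 concrete, and to give an audit check for step 8 (KB Conversion from Base64 to Encrypted), the following added example scans exported values of a KBA profile attribute and flags any that still Base64-decode to readable text. It is not SecureAuth code; the "question|answer" layout and the sample values are constructed assumptions, not SecureAuth's actual storage format.

```python
import base64
import binascii
import string

# Constructed sample values of a KBA profile attribute (e.g. the field mapped to
# KB Questions), as a directory export might return them. The "question|answer"
# layout is an assumption for illustration only.
SAMPLE_ATTRIBUTE_VALUES = {
    "user1": base64.b64encode(b"Mother's maiden name?|Smith").decode(),
    "user2": base64.b64encode(b"First pet?|Rex").decode(),
    # Arbitrary non-text bytes standing in for an encrypted value (constructed).
    "user3": base64.b64encode(bytes(range(0, 200, 7))).decode(),
    "user4": "",  # no KBA data on file
}

PRINTABLE = set(bytes(string.printable, "ascii"))


def decodes_to_readable_text(value: str, min_printable_ratio: float = 0.95) -> bool:
    """True if value is valid Base64 whose decoded bytes are almost entirely
    printable text, i.e. anyone who can read the attribute can read the
    questions and answers. Encrypted values also tend to be Base64-wrapped,
    so the decision is made on the printability of the decoded bytes."""
    if not value:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    if not raw:
        return False
    printable = sum(1 for b in raw if b in PRINTABLE)
    return printable / len(raw) >= min_printable_ratio


def audit_kba_attribute(values: dict) -> list:
    """Return the sorted user ids whose stored KBA value is only Base64-obscured."""
    return sorted(uid for uid, v in values.items() if decodes_to_readable_text(v))


if __name__ == "__main__":
    for uid in audit_kba_attribute(SAMPLE_ATTRIBUTE_VALUES):
        print(f"{uid}: KBA data is Base64-encoded plaintext, convert to Encrypted")
```

Run it against a real export only after KB Conversion has completed; any user it lists still has recoverable question and answer data in the directory.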
Optional Configurations
The following optional configurations can be made for KBA realms
Customize knowledge-based questions (Overview tab)
Prompt end-users to provide missing knowledge-based answers information (Multi-Factor Methods tab)
Ensure the same license certificate is used by all servers in a multi-server environment that has the option to encrypt KBA information enabled (System Info tab)
Customize Knowledge-based Questions
Knowledge-based questions can be customized to provide end-users with a list of new or modified questions
Overview
1. In the Advanced Settings section, click Content and Localization
Verbiage Editor
2. In the Verbiage Editor section, scroll down to find the list of knowledge-based attributes with corresponding knowledge-based questions that can be edited
3. Edit knowledge-based questions, as necessary
Warning
Any edits made to knowledge-based questions must be made in all realms that will prompt end-users for knowledge-based answers, in order to provide a consistent end-user experience
Warning
Click Save once the configurations have been completed and before leaving the Overview page to avoid losing changes
Configure prompt for Missing KB Answers
End-users who are authenticated in the environment can be prompted to provide answers to knowledge-based questions if none on file currently exist
Multi-Factor Methods
1. In the Multi-Factor Configuration section, under Multi-Factor Settings, check Missing KB Answers in the Inline Initialization field if end-users should be prompted to provide answers to knowledge-based questions if there are none on file
Warning
Click Save once the configurations have been completed and before leaving the Multi-Factor Methods page to avoid losing changes
Use same license on multiple servers
In a multi-SecureAuth IdP environment that uses encrypted KBA information, each server must use the same license certificate in order to ensure a seamless end-user experience
System Info
1. In the License Info section, click Select Certificate
Select Certificate
2. In the Select Certificate window, verify the selected certificate is the one that will be used on all SecureAuth IdP servers
3. If another certificate needs to be used, then select the radio button corresponding to that certificate
4. Click Select to close the window
Notice
Perform the steps in this section for all SecureAuth IdP servers in the environment
Warning
Click Save once the configurations have been completed and before leaving the System Info page to avoid losing changes