Challenge Question Configuration Guide
Introduction
Use this guide to configure the Challenge Question function for Help Desk Authentication. The Challenge Question lets a Help Desk staff member verify an end-user's identity by asking a question only that user can answer. This feature of Multi-Factor Authentication helps secure the enterprise against Social Engineering Attacks in which an intruder masquerades as an employee asking for help.
The Challenge Question must be entered on the Self-service Account Update page configuration, and can be reviewed from the Account Management page configuration.
Prerequisites
1. Configure the User Self-services Account Update realm in which to input the Challenge Question and Answer
Note
The Challenge Question and Answer can only be set on the User Self-services page
2. Create a New Realm or access an existing realm in which Help Desk is used as a Multi-Factor Authentication method
3. Configure the following tabs in the Web Admin
Overview – the description of the realm and SMTP connections must be defined
Data – one or more data stores can be integrated with SecureAuth IdP
Workflow – the way in which users will access the target must be defined
Multi-Factor Methods – the Multi-Factor Authentication method that will be used to access the target (if any) must be defined
Post Authentication – the target resource or post authentication action must be defined
Logs – the logs that will be enabled or disabled for this realm must be defined
Challenge Question / User Self-services Realm Configuration Steps
Notice
These steps are required in addition to the configuration steps in the User Self-services Account Update Page guide to enable the creation of a challenge question to be used in Help Desk verification for 2-Factor Authentication
Data
1. In the Profile Fields section, map the KB Questions property to a directory attribute
This must be an attribute to which the SecureAuth IdP service account has read and write access (e.g. houseIdentifier)
2. Map the KB Answers property to a directory attribute
This must be an attribute to which the SecureAuth IdP service account has read and write access (e.g. info)
3. Enable Writable for both KB Questions and KB Answers
Tip
Refer to LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping for more information
Warning
Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes
Post Authentication
4. In the Identity Management section, click Configure self service page
Self Service
5. Select Show Enabled from the HelpDesk Challenge dropdown
Warning
Click Save once the configurations have been completed and before leaving the Self Service page to avoid losing changes
End-user Configuration Steps
1. Log in to the User Self-services page
2. In the For Help Desk verification section, select a Challenge Question from the dropdown
3. Enter an answer to the Challenge Question
4. Click Update
Notice
The verification Question and Answer are written to the data store
Realm(s) Using Help Desk Challenge Question for Multi-Factor Authentication Configuration Steps
Notice
These configuration steps must be applied to all realms using Help Desk with Challenge Question for Multi-Factor Authentication
Data
Notice
The KB Questions and KB Answers settings must be the same as the ones applied on the User Self-services realm
1. In the Profile Fields section, map the KB Questions property to a directory attribute
This must be an attribute to which the SecureAuth IdP service account has read and write access (e.g. houseIdentifier)
2. Map the KB Answers property to a directory attribute
This must be an attribute to which the SecureAuth IdP service account has read and write access (e.g. info)
3. Enable Writable for both KB Questions and KB Answers
Tip
Refer to LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping for more information
Warning
Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes
Multi-Factor Methods
4. In the Multi-Factor Configuration section, under Help Desk Settings, select Enable from at least one of the Help Desk option dropdowns (Help Desk 1 and / or Help Desk 2)
5. Enter the Phone number and Email address that the user can use to contact the Help Desk
6. Under Multi-Factor Settings, check Missing KB Answers in the Inline Initialization field to enable users to create a Challenge Question and Answer during the login process (if information is missing from the directory)
Warning
Click Save once the configurations have been completed and before leaving the Multi-Factor Methods page to avoid losing changes
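An added example, not part of the SecureAuth guide or product: a pre-rollout audit that reads an LDIF export of the data store and reports which accounts have both, only one, or neither of the mapped KB attributes populated, that is, which users would be sent through the Missing KB Answers inline initialization. It assumes the example mappings houseIdentifier and info, checks only that values are present (the page does not describe their stored format), and runs on constructed sample entries.

```python
import base64

# Assumption: the realm uses the example mappings from this guide.
# LDAP attribute names are case-insensitive, so they are compared lowercased.
KB_QUESTION_ATTR = "houseIdentifier"
KB_ANSWER_ATTR = "info"

# Constructed sample export (not real directory data).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
sAMAccountName: alice
houseIdentifier: constructed-question-value
info:: Y29uc3RydWN0ZWQtYW5zd2VyLXZhbHVl

dn: CN=Bob Example,OU=Staff,DC=example,DC=test
sAMAccountName: bob
houseIdentifier: constructed-question-value

dn: CN=Carol Example,OU=Staff,DC=example,DC=test
sAMAccountName: carol
"""

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF entry."""
    # A line that starts with a single space continues the previous line.
    lines = text.replace("\r\n", "\n").replace("\n ", "").split("\n")
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, rest = line.partition(":")
        # "attr:: value" carries a base64-encoded value.
        value = (base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
                 if rest.startswith(":") else rest).strip()
        current.setdefault(name.lower(), []).append(value)
    return entries

def kb_status(entry):
    # "partial" means a question without an answer, or the reverse.
    has_q = any(entry.get(KB_QUESTION_ATTR.lower(), []))
    has_a = any(entry.get(KB_ANSWER_ATTR.lower(), []))
    if has_q and has_a:
        return "complete"
    return "partial" if has_q or has_a else "missing"

def audit(text):
    """Map each account (sAMAccountName, else DN) to its KB status."""
    return {e.get("samaccountname", e.get("dn", ["?"]))[0]: kb_status(e)
            for e in parse_ldif(text)}
```

Accounts reported as partial or missing have no usable Challenge Question for Help Desk verification until the user completes the self-service or inline initialization step.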
Optional Help Desk Page Configuration Steps
Notice
To enable administrative review of Challenge Questions, follow these configuration steps in addition to steps from the Account Management page configuration
Data
Notice
The KB Questions and KB Answers settings must be the same as the ones applied on the User Self-services realm and in the realm(s) using Help Desk with Challenge Question for Multi-Factor Authentication
1. In the Profile Fields section, map the KB Questions property to a directory attribute
This must be an attribute to which the SecureAuth IdP service account has read and write access (e.g. houseIdentifier)
2. Map the KB Answers property to a directory attribute
This must be an attribute to which the SecureAuth IdP service account has read and write access (e.g. info)
3. Enable Writable for both KB Questions and KB Answers
Tip
Refer to LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping for more information
Warning
Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes
Post Authentication
4. In the Identity Management section, click Configure help desk page
Help Desk
5. Select Show from the Challenge Question dropdown
Warning
Click Save once the configurations have been completed and before leaving the Help Desk page to avoid losing changes
Help Desk Administrator Page
The Challenge Question and Answer can be viewed (but not edited) on the Help Desk Admin Page