Skip to main content

Knowledge-based Authentication (KBA / KBQ) as Multi-Factor Authentication Method Configuration Guide


Use this guide to enable knowledge-based questions and answers (KBA / KBQ) as a Multi-Factor Authentication method.


1. Integrate an on-premises directory with SecureAuth IdP

2. Create a Service Account for SecureAuth IdP with read privileges to access the data store, and write privileges to update knowledge-based questions and answers

If using Active Directory as the data store, see the document SecureAuth Service Account setup and configuration guide for Active Directory for information about choosing attributes and configuring the SecureAuth Service Account

If using another solution for a data store, such as SQL Server or OpenLDAP, consult SecureAuth support for further assistance

3. Select two readable and writable attributes from the data store to be used with the KBA feature

The selected attribute(s) will be used to store the question and answer information in the user profile

However, if using the Base64 setting, only the KB Questions attribute is required

4. Create a New Realm or access an existing realm in the SecureAuth IdP Web Admin in which KBA is used as a Multi-Factor Authentication method

5. Configure the following tabs in the Web Admin

  • Overview – the description of the realm and SMTP connections must be defined

  • Data – one or more data stores can be integrated with SecureAuth IdP

  • Workflow – the way in which users will access the target must be defined

  • Multi-Factor Methods – the KBA Multi-Factor Authentication method that will be used to access the target (if any) must be defined

  • Post Authentication – the target resource or post authentication action must be defined

  • Logs – the logs that will be enabled or disabled for this realm must be defined

SecureAuth IdP Configuration Steps



1. In the Profile Fields section, map theSecureAuth IdPProperty to the appropriatedata storeField for KB Questions

For example, in the sample image, KB Questions is located in the houseIdentifier data store Field

2. Change the Source from Default Provider if another directory is enabled in the Profile Connection Settings section and contains the Property


See the Data Tab Configuration guide for information on configuring Profile Connection Settings

3. Check Writable for KB Questions so that SecureAuth IdP can make changes in the data store

4. Map the KB Answers Profile Property to the appropriate data store Field – e.g. homePostalAddress – and check Writable


If Base64 is selected from theKB Format field in the Registration Methods tab (step 6 below), then step 4 is not required


Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Multi-Factor Methods


5. In the Multi-Factor Configuration section, under Knowledge Based Settings, select Enabled from the KB Questions dropdown

6. Select the preferred KB Format fromthedropdown


SecureAuth recommends selecting Encryption because although encoding the KB information with the Base64 algorithm typically makes them unreadable by the naked eye, they are as easily decoded as they are encoded –security is not the intent of this option

7. Select the Number of Questions from which the end-user will be able to choose during authentication

8. Select True from the KB Conversion dropdown only if changes are being made to move from Base64 to Encrypted settings


Click Save once the configurations have been completed and before leaving the Registration Methods page to avoid losing changes

Optional Configurations

The following optional configurations can be made for KBA realms

  • Customize knowledge-based questions (Overview tab)

  • Prompt end-users to provide missing knowledge-based answers information (Multi-Factor Methods tab)

  • Ensure the same license certificate is used by all servers in a multi-server environment that has the option to encrypt KBA information enabled (System Info tab)

Customize Knowledge-based Questions

Knowledge-based questions can be customized to provide end-users with a list of new ormodifiedquestions



1. In the Advanced Settings section, click Content and Localization

Verbiage Editor

2. In the Verbiage Editor section, scroll down to find the list of knowledge-based attributes with corresponding knowledge-based questions that can be edited

3. Edit knowledge-based questions, as necessary


Any edits made to knowledge-based questions must be made in all realms that will prompt end-users for knowledge-based answers, in order to provide a consistent end-user experience


Click Save once the configurations have been completed and before leaving the Overview page to avoid losing changes

Configure prompt for Missing KB Answers

End-users who are authenticated in the environment can be prompted to provide answers to knowledge-based questions if none on file currently exist

Multi-Factor Methods


1. In the Multi-Factor Configuration section, under Multi-Factor Settings, check Missing KB Answers in the Inline Initialization field if end-users should be prompted to provide answers to knowledge-based questions if there are none on file


Click Save once the configurations have been completed and before leaving the Multi-Factor Methods page to avoid losing changes

Use same license on multiple servers

In a multi-SecureAuth IdP environment that uses encrypted KBA information, each server must use the same license certificate in order to ensure a seamless end-user experience

System Info


1. In the License Info section, click Select Certificate

Select Certificate

2. In the Select Certificate window, verify the selected certificate is the one that will be used on all SecureAuth IdP servers

3. If another certificate needs to be used, then select the radio button corresponding to that certificate

4. Click Select to close the window


Perform the steps in this section for all SecureAuth IdP servers in the environment


Click Save once the configurations have been completed and before leaving the System Info page to avoid losing changes