
Introduction

Use this guide to configure the Challenge Question function for Help Desk Authentication. The Challenge Question lets a Help Desk staff member verify an end-user's identity by asking a question that only that user can answer. This Multi-Factor Authentication feature helps protect the enterprise against social engineering attacks in which an intruder contacts the Help Desk posing as an employee who needs help.

The Challenge Question must be entered on the User Self-services Account Update Page, and can be reviewed from the Help Desk Account Management Page.

Prerequisites

1. Configure the User Self-services Account Update realm in which to input the Challenge Question and Answer

The Challenge Question and Answer can only be set on the User Self-services page

2. Create a New Realm or access an existing realm in which Help Desk is used as a Multi-Factor Authentication method

3. Configure the following tabs in the Web Admin

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – one or more data stores can be integrated with SecureAuth IdP
  • Workflow – the way in which users will access the target must be defined
  • Registration Methods / Multi-Factor Methods – the Multi-Factor Authentication method that will be used to access the target (if any) must be defined
  • Post Authentication – the target resource or post authentication action must be defined
  • Logs – the logs that will be enabled or disabled for this realm must be defined

As of Version 9.0.1, the Registration Methods tab of SecureAuth IdP Version 9.0 has been renamed Multi-Factor Methods

Challenge Question / User Self-services Realm Configuration Steps

Note: These steps are required in addition to the configuration steps in the User Self-services Account Update Page guide. They enable end-users to create the Challenge Question that the Help Desk uses for verification in 2-Factor Authentication

Data


1. In the Profile Fields section, map the KB Questions property to a directory attribute

This must be an attribute to which the SecureAuth IdP service account has read and write access (e.g. houseIdentifier). Choose an attribute that is not used for any other purpose in the directory, because SecureAuth IdP overwrites its value each time the user updates the Challenge Question

2. Map the KB Answers property to a directory attribute

This must be an attribute to which the SecureAuth IdP service account has read and write access (e.g. info), and likewise one that is not used for anything else in the directory

3. Enable Writable for both KB Questions and KB Answers

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Post Authentication


4. In the Identity Management section, click Configure self service page

Self Service


5. Select Show Enabled from the HelpDesk Challenge dropdown

Click Save once the configurations have been completed and before leaving the Self Service page to avoid losing changes

End-user Configuration Steps


1. Log in to the User Self-services page

2. In the For Help Desk verification section, select a Challenge Question from the dropdown

3. Enter an answer to the Challenge Question

4. Click Update

The verification Question and Answer are written to the directory attributes mapped to KB Questions and KB Answers in the data store

Realm(s) Using Help Desk Challenge Question for Multi-Factor Authentication Configuration Steps

Note: These configuration steps must be applied to all realms using Help Desk with Challenge Question for Multi-Factor Authentication

Data

The KB Questions and KB Answers settings must be the same as the ones applied on the User Self-services realm

1. In the Profile Fields section, map the KB Questions property to a directory attribute

This must be an attribute to which the SecureAuth IdP service account has read and write access (e.g. houseIdentifier)

2. Map the KB Answers property to a directory attribute

This must be an attribute to which the SecureAuth IdP service account has read and write access (e.g. info)

3. Enable Writable for both KB Questions and KB Answers

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Registration Methods / Multi-Factor Methods


4. In the Registration Configuration section, under Help Desk Settings, select Enable from at least one of the Help Desk options dropdowns (Help Desk 1 and/or Help Desk 2)

5. Enter the Phone number and Email address that the user can use to contact the Help Desk

6. Under Advanced Settings, check Missing KB Answers in the Inline Initialization field so that users who have no Challenge Question and Answer stored in the directory are prompted to create them during the login process

Click Save once the configurations have been completed and before leaving the Registration Methods page to avoid losing changes
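The steps above depend on three things that the Web Admin does not verify for you: that the service account can really read and write the two mapped attributes, that an end-user's Update actually lands in those attributes, and how many users have nothing stored yet (and so will either hit Inline Initialization or fail Help Desk verification). The following PowerShell script is an added example for checking all three from a domain-joined admin workstation; it is not part of this guide or of SecureAuth IdP. It assumes the data store is Active Directory, and every name in it is a placeholder: the service account CORP\svc-secureauth, the container OU=Users,DC=corp,DC=example, the test user jdoe, and the houseIdentifier / info mapping used in the steps above.

```powershell
# Added verification script (not SecureAuth IdP code). All names below are
# placeholders: replace them with your service account, container and mapping.
Import-Module ActiveDirectory

$ServiceAccount = 'CORP\svc-secureauth'              # assumed service account
$UserContainer  = 'OU=Users,DC=corp,DC=example'      # assumed user container
$KbQuestionAttr = 'houseIdentifier'                  # attribute mapped to KB Questions
$KbAnswerAttr   = 'info'                             # attribute mapped to KB Answers

function Get-AttributeSchemaGuid {
    # Object-specific ACEs identify an attribute by its schemaIDGUID, not its name.
    param([string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    return [guid]$obj.schemaIDGUID
}

function Test-ServiceAccountAttributeAccess {
    # Reports whether the service account is directly granted ReadProperty and
    # WriteProperty on each attribute (or on all properties) of the container.
    param([string[]]$Attributes)
    $readBit  = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $writeBit = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $acl = Get-Acl -Path "AD:\$UserContainer"
    foreach ($name in $Attributes) {
        $guid = Get-AttributeSchemaGuid -LdapDisplayName $name
        $aces = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $ServiceAccount -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty)
        }
        # Merge the rights of every matching ACE into one bit mask.
        $rights = 0
        foreach ($ace in $aces) { $rights = $rights -bor [int]$ace.ActiveDirectoryRights }
        [pscustomobject]@{
            Attribute = $name
            Read      = [bool]($rights -band $readBit)
            Write     = [bool]($rights -band $writeBit)
        }
    }
}

function Get-UserChallengeData {
    # Reads back what the self-service Update wrote for one user. The answer is
    # returned in clear, so run this only against a test account.
    param([string]$SamAccountName)
    Get-ADUser -Identity $SamAccountName -Properties $KbQuestionAttr, $KbAnswerAttr |
        Select-Object SamAccountName,
            @{ n = 'Question'; e = { $_.$KbQuestionAttr } },
            @{ n = 'Answer';   e = { $_.$KbAnswerAttr } }
}

function Get-UsersMissingChallenge {
    # Users with no stored question: these are the accounts that Inline
    # Initialization (Missing KB Answers) will prompt, or that cannot be verified.
    Get-ADUser -SearchBase $UserContainer -LDAPFilter "(&(objectCategory=person)(!($KbQuestionAttr=*)))" |
        Select-Object SamAccountName
}

Test-ServiceAccountAttributeAccess -Attributes $KbQuestionAttr, $KbAnswerAttr | Format-Table -AutoSize
Get-UserChallengeData -SamAccountName 'jdoe'
Get-UsersMissingChallenge | Format-Table -AutoSize
```

The access check only recognises ACEs granted to the service account itself on the attribute GUID or on all properties; rights inherited through group membership or granted via a property set (for example an ACE whose ObjectType is a property-set GUID that contains the attribute) are not detected, so a False result means "not directly granted", not "denied". If the check reports False, run Get-UserChallengeData against the test account after the end-user Update step: an empty Question and Answer there confirms that the service account cannot write the mapped attributes.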

Optional Help Desk Page Configuration Steps

Note: To enable administrative review of Challenge Questions, follow these configuration steps in addition to steps from the Account Management (Help Desk) Page Configuration Guide

Data


The KB Questions and KB Answers settings must be the same as the ones applied on the User Self-services realm and in the realm(s) using Help Desk with Challenge Question for Multi-Factor Authentication

1. In the Profile Fields section, map the KB Questions property to a directory attribute

This must be an attribute to which the SecureAuth IdP service account has read and write access (e.g. houseIdentifier)

2. Map the KB Answers property to a directory attribute

This must be an attribute to which the SecureAuth IdP service account has read and write access (e.g. info)

3. Enable Writable for both KB Questions and KB Answers

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Post Authentication


4. In the Identity Management section, click Configure help desk page

Help Desk


5. Select Show from the Challenge Question dropdown

Click Save once the configurations have been completed and before leaving the Help Desk page to avoid losing changes

Help Desk Administrator Page


The Challenge Question and Answer can be viewed (but not edited) on the Help Desk Admin Page