Introduction

Use this guide to configure the Challenge Question function for Help Desk Authentication. The Challenge Question lets a Help Desk staff member verify an end-user's identity by asking a question only that user can answer. This feature of Multi-Factor Authentication helps secure the enterprise against Social Engineering Attacks in which an intruder masquerades as an employee asking for help.

The Challenge Question must be entered on the User Self-services Account Update Page, and can be reviewed from the Help Desk Account Management Page.

Prerequisites

1. Configure the User Self-services Account Update realm in which to input the Challenge Question and Answer

Info

The Challenge Question and Answer can only be set on the User Self-services page

2. Create a New Realm or access an existing realm in which Help Desk is used as a Multi-Factor Authentication method

3. Configure the following tabs in the Web Admin

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – one or more data stores can be integrated with SecureAuth IdP
  • Workflow – the way in which users will access the target must be defined
  • Registration Methods / Multi-Factor Methods – the Multi-Factor Authentication method that will be used to access the target (if any) must be defined
  • Post Authentication – the target resource or post authentication action must be defined
  • Logs – the logs that will be enabled or disabled for this realm must be defined

...

Challenge Question / User Self-services Realm Configuration Steps

Info

Note: These steps are required in addition to the configuration steps in the User Self-services Account Update Page guide to enable the creation of a challenge question to be used in Help Desk verification for 2-Factor Authentication

Data

1. In the Profile Fields section, map the KB Questions property to a directory attribute

This must be an attribute to which the SecureAuth IdP service account has read and write access (e.g. houseIdentifier)

2. Map the KB Answers property to a directory attribute

This must be an attribute to which the SecureAuth IdP service account has read and write access (e.g. info)

3. Enable Writable for both KB Questions and KB Answers

Tip

Refer to LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping for more information

Warning

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Post Authentication

4. In the Identity Management section, click Configure self service page

Self Service

5. Select Show Enabled from the HelpDesk Challenge dropdown

Warning

Click Save once the configurations have been completed and before leaving the Self Service page to avoid losing changes

...

Realm(s) Using Help Desk Challenge Question for Multi-Factor Authentication Configuration Steps

Info

Note: These configuration steps must be applied to all realms using Help Desk with Challenge Question for Multi-Factor Authentication

Data



Info

The KB Questions and KB Answers settings must be the same as the ones applied on the User Self-services realm

1. In the Profile Fields section, map the KB Questions property to a directory attribute

This must be an attribute to which the SecureAuth IdP service account has read and write access (e.g. houseIdentifier)

2. Map the KB Answers property to a directory attribute

This must be an attribute to which the SecureAuth IdP service account has read and write access (e.g. info)

3. Enable Writable for both KB Questions and KB Answers

Tip

Refer to LDAP Attributes / SecureAuth IdP Profile Properties Data Mapping for more information

Warning

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Registration Methods / Multi-Factor Methods

4. In the Registration Configuration section, under Help Desk Settings, select Enable from at least one of the Help Desk options dropdowns (Help Desk 1 and / or Help Desk 2)

5. Enter the Phone number and Email address that the user can use to contact the Help Desk

6. Under Advanced Settings, check Missing KB Answers in the Inline Initialization field to enable users to create a Challenge Question and Answer during the login process (if information is missing from the directory)

Warning

Click Save once the configurations have been completed and before leaving the Registration Methods page to avoid losing changes
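
The following is an added example, not SecureAuth code: a Python audit over an LDIF export of the data store that flags accounts whose mapped KB Questions / KB Answers attributes are empty or only half populated, which are the accounts the Missing KB Answers inline initialization in step 6 is meant to catch. It assumes the example attributes from this page (houseIdentifier, info), a constructed sample export, and sAMAccountName as the user identifier; only presence is checked, since the stored value format is not described here.

```python
import base64
import re

KB_QUESTION_ATTR, KB_ANSWER_ATTR = "houseIdentifier", "info"  # example attributes from this page
# Constructed sample LDIF export (hypothetical users, not real directory data).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
sAMAccountName: alice
houseIdentifier: Name of first pet?
info:: UmV4

dn: CN=Bob Example,OU=Staff,DC=example,DC=test
sAMAccountName: bob
houseIdentifier: City where you were
  born?

dn: CN=Carol Example,OU=Staff,DC=example,DC=test
sAMAccountName: carol
"""

def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute name -> list of values."""
    unfolded = text.replace("\n ", "")  # a leading space continues the previous line
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" carries base64
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(name.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries

def audit_kb(entries, q_attr=KB_QUESTION_ATTR, a_attr=KB_ANSWER_ATTR):
    """Map each user to 'ok', 'incomplete' (only one of Q/A set) or 'missing'."""
    report = {}
    for e in entries:
        set_count = sum(any(v.strip() for v in e.get(a.lower(), [])) for a in (q_attr, a_attr))
        user = e.get("samaccountname", e.get("dn", ["?"]))[0]
        report[user] = ("missing", "incomplete", "ok")[set_count]
    return report

if __name__ == "__main__":
    print(audit_kb(parse_ldif(SAMPLE_LDIF)))
```

The report contains account names and status only; answer values are never printed, so the output can be shared with Help Desk staff without exposing the verification data.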

...