Security Challenge Questions
Configure security challenge questions for use in the Community Manager developer portal for scenarios such as two-factor authentication or password reset.
Table of Contents
About security challenge questions
Security challenge questions allow users to set up answers to questions, that only they will know, to act as a backup layer for authentication purposes.
Normal authentication to the Akana API Platform is by username/password, unless two-factor authentication (2FA) is in place. However, security challenge questions/answers allow the user to set up information by which he/she can authenticate without a password in certain scenarios, such as if the user forgot the password.
Ideally, the answers to the questions should be pieces of information that are not easily findable in the public domain. For example, questions such as "What is your mother's maiden name?" or "what is the name of your dog" might be easy for a malicious hacker to find the answers to, on the internet or on social media. Questions that prompt for information less easily discoverable, such as the person's favorite childhood vacation spot or their childhood best friend's dog, are more secure.
When you're setting up security challenge questions, bear in mind usability as well as security. If you make the questions too difficult, users might forget their own answers, or might write down the answers. If you make them too easy, a hacker could find out the answer from the internet or social media. It's a balance.
Note: In the Community Manager developer portal, the security challenge feature doesn't allow users to give the same answer twice. This is a precaution against users being lazy and using a default value, which is less secure, rather than setting up authentic answers to the questions.
Adding Constraints
Adding constraints to security challenge questions, such as minimum number of letters, numbers, or uppercase characters, increases the security of the question/answer security challenge scenario. However, don't forget usability. For example:
- If the question asks for pet's name, the answer is not likely to contain numbers. If the question asks for city of birth, the answer should allow spaces since many city names have more than one word. Make sure that the questions and the constraints work together sensibly.
- Some last names include special characters such as an apostrophe, so setting a constraint that doesn't allow special characters in a last name field might stop the user from setting the true value, thus making it more difficult later on for the user to retrieve account access using the challenge questions/answers.
Note: The number of questions you set up on this page does not control the number of security questions presented to the user. It only affects the selection. The number of security questions required is in Business Security Settings; Challenge Count. See How do I configure settings for business security?
How do I configure settings for security challenge questions?
The platform comes with defaults for security challenge questions. However, you can add new questions and you can delete existing questions.
You can change the constraints for an existing question, such as how many characters are required or allowed, but you can't change the question itself.
When you delete a security challenge question, it remains in the database but is no longer available for selection by users. However, if a user has already set up an answer to a question that is later deleted, and the user then needs to use the question (for example, if the user forgot his/her password), the question and answer are still available for use.
To add a security challenge question
- Log in as a Site Admin and go to the Admin section.
- Go to More > Admin > Challenges.
- Click Add Security Question.
- On the Add Security Question page, specify the question code, the question, and any constraints you want to put in place for the answer. For information on the fields, see Security Challenge Questions: Settings below.
- When done, click Save.
If needed, you can use the Reset button at any point before saving, to remove changes you just made.
The question is immediately added to the list, and is available for users to choose from.
Note: For tips and general information about choosing security challenge questions, see About security challenge questions above.
To update a security challenge question
- Log in as a Site Admin and go to the Admin section.
- Go to More > Admin > Challenges.
- On the list of security questions, find the question you want to update.
- To the right of the question, click Edit (pencil icon).
- On the Edit Security Question page, change values for the question, as needed. You can change any values except the question code and the question itself. For information on the fields, see Security Challenge Questions: Settings below.
- When done, click Save.
To delete (inactivate) a security challenge question
Note: When you delete a security challenge question, it is no longer available for users to select from the list of questions and to set up an answer for. However, if any users have already chosen this question and set up an answer, they will still be able to use this question. For example, let's say User A chooses question A and provides an answer, and then you remove question A from the list. If User A chooses Forgot Password or any other activity that requires answering a security challenge question, the same question will be presented, and the user's answer can be validated against the stored answer.
- Log in as a Site Admin and go to the Admin section.
- Go to More > Admin > Challenges.
- On the list of security questions, find the question you want to delete (inactivate).
- To the right of the question, click Delete (X icon).
- At the confirmation message, click OK. The question is removed from the list.
Security Challenge Questions: Settings
Information about the field values is given below.
Setting | Explanation / possible values |
---|---|
Question Code | A unique code to identify the question in the database. Example: com.soa.challenge.question.color. You can use any code as long as it's not already in use. Once you've created the question, you can't change the code. If you choose a code that's in use, you'll see a warning message. |
Question | Choose a simple and clear question. Ideally, it should be something that users will be able to remember but that is not common knowledge about the user. Once you've created the question, you can't change it. For tips and general information about choosing security challenge questions, see About security challenge questions above. |
Minimum Length | The minimum number of characters required in the response to this question. |
Maximum Length | The maximum number of characters allowed in the response to this question. |
Minimum Letter Count | The minimum number of letters required in the response to this question. |
Maximum Letter Count | The maximum number of letters allowed in the response to this question. |
Minimum Number Count | The minimum number of whole numbers required in the response to this question. |
Maximum Number Count | The maximum number of whole numbers allowed in the response to this question. |
Minimum Uppercase Letters | The minimum number of uppercase letters required in the response to this question. |
Special Characters Allowed | The special characters allowed in the response to this question. If a value is provided for the Minimum Special Characters field, at least one allowed special character must be defined. |
Minimum Special Characters | The minimum number of special characters required in the response to this question. If no value is specified, all characters are allowed. |
Can Answer Contain Spaces? | Indicates whether the response to this question can include spaces. |
Is Answer Case-Sensitive? | Indicates whether the response to this question is case-sensitive. |
Enabled? | Indicates whether this question is included on the list of choices when a user is setting up answers to security challenge questions. Default: Enabled. Clearing the check box marks the question as inactive so that it isn't included on the list of choices for users. |