Usage of secret questions
10.2.1.4.4.1. How are secret questions used in Airlock IAM?

Secret questions are used in the 10.2.1.4. Password reset self-service to verify the user identity.

MAIN USAGE

Secret questions are used in the 10.2.1.4. Password reset self-service to verify the username.

IAM supports the following features:

  • Record answers: Ask the user to initially answer questions after a successful login.
  • Check answers: Check answers to verify the username in the password reset self-service.
  • Manage answers: Manage answers in Adminapp. If enabled, the administrator/help-desk user may also check answers.

Be aware that the answers to the secret questions are usually not really confidential. It may be relatively easy for an attacker to learn about the answers for selected users (e.g. using social media platforms).

Secret questions are not a high-security feature!

Therefore:

  • Use secret questions with care and where it makes sense (e.g. combine them with a second factor in the password reset self-service)
  • Choose sensitive questions.