Secret questions are configured in the following places:
- Authentication flow
- Password reset self-service (or other public self-service)
- Adminapp (Secret Questions Token Controller in Adminapp >> Users >> Authentication Tokens (Credentials).
All pieces of configuration refer to the general Secret Question Settings.
The main configuration tasks are:
- Configure the set of questions
- Review security settings (Required Number Of Provisioned Answers, Allowed Number Of Attempts)
- Review Normalization policy
- Add or review translations for all configured questions (See Changing text elements - note that the translations must be available for both the Loginapp and the Adminapp).
To automatically activate secret questions for all newly inserted users (in Adminapp, REST API or Service or User Registration Self-Service), do the following:
- In the Config Editor, go to the User Persister plugin that is used to insert new users (this is usually: MAIN SETTINGS >> Data Sources >> User Data Sources).
- The configured User Persister plugin may provide Event Listener hooks (e.g. Database User Persister).
- If it supports event listeners, add the plugin New User Defaults Setter and configure it to enable secret questions
