General information on secret questions

The following table summarizes other conceptual information:



Activate Secret Questions

The secret questions feature needs to be activated individually for each user.

This can be done on the user's detail page in the Adminapp.

To enable secret questions for all new users by default, see the configuration section.

Blocked Answers

For security reasons, the user (or attacker) only has a limited number of attempts for answering each question. If this amount is exceeded, the answer is blocked.

The administrator/help-desk employee may unblock the answer.

Number of Valid Answers 

The term valid answer refers to an answer to a secret question that is:

  • An answer has been recorded
  • The answer is not blocked.

The system assures that each user has a minimum amount of valid answers. This number is configurable:

  • Initially, the user provides a number of answers after successful login.
  • Later, the user may have to complete the list of answers (after successful login) for one of the following reasons:
    • The required number of provisioned answers has been increased in the configuration.
    • One or more secret questions have been removed from the configuration.
    • One or more answers of the user have been blocked.

Storage of Answers

IAM does not store answers to secret questions.

It only stores a hash value of the answers (like with passwords) provided by the user. This is sufficient to verify the answers.

Check configuration normalization for available input normalization policies: it defines how strict or lax the system is when checking answers

Translations of Questions

As with all other text elements displayed in the Loginapp, the secret questions are available in different languages.

The secret questions configuration (see below) only uses text element keys (string resource key). Examples:

  • secretquestion.friend

The actual questions displayed to the user (and the administrator/help-desk employee) are in the string property files.

Note that the text elements must be made available for the Loginapp (end-user) and the Adminapp (administrator/help-desk employee).

Changing Secret Question Translations

When changing translations of existing secret questions (e.g. rephrasing), make sure the meaning of the question does not change!

Users that have already provided the answer might not recognize the question anymore if it changes substantially.

Stealth Mode

The Password reset self-service provides protection against username enumeration (stealth mode): it asks for a randomly selected set of secret questions even if

  • the user is not known.


  • the user is known but has too few valid answers.