The following table summarizes other conceptual information:
Topic | Description |
---|---|
Activate Secret Questions | The secret questions feature must be activated individually for each user. This is done on the user's detail page in the Adminapp. To enable secret questions for all new users by default, see the configuration section. |
Blocked Answers | For security reasons, the user (or an attacker) only has a limited number of attempts at answering each question. If this number is exceeded, the answer is blocked. The administrator or help-desk employee may unblock the answer. |
Number of Valid Answers | The term valid answer refers to an answer to a secret question that is:<br>The system ensures that each user has a minimum number of valid answers. This number is configurable: |
Storage of Answers | IAM does not store answers to secret questions. It only stores a hash value of each answer provided by the user (as with passwords), which is sufficient to verify the answers. See the normalization configuration for the available input normalization policies; the policy defines how strict or lax the system is when checking answers. |
Translations of Questions | As with all other text elements displayed in the Loginapp, the secret questions are available in different languages. The secret questions configuration (see below) only uses text element keys (string resource keys). Examples:<br>The actual questions displayed to the user (and to the administrator/help-desk employee) are in the string property files. Note that the text elements must be made available for both the Loginapp (end user) and the Adminapp (administrator/help-desk employee).<br>Changing Secret Question Translations: When changing the translation of an existing secret question (e.g. rephrasing it), make sure the meaning of the question does not change! Users who have already provided an answer might not recognize the question anymore if it changes substantially. |
Stealth Mode | The password reset self-service provides protection against username enumeration (stealth mode): it asks for a randomly selected set of secret questions even if<br>or |
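The three mechanisms in the table that carry a security guarantee (hashed storage of normalized answers, the per-answer attempt limit with help-desk unblocking, and the stealth-mode question selection) are illustrated below in one added Python example. This is not IAM's own code: the policy names `strict` and `lax`, the attempt limit of 3, the PBKDF2 parameters, the question keys and the server-side secret are all constructed assumptions; IAM's real configuration keys are not shown on this page.

```python
"""Secret-question handling: normalization, hashed storage, attempt limit, stealth mode.

Added illustration, not IAM's own implementation. Policy names, question keys,
iteration count and the stealth-mode secret are hypothetical values.
"""
import hashlib
import hmac
import os
import random
import re
import unicodedata
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 100_000      # constructed value; tune per deployment
SALT_LEN = 16


def normalize(answer: str, policy: str) -> str:
    """Canonical form of an answer before hashing or comparing.

    "strict": only Unicode normalization; the answer must otherwise match exactly.
    "lax":    also ignore case, punctuation and leading/trailing/repeated whitespace,
              so "New  York!" and "new york" count as the same answer.
    """
    text = unicodedata.normalize("NFKC", answer)
    if policy == "strict":
        return text
    if policy == "lax":
        text = re.sub(r"[^\w\s]", "", text.casefold())
        return " ".join(text.split())
    raise ValueError(f"unknown normalization policy: {policy}")


def hash_answer(answer: str, policy: str, salt: Optional[bytes] = None) -> bytes:
    """Store only salt || PBKDF2-HMAC-SHA256(normalized answer); never the answer itself."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer, policy).encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_answer(stored: bytes, candidate: str, policy: str) -> bool:
    """Recompute the hash of the normalized candidate and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate, policy).encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, recomputed)


class SecretAnswer:
    """One stored answer plus the per-answer attempt counter ("Blocked Answers")."""

    def __init__(self, question_key: str, answer: str, policy: str = "lax", max_attempts: int = 3):
        self.question_key = question_key
        self.policy = policy
        self.max_attempts = max_attempts
        self.failed_attempts = 0
        self.blocked = False
        self._stored = hash_answer(answer, policy)   # the plaintext answer is not kept

    def check(self, candidate: str) -> bool:
        if self.blocked:
            return False                              # blocked answers fail even when correct
        if verify_answer(self._stored, candidate, self.policy):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.max_attempts:
            self.blocked = True
        return False

    def unblock(self) -> None:
        """Administrator / help-desk action that resets the counter."""
        self.failed_attempts = 0
        self.blocked = False


# Constructed server-side secret for stealth mode; in practice loaded from protected config.
STEALTH_SECRET = b"constructed-example-secret"


def questions_for_reset(username: str, users: Dict[str, List[SecretAnswer]],
                        question_pool: List[str], count: int) -> List[str]:
    """Stealth mode: always return `count` question keys, whether or not the user exists.

    Known users get a random subset of their own questions. Unknown usernames get a
    selection from the pool seeded by HMAC(secret, username), so repeated requests for
    the same non-existent name show the same questions and do not betray non-existence.
    """
    seed = hmac.new(STEALTH_SECRET, username.encode("utf-8"), "sha256").digest()
    rng = random.Random(seed)
    answers = users.get(username)
    if answers is not None and len(answers) >= count:
        return rng.sample([a.question_key for a in answers], count)
    return rng.sample(question_pool, count)
```

Two design points worth noting: `verify_answer` normalizes the candidate with the same policy that was in force when the answer was stored, so changing the policy for existing users silently invalidates their stored hashes unless they are re-enrolled; and the stealth-mode selection for unknown names is deterministic per username on purpose, because a selection that changed on every request would itself be an enumeration signal.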