Best Practices for Managing Questions

8 Enabling Challenge Questions

Oracle Adaptive Access Manager uses knowledge-based authentication (KBA) to prompt users for information by using challenge questions. An individual must provide previously registered answers during authentication. This section provides guidelines for enabling challenge questions.

Topics include:

■ What is KBA?
■ Phased Approach for Registration
■ Checklist for Enabling Challenge Questions
■ Ensure Policies are Available
■ Ensuring KBA Properties/Default Properties are Set
■ Ensure Challenge Questions are Available
■ Enabling Policies
■ Configuring Rules for Policies
■ Configuring the Challenge Question Answer Validation
■ Configuring the Answer Logic

8.1 What is KBA?

Knowledge-based authentication (KBA) is a form of secondary authentication in which, during authentication, the user is prompted with challenge questions and must provide previously registered answers. Since KBA is a secondary authentication method, it should only be presented after successful primary authentication.

A KBA challenge is necessary in medium- to high-risk situations. Challenging users too often and without significant risk degrades the user experience and possibly the security. The goal is to challenge users often enough that they can successfully recall their answers, but not so often that they view it as a hindrance. Also, displaying the questions excessively increases the slim possibility of exposure to fraudsters through over-the-shoulder or some other attack. In general, a challenge roughly every month for a normal user is a good rate. Suspicious users should be blocked and should not have access to the system.

8.2 Phased Approach for Registration

A phased rollout of KBA is necessary to help ease the transition for the organization and the users. Spacing out the rollout allows for an important learning period and lessens the impact on customer service. The most successful phased approach generally includes these phases:

■ The user is not registered, and there is little change to the user experience.
■ The user can choose to register.
■ The user must register an image, a phrase, and challenge questions to be stored in a customer profile.

The first two phases generally last between one and three months each, depending on user population size and composition.

8.2.1 Phase 1 - No Registration

Phase one generally consists of Oracle Adaptive Access Manager risk evaluation. In this phase there is little change to the user experience. Users continue to access the system through the existing methods. The only slight change to the user experience is a block. Blocking is recommended in this phase only for extremely high-risk situations. With blocking actions applied, OAAM Admin can start to prevent fraud from day one. Since only very severe security violations are blocked, normal users should not experience issues with them. Phase one can last any length of time desired by the business. Generally, organizations stay in phase one for one to three months.

8.2.2 Phase 2 - Optional Registration

Phase two is the gradual introduction of the virtual devices and secondary authentication to the user population. In this phase, registration is made available to the population or sub-populations of existing users on an optional basis. This opt-in allows users to register when they have time and feel comfortable. Brand new users should be given the option to register as soon as they are created. This strategy helps to distribute the load on support over a period and to add convenience for users.

User Experience

The user is prompted to register for challenge questions after successfully authenticating at sign-on. The user can choose to bypass registration and then proceed into the session.

Staggered Rollout

Breaking up a rollout phase into sub-groups can further ease efforts. In large deployments, staggering is advised. Phase two is generally the best time to implement staggering. The most common staggering has the following steps:

■ The user population is broken into groups. Geographic region is the most often used basis for this grouping.
■ Staggered start dates are configured for each group.

Enable Optional Registration

To enable optional registration, link the Post-Auth Flow Phase 2 policy to the user group that you want KBA to be enabled for.

8.2.3 Phase 3 - Required Registration

Phase three closes the door on the opt-in registration process. This phase is the transition to the normal registration procedure that is used going forward for all users. For this reason, phase three has no end. Any existing users who have not registered yet must complete registration before they can access the protected applications.
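The post-authentication decision described in sections 8.1 through 8.2.3 (KBA only after successful primary authentication, blocking of extremely high-risk sessions in every phase, optional versus required registration, and challenging at a rate of roughly once a month rather than on every medium-risk event) can be written down as a single decision function. The following is an added illustration, not code from Oracle Adaptive Access Manager or this guide: the risk labels ("low", "medium", "high", "severe"), the `decide` function, the `Session` record and the 30-day throttle are all assumptions made for the example; OAAM's own policies and rules express this logic differently.

```python
"""Illustrative post-auth KBA decision logic (added example, not OAAM code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed risk scale for the example; OAAM uses scored rules and policies.
RISK_LEVELS = ("low", "medium", "high", "severe")

# "A challenge roughly every month for a normal user is a good rate" (8.1):
# medium-risk sessions are throttled to one challenge per interval. High risk
# always challenges; severe risk is blocked outright. This throttle is the
# example's interpretation of that guidance, not a product setting.
CHALLENGE_INTERVAL_DAYS = 30

# Rollout phases from 8.2.1 - 8.2.3
PHASE_NO_REGISTRATION = 1
PHASE_OPTIONAL_REGISTRATION = 2
PHASE_REQUIRED_REGISTRATION = 3


@dataclass
class Session:
    primary_auth_ok: bool          # result of the primary credential check
    risk: str                      # one of RISK_LEVELS (constructed scale)
    kba_registered: bool           # user has registered challenge questions
    days_since_challenge: Optional[int]  # None if never challenged


def decide(primary_auth_ok, risk, kba_registered, days_since_challenge, phase):
    """Return the post-auth action for a session as a string.

    Actions: deny, block, allow, offer_registration, require_registration,
    challenge. Ordering of the checks is the security-relevant part: KBA is
    secondary authentication, so nothing below runs for a failed primary
    login, and a severe-risk session is blocked before any question is shown.
    """
    if risk not in RISK_LEVELS:
        raise ValueError(f"unknown risk level: {risk!r}")
    s = Session(primary_auth_ok, risk, kba_registered, days_since_challenge)

    if not s.primary_auth_ok:
        return "deny"                      # never present KBA to an unauthenticated user
    if s.risk == "severe":
        return "block"                     # blocked in every phase, including phase one

    if phase == PHASE_NO_REGISTRATION:
        return "allow"                     # phase one: risk evaluation only, no KBA

    if not s.kba_registered:
        if phase == PHASE_OPTIONAL_REGISTRATION:
            return "offer_registration"    # user may bypass and proceed (8.2.2)
        return "require_registration"      # phase three: must register first (8.2.3)

    if s.risk == "high":
        return "challenge"
    if s.risk == "medium":
        recently = (s.days_since_challenge is not None
                    and s.days_since_challenge < CHALLENGE_INTERVAL_DAYS)
        return "allow" if recently else "challenge"
    return "allow"                         # low risk, registered: no friction


if __name__ == "__main__":
    # Constructed sample sessions to show each branch.
    samples = [
        (False, "low", True, None, PHASE_OPTIONAL_REGISTRATION),
        (True, "severe", True, None, PHASE_NO_REGISTRATION),
        (True, "high", False, None, PHASE_NO_REGISTRATION),
        (True, "low", False, None, PHASE_OPTIONAL_REGISTRATION),
        (True, "low", False, None, PHASE_REQUIRED_REGISTRATION),
        (True, "medium", True, 3, PHASE_REQUIRED_REGISTRATION),
        (True, "medium", True, 45, PHASE_REQUIRED_REGISTRATION),
        (True, "high", True, 3, PHASE_REQUIRED_REGISTRATION),
    ]
    for args in samples:
        print(args, "->", decide(*args))
```

The order of the checks is what a reviewer should look at: primary authentication failure and severe risk are handled before any registration or challenge branch, so an unauthenticated or blocked session can never be shown a question, and the throttle applies only to medium risk, so a high-risk session is always challenged regardless of how recently the user answered.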