Failures Process Flow of Analysis

Answer/Solution: Add the following property to bharosa_server.properties. This property determines whether the QuestionPad is set for visible text input or password (non-visible) input.

bharosa.authentipad.questionpad.datafield.input.type

Valid values are text and password.

Can OAAM Restrict the Number of Devices used by a User

Question/Problem: Is there any way to limit a user to a smaller number of devices, such as 5 or 6, and block any access from devices that are not in the configured list for that specific user?

Answer/Solution: For usability and security reasons, OAAM does not support limiting a user to a set number of devices. This behavior is also not required for proper security coverage, since OAAM profiles the behavior of users, including the devices they use. The total number of devices is not a good measure of risk, as some end users may utilize many devices as part of their normal behavior. Instead, OAAM keeps track of how often a user utilizes a specific device, who else has used that same device in the past, and with what frequency. These evaluations can better assess the level of risk associated with an access request.

KeyPad or PinPad for KBA challenges?

Question/Problem: Can I use KeyPad or PinPad for KBA challenges?

Answer/Solution: KBA is designed for use with QuestionPad or plain HTML. Using KeyPad or PinPad is not recommended because KBA questions are not presented in that scenario.

How can the virtual authentication devices protect users from screen capture malware?

Question/Problem: How can virtual authentication devices protect users from screen capture malware?

Answer/Solution: These attacks currently require a manual process. An individual must look at the video or images captured to figure out the PIN or password. The virtual devices are primarily aimed at preventing automated attacks that affect large numbers of customers.

If the Trojan did include OCR technology, the characters clicked on KeyPad and PinPad would be more difficult to read than on other types of onscreen keyboards, since Oracle Adaptive Access Manager keys are translucent so that the background image can be seen, and the font and key shapes can be randomized each session. The jitter would also complicate the task. The virtual authentication devices are a good mix of security and usability for large-scale deployments that want to keep the authentication already used and layer more security on top of it.

Even if malware were developed that is capable of deciphering the password, it does not necessarily cause fraud to occur. The virtual authentication devices are only one component of the full solution. Even if a fraudster has the PIN or password, he will have to pass the real-time behavioral/event/transactional analysis and secondary authentication. Oracle Adaptive Access Manager tracks, profiles and evaluates users/devices/locations activity in real time regardless of authentication. Oracle Adaptive Access Manager takes proactive action to prevent fraud when it detects high-risk situations. In this way, fraud could be prevented even if the standard form of authentication (password/PIN or another form) is removed from the applications.
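The device-limit answer above argues that a user's device count is a poor risk signal compared with how often the user uses a given device and who else has used it. The Python sketch below is an added illustration of that argument, not OAAM code or its scoring model: the login history is constructed, and the function names and the 70/30 weights are assumptions.

```python
from collections import Counter, defaultdict

# Constructed login history as (user, device) pairs. Not real OAAM data.
HISTORY = (
    [("alice", f"dev-{i}") for i in range(1, 9)] * 5    # alice rotates 8 devices
    + [("bob", "dev-b1")] * 30 + [("bob", "dev-b2")] * 10
    + [(f"user{i}", "kiosk-7") for i in range(12)]       # device shared by 12 users
)

def build_profiles(history):
    """Return (per-user device usage counts, per-device set of users)."""
    by_user = defaultdict(Counter)
    by_device = defaultdict(set)
    for user, device in history:
        by_user[user][device] += 1
        by_device[device].add(user)
    return by_user, by_device

def device_risk(user, device, by_user, by_device):
    """Score 0..100 for an access request (hypothetical weights).

    70 points: how unfamiliar the device is to this user, measured against
               the user's most-used device (never seen = fully unfamiliar).
    30 points: how many *other* users have used the device (capped at 10).
    The number of devices the user owns does not enter the score.
    """
    seen = by_user.get(user, Counter())
    uses = seen.get(device, 0)
    unfamiliar = 1.0 if uses == 0 else 1.0 - uses / max(seen.values())
    others = len(by_device.get(device, set()) - {user})
    shared = min(others, 10) / 10
    return round(70 * unfamiliar + 30 * shared)

def count_rule_blocks(user, by_user, limit=5):
    """The naive rule from the question: block once a user exceeds `limit` devices."""
    return len(by_user.get(user, {})) > limit

if __name__ == "__main__":
    users, devices = build_profiles(HISTORY)
    for u, d in [("alice", "dev-3"), ("alice", "dev-new"),
                 ("bob", "dev-b2"), ("bob", "kiosk-7")]:
        print(u, d, device_risk(u, d, users, devices),
              "count-rule blocks" if count_rule_blocks(u, users) else "")
```

In this constructed data the count rule blocks alice on a device she uses routinely, while the profile-based score rates that request lowest and rates bob's first login from a widely shared device highest.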