
Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager

8 Enabling Challenge Questions

Oracle Adaptive Access Manager uses knowledge-based authentication (KBA) to prompt users for information by using challenge questions. An individual must provide previously registered answers during authentication.

This section provides guidelines for enabling challenge questions. Topics include:

■ What is KBA?
■ Phased Approach for Registration
■ Checklist for Enabling Challenge Questions
■ Ensure Policies are Available
■ Ensuring KBA Properties/Default Properties are Set
■ Ensure Challenge Questions are Available
■ Enabling Policies
■ Configuring Rules for Policies
■ Configuring the Challenge Question Answer Validation
■ Configuring the Answer Logic

8.1 What is KBA?

Knowledge-based authentication (KBA) is a form of secondary authentication in which the user is prompted with challenge questions during authentication and must provide previously registered answers. Because KBA is a secondary authentication method, it should only be presented after successful primary authentication.

A KBA challenge is necessary in medium to high risk situations. Challenging users too often and without significant risk degrades the user experience and possibly the security. The goal is to challenge users often enough that they can successfully recall their answers, but not so often that they view it as a hindrance. In addition, displaying the questions excessively increases the slim possibility of exposure to fraudsters through over-the-shoulder or some other attack. In general, a challenge roughly every month for a normal user is a good rate. Suspicious users should be blocked and should not have access to the system.
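As an added example (not part of the Oracle guide and not OAAM code), the following Python audits an authentication event log against the two guidelines above: a KBA challenge only after successful primary authentication, and a challenge rate near once a month. The event names, the log layout and the 14-day and 60-day bounds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumed bounds around the "roughly every month" guidance; tune per deployment.
MIN_GAP_DAYS = 14   # shorter average gap between challenges => challenged too often
MAX_GAP_DAYS = 60   # longer since the last challenge => answers likely forgotten

# Constructed sample events: (ISO time, user, session, event). Not OAAM log output.
EVENTS = [
    ("2024-01-03T09:00", "alice", "s1", "login_ok"),
    ("2024-01-03T09:01", "alice", "s1", "kba_challenge"),
    ("2024-02-04T10:00", "alice", "s2", "login_ok"),
    ("2024-02-04T10:01", "alice", "s2", "kba_challenge"),
    ("2024-02-20T08:00", "bob", "s3", "login_ok"),
    ("2024-02-20T08:01", "bob", "s3", "kba_challenge"),
    ("2024-02-23T08:00", "bob", "s4", "login_ok"),
    ("2024-02-23T08:01", "bob", "s4", "kba_challenge"),
    ("2024-02-27T08:00", "bob", "s5", "login_fail"),
    ("2024-02-27T08:01", "bob", "s5", "kba_challenge"),
    ("2023-11-01T12:00", "carol", "s6", "login_ok"),
    ("2023-11-01T12:01", "carol", "s6", "kba_challenge"),
    ("2024-02-28T12:00", "carol", "s7", "login_ok"),
]

def audit_kba(events, now):
    """Return (sessions challenged without primary auth, per-user cadence label)."""
    authed, unauth, seen = set(), [], defaultdict(list)
    for ts, user, session, event in sorted(events):   # ISO strings sort by time
        if event == "login_ok":
            authed.add(session)
        elif event == "kba_challenge":
            if session not in authed:                 # KBA shown before primary auth
                unauth.append(session)
            seen[user].append(datetime.fromisoformat(ts))
    cadence = {}
    for user, times in seen.items():
        gaps = [(b - a).days for a, b in zip(times, times[1:])]
        if gaps and sum(gaps) / len(gaps) < MIN_GAP_DAYS:
            cadence[user] = "too_frequent"
        elif (now - times[-1]).days > MAX_GAP_DAYS:
            cadence[user] = "too_rare"
        else:
            cadence[user] = "ok"
    return unauth, cadence
```

Sessions returned in the first list point at a policy or integration ordering problem; the cadence labels show which users fall outside the monthly target in either direction.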

8.2 Phased Approach for Registration

A phased rollout of KBA is necessary to help ease the transition for the organization and the users. Spacing out the rollout allows for an important learning period and lessens the impact on customer service.