
7 Managing Knowledge-Based Authentication

This chapter introduces you to the concepts behind knowledge-based authentication (KBA), and provides information about managing tasks that impact challenge questions, validations, the levels of logic algorithms used for answers, question categories, and the levels of logic algorithms used for registration.

Sections in this chapter are:
■ Introduction and Concepts
■ Setting Up KBA Overview
■ Setting Up the System to Use Challenge Questions
■ Accessing Configurations in KBA Administration
■ Managing Challenge Questions
■ Setting Up Validations for Answer Registration
■ Managing Categories
■ Configuring the Registration Logic
■ Adjusting Answer Logic
■ Customizing English Abbreviations and Equivalences
■ Customizing Abbreviations and Equivalences for Locales
■ Use Cases
■ KBA Guidelines and Recommended Requirements

7.1 Introduction and Concepts

This section describes the key concepts of knowledge-based authentication (KBA).

7.1.1 Knowledge Based Authentication

Oracle Adaptive Access Manager provides out-of-the-box secondary authentication in the form of knowledge-based authentication (KBA). KBA is a secondary authentication method, an extension to the existing authentication method. It is presented after successful primary authentication (for example, a user entering single-factor credentials, such as a user name and password) to improve authentication strength.

KBA provides an infrastructure for:
■ Users to select questions and provide answers which are used to challenge them later on
7-2 Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager
KBA is used to authenticate an individual based on the user's answers, substantiated by a real-time interactive question-and-answer process.
■ Levels of logic algorithm for registration
Registration Logic manages the registration of challenge questions and answers.
■ Levels of logic algorithm for answers
Answer Logic is made up of advanced matching algorithms (fuzzy logic) used by the system to intelligently detect the correct answers in the challenge response process. The algorithms and the level of Answer Logic are factors in evaluating answers.
■ Validations
Validations are used to validate the answers given by a user at the time of registration.

KBA is used during online authentication of the user, which is automated, or in a CSR challenge, where the CSR interacts with the user to authenticate him before providing CSR services.

7.1.2 Challenge Response Process

The KBA solution consists of securing an application using a challenge/response process, where users are challenged with one or more questions to proceed with their requested sign-on, transaction, service, and so on.

7.1.3 Challenge Response Configuration

The challenge/response process is controlled by a combination of properties and rules.
■ Questions presented at random or round robin
Presentation logic (random versus round robin) is configurable through properties. If the deployment supports Oracle Identity Manager integration, the presentation is round robin. The user is expected to answer all the registered questions online.
■ The number of attempts a user is allowed for each question is set by a property.
■ The total number of KBA challenge failures a user is allowed before he is locked out by Oracle Adaptive Access Manager is configured in a rule condition.

7.1.4 Registration

During registration, which could be enrollment, opening a new account, or another event such as a reset, the user is asked to select questions and provide answers. The order of questions that are presented to a user during the registration phase is random, using configurable parameters. Later on, the challenge questions selected at registration or during a reset may be used for challenge during high-risk logins, to access transactions or sensitive information, or both, and so on. Oracle Adaptive Access Manager's Rules Engine and business rules are responsible for determining if it is appropriate to use challenge questions to authenticate the user.

7.1.5 Challenge Questions

The customer can configure a set of questions that are used to authenticate users. The questions are grouped into several categories and the user can select questions from these categories. The out-of-the-box categories that questions can be grouped into are listed below. The customer can configure questions from these categories.
■ Childhood
■ Sports
■ Your Birth
■ Parents, Grandparents, Siblings
■ Automobile
■ Education
■ Children
■ Your Employment
■ Significant Other
■ Pets
■ Miscellaneous

During registration, users are presented with several question menus. For example, a user may be presented with three question menus. A user must select one question from each menu and enter answers for them during registration. Only one question from each question menu can be registered. These questions become the user's registered questions.

When rules in OAAM Admin trigger challenge questions, the application displays the challenge questions and accepts the answers in a secure way for users. The questions can be presented in the QuestionPad, TextPad, and other pads, where the challenge question is embedded into the image of the authenticator, or in simple HTML. These are configured through properties.

7.1.6 Question Set

KBA offers a large pool of questions, which is the framework for obtaining answers from the user during registration or reset. The Question Set is a fixed set of questions that is allotted to the user. This set is allotted at random and once for the user unless it is reset. It is generated based on the settings configured in the Registration Logic. This Question Set prevents any single user from having access to all the challenge questions. This is to prevent a fraudster from harvesting questions for use in a phishing exercise. A user can receive a new Question Set if a customer service representative resets it for the user.

7.1.7 Registration Logic

Registration Logic manages the registration of challenge questions and answers. During KBA registration each user is presented with a Question Set, a subset of the challenge questions library. The Question Set is generally broken up into several drop-downs that have questions to select from. The drop-down with questions is called a menu.

Figure 7–1 Drop-Down Menus

The number of questions that appear on each menu, the number of categories per menu, and the number of questions that a user must register are configurable. Out-of-the-box, questions are grouped into categories. The challenge questions in the question menus do not change unless the question set is changed. The user is required to select one question from each menu and enter answers for them. Only one question from each question menu can be registered.

Validations are applied to the answers provided by the user during registration. For example, if the question "What year did you start junior high school?" is assigned the Month-Day-Year (MMDDYY) validation, a user registering for this question is not allowed to provide "April 1st 1920" for the answer.

To configure the Registration Logic, you specify the settings for:
■ The question set generation
– The number of questions to be registered
– The number of questions per menu
– The number of categories per menu
The Question Set is generated based on the Registration Logic.
■ The validations that are applied to the answers

For information on setting Registration Logic, see Section 7.8, "Configuring the Registration Logic."

How do the KBA Registration Logic Settings Affect a Customer's Question Set?

Example configurations are presented in the following table.

Example   Questions/Menu   Categories/Menu   Questions/Category in a Menu
1         7                4                 2+2+2+1
2         10               4                 3+3+2+2
3         10               1                 10

Example 1, shown on line 1, results in registration menus containing 2 questions from category A and 2 questions from category B and 2 questions from category C and 1
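As an added illustration (example code written for this page, not Oracle's implementation), the following Python sketch models the question set generation described above: one fixed set of menus per user, each menu holding a configurable number of questions spread as evenly as possible over a configurable number of categories, so that a 7-question, 4-category menu splits 2+2+2+1 as in Example 1 and a 10-question, 4-category menu splits 3+3+2+2 as in Example 2. The sample question library, the per-user seed standing in for the one-time random allotment, and the rule that no question is offered twice within one user's set are assumptions made for the example.

```python
import random
from collections import Counter

# Constructed sample library: category names from the out-of-the-box list,
# question texts made up for this example (6 per category).
QUESTION_LIBRARY = {
    cat: [f"{cat} question {i}" for i in range(1, 7)]
    for cat in ["Childhood", "Sports", "Your Birth", "Pets", "Education", "Automobile"]
}

def split_across_categories(questions_per_menu, categories_per_menu):
    """Spread one menu's questions as evenly as possible over its categories.
    7 over 4 -> [2, 2, 2, 1]; 10 over 4 -> [3, 3, 2, 2]; 10 over 1 -> [10]."""
    base, extra = divmod(questions_per_menu, categories_per_menu)
    return [base + 1 if i < extra else base for i in range(categories_per_menu)]

def generate_question_set(library, questions_to_register, questions_per_menu,
                          categories_per_menu, seed):
    """Build one user's fixed Question Set: one menu per question to register.
    The seed stands in for the per-user allotment (assumption): the same seed
    always yields the same menus, so the set only changes when it is reset."""
    rng = random.Random(seed)
    remaining = {cat: list(qs) for cat, qs in library.items()}
    menus = []
    for _ in range(questions_to_register):
        counts = split_across_categories(questions_per_menu, categories_per_menu)
        # Prefer categories with the most unused questions (random among ties)
        # so that no question is offered twice across this user's menus.
        cats = [c for c in remaining if remaining[c]]
        rng.shuffle(cats)
        cats.sort(key=lambda c: len(remaining[c]), reverse=True)
        cats = cats[:categories_per_menu]
        if len(cats) < categories_per_menu:
            raise ValueError("library has too few categories with unused questions")
        menu = []
        for cat, n in zip(cats, counts):
            if len(remaining[cat]) < n:
                raise ValueError(f"category {cat!r} has too few unused questions")
            picked = rng.sample(remaining[cat], n)
            remaining[cat] = [q for q in remaining[cat] if q not in picked]
            menu.extend((cat, q) for q in picked)
        rng.shuffle(menu)  # order of questions within a menu is random
        menus.append(menu)
    return menus

def menu_category_counts(menu):
    """Questions per category in one menu, largest first (e.g. [2, 2, 2, 1])."""
    return sorted(Counter(cat for cat, _ in menu).values(), reverse=True)
```

Calling `generate_question_set(QUESTION_LIBRARY, 3, 7, 4, seed=42)` reproduces Example 1 (three menus of 7 questions drawn from 4 categories each), and a larger library than the one constructed here is needed before Example 3 (10 questions from a single category) can be generated.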