Two-factor authentication: Password and security questions

For this use case an authentication chain is set up to require authentication with both a valid password and valid answers to security questions.

This can be implemented by configuring a custom authentication chain:

Module                                   Control type
Password authentication (password.pss)   required
Security questions (response.pss)        binding

When a user logs in:

  1. The user chooses the custom authentication chain and enters a password.

  2. If the password is entered:

    • Correctly, then the user is prompted for their security questions.

    • Incorrectly, then the user is still prompted for their security questions. However, even if the security questions are answered correctly, the user is redirected to the main page to select another authentication method. This is because the Control type for the password.pss module is set to required: the chain passes authentication only if this module succeeds and every later module in the chain also succeeds.

  3. If the answers to the security questions are:

    • Valid, then the user is immediately logged into the Front-end.

    • Invalid, then the user is redirected to the main page to select another authentication method. This is because the Control type for the response.pss module is set to binding, so the chain fails if an invalid answer is entered.
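To make the required/binding behaviour described above concrete, the following Python model evaluates a two-module chain the way this page describes it. It is an added illustration written for this page, not Bravura's own code; the credential store, the module callbacks and the bypass rule for users without a security questions profile are assumptions modelled on this page's description.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Control types as this page describes them (illustration, not Bravura's code):
#   required: a failure does not stop the chain; the remaining modules still
#             prompt the user, but the chain is ultimately denied.
#   binding:  a failure ends the chain immediately.
REQUIRED, BINDING = "required", "binding"

@dataclass
class Module:
    name: str
    control: str
    verify: Callable[[dict], Optional[bool]]  # None = "Bypass this module"

@dataclass
class Outcome:
    granted: bool = True
    prompted: List[str] = field(default_factory=list)  # modules the user saw

def run_chain(chain: List[Module], creds: dict) -> Outcome:
    """Evaluate the chain in order, applying the required/binding rules."""
    outcome = Outcome()
    for module in chain:
        result = module.verify(creds)
        if result is None:              # no security questions profile: skip
            continue
        outcome.prompted.append(module.name)
        if result:
            continue
        outcome.granted = False         # this module failed
        if module.control == BINDING:
            break                       # binding: stop right here
        # required: keep prompting through the rest of the chain, deny at end
    return outcome

# Constructed sample credential store (not real data)
PASSWORDS: Dict[str, str] = {"alice": "correct horse", "bob": "hunter2"}
PROFILES: Dict[str, Dict[str, str]] = {"alice": {"first pet": "rex"}}  # bob: none

def password_pss(creds: dict) -> bool:
    return PASSWORDS.get(creds["user"]) == creds.get("password")

def response_pss(creds: dict) -> Optional[bool]:
    profile = PROFILES.get(creds["user"])
    if not profile:
        return None   # assumed: "Bypass this module" for users without a profile
    answers = creds.get("answers", {})
    return all(answers.get(q) == a for q, a in profile.items())

# The chain from the table above: password required, security questions binding
CHAIN = [Module("password.pss", REQUIRED, password_pss),
         Module("response.pss", BINDING, response_pss)]
```

Running the chain with a wrong password still prompts for the security questions but returns granted=False, which is the behaviour described in step 2; a user without a profile is let through on the password alone because the bypassed module never runs.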

Configure two-factor authentication

In this example, the default authentication chain includes the select_chain module which presents the user with options for authentication. In this demonstration, a second module is added to the default authentication chain, so that users must pass two-factor authentication in order to proceed. The second module will prompt users to answer a security question if they have completed their security questions profile.

This example assumes that the Update security questions (PSQ) module is enabled and an end user has completed their security questions profile. In a Bravura Privilege installation, the Update security questions (PSQ) module is disabled by default, because it is a weak authentication method by itself.

Add a custom authentication chain

To configure authentication for this scenario, first add a custom authentication chain module:

  1. Log into Bravura Security Fabric as superuser.

  2. Click Manage the system > Policies > Authentication chains > Front-end login.

    The Front-end login page shows the DEFAULT_LOGIN authentication chain.

  3. Click Disable.

    You must disable a chain in order to modify it. This prevents users from interacting with the chain while you are configuring it.

    Disabling the DEFAULT_LOGIN authentication chain does not prevent users from accessing Bravura Security Fabric; it simply defaults to using the PSFEXT VALUES specified in Modules > Front-end (PSF) options.

  4. Under Modules, select the select_chain module.

  5. Set the Control type for this module to Required.

    This means that, if authentication on this module succeeds, access is granted unless authentication fails on a module further along the chain. If authentication fails, the user proceeds to the next module, but is ultimately denied access.

  6. Click Update to close the Module configuration options.

    Now add a second module.

  7. Under Modules, click Add new…

  8. Configure the built-in security question module:

    1. From the Module drop-down list, select Security questions.

    2. Set the Control type for this module to Required.

    3. Click Update.

    Notice some extra options become available in the Module configuration section.

  9. From the If a user does not have a valid security questions profile drop-down list, select Bypass this module.

  10. In the Number of questions to ask during authentication section, select 1 for From [DEFAULT_PREDEFQSET] and From [DEFAULT_USERQSET].

  11. Click Update to close the Module configuration options.

  12. Confirm that the modules are in the correct order and type; that is, the select_chain module has a 1 in the Order column, and the response.pss module has a 2 in the Order column.

    For maximum security, the last module in a chain should always have a binding, required or requisite control type.

  13. Click Enable to make the DEFAULT_LOGIN authentication chain available to users.

Test the authentication process

To test the authentication chain:

  1. Log in to Bravura Security Fabric as an end-user.

    Because the PSF EXT option is set to User-selectable via Manage the system > Modules > Front-end (PSF), and the PSFEXT VALUES option includes both password.pss and response.pss, the user is given an initial choice to select either password or security question authentication.

  2. Click Use password.

  3. Enter the correct password.

    Because the Control type of both the select_chain module and the response.pss module is set to required, the user must pass both modules in order: first the method chosen in step 1 (either their password or their security questions), then the security questions again. The user chose and satisfied the password requirement, so the Security questions page is now displayed.

  4. Correctly answer the security question.

    You will be directed to the main menu.

    Both required authentication modules have been satisfied, and the user is successfully logged in.

If, during testing, you were prompted with a choice of password or security questions followed by the user's security questions and had to answer both correctly to gain entry, then you have completed the configuration correctly.