Question sets
Security questions can be used in three basic ways:
As an authentication factor for end users.
To assist help-desk users in identifying callers by asking them to answer some of their previously defined questions.
To allow help-desk users access to profiles without authenticating callers, but allow them to see questions and answers for informal authentication.
Best practice
Security question authentication is weak and subject to social engineering risks. Bravura Security recommends using alternative authentication methods that are more secure but understands that some product deployments still use them as a factor. Where used, Bravura Security only considers the risks of security questions acceptable for Bravura Pass and Bravura Identity deployments, but not for Bravura Privilege.
Bravura Security recommends configuring at least two question sets for enhanced security:
Question set 1: used by end users to authenticate themselves. No other users will have access to this question set in any way.
Question set 2: used by help-desk users to authenticate end users.
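The separation behind the two-set recommendation is that help-desk staff can verify answers (and, for informal authentication, view questions and answers) from set 2 but can never touch set 1. The following is an added illustration of how a profile store can enforce that split; it is not Bravura Security Fabric code, and the set names, role names, answer normalisation rule and PBKDF2 parameters are constructed for the example.

```python
"""Access separation for two security-question sets.

Added illustration of the two-set best practice; not Bravura Security Fabric
code. Set names, role names, the normalisation rule and the PBKDF2 parameters
are constructed for this example.
"""
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

END_USER_SET = "QSET_1_END_USER"    # constructed: only the profile owner may use it
HELP_DESK_SET = "QSET_2_HELP_DESK"  # constructed: help-desk may verify and view Q&A

# Per-set policy: which roles may verify an answer, and which may read the
# questions and answers in clear for informal authentication. Set 1 is
# readable by nobody and verifiable only by the end user.
POLICY = {
    END_USER_SET: {"verify": {"end_user"}, "read": set()},
    HELP_DESK_SET: {"verify": {"help_desk"}, "read": {"help_desk"}},
}


class AccessDenied(Exception):
    """Raised when a role touches a question set it is not entitled to."""


@dataclass
class StoredQuestion:
    question: str
    salt: bytes
    digest: bytes
    clear_answer: Optional[str]  # retained only where POLICY allows reading


def normalise(answer: str) -> str:
    """Case-fold and collapse whitespace so ' Main  Street ' matches 'main street'."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked profile store does not expose answers directly.
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, 100_000)


class Profile:
    def __init__(self, user_id: str) -> None:
        self.user_id = user_id
        self.sets: Dict[str, List[StoredQuestion]] = {END_USER_SET: [], HELP_DESK_SET: []}

    def enrol(self, set_name: str, question: str, answer: str) -> None:
        """Store an answer; keep it in clear only for a set that some role may read."""
        salt = os.urandom(16)
        clear = answer if POLICY[set_name]["read"] else None
        self.sets[set_name].append(StoredQuestion(question, salt, hash_answer(answer, salt), clear))

    def is_complete(self, set_name: str, required: int) -> bool:
        """Enrolment gate: a set is unusable for authentication until it has enough answers."""
        return len(self.sets[set_name]) >= required


def verify_answer(profile: Profile, set_name: str, role: str, index: int, answer: str) -> bool:
    """Check one answer on behalf of `role`; help-desk can never verify set 1."""
    if role not in POLICY[set_name]["verify"]:
        raise AccessDenied(f"{role} may not verify answers in {set_name}")
    q = profile.sets[set_name][index]
    return hmac.compare_digest(q.digest, hash_answer(answer, q.salt))


def view_questions(profile: Profile, set_name: str, role: str) -> List[Tuple[str, str]]:
    """Informal-authentication view of questions and answers; set 1 is never shown."""
    if role not in POLICY[set_name]["read"]:
        raise AccessDenied(f"{role} may not read {set_name}")
    return [(q.question, q.clear_answer) for q in profile.sets[set_name]]


def is_denied(fn, *args) -> bool:
    """Return True if the policy rejects the call (keeps callers free of try/except)."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    p = Profile("alice")  # constructed sample profile
    p.enrol(END_USER_SET, "Name of your first school?", "Hillcrest")
    p.enrol(HELP_DESK_SET, "Floor of your desk?", "4")
    print(verify_answer(p, END_USER_SET, "end_user", 0, " hillcrest "))            # True
    print(is_denied(verify_answer, p, END_USER_SET, "help_desk", 0, "Hillcrest"))  # True
    print(view_questions(p, HELP_DESK_SET, "help_desk"))  # [('Floor of your desk?', '4')]
```

Two design choices carry the page's point: answers for set 1 are stored only as salted, slow hashes because no role is ever allowed to display them, while set 2 keeps a clear copy solely because the help-desk view requires it, which is exactly why a compromised help-desk account must not be able to reach set 1. The `is_complete` gate mirrors the note about the Update security questions (PSQ) module: a user whose profile is not fully enrolled has no usable set to authenticate with.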
You can define and use combinations of question sets that include:
Question set type | Description
User-defined questions | Users create their own questions and answers. Bravura Security Fabric includes a default user-defined question set, DEFAULT_USERQSET.
Pre-defined questions | Users provide answers to pre-defined questions that they choose from a list. Bravura Security Fabric includes a default pre-defined question set, DEFAULT_PREDEFQSET, which contains sample questions. It is intended that product administrators define additional questions that are highly secure.
External questions | Questions, or both questions and answers, are stored in an external source, such as RSA Authentication Manager or an LDAP directory, and retrieved by a plugin.
Note
If you are using security questions as an authentication method, ensure that the Update security questions (PSQ) module is enabled, otherwise users cannot complete their security question profiles.