
Question set options

The following options apply to question sets:

Options marked with ⋆ are for pre-defined question sets only.

Options marked with † are for external question sets only.

Table 1. Question set options

Option

Description

ID

(Required) A unique identifier for the new question set.

Description

(Required) The description that Bravura Security Fabric displays to users.

Enabled

Select this checkbox to enable the question set for use with Bravura Security Fabric. This is enabled by default.

⋆ Users allowed to edit answers

Select this checkbox to allow regular users to edit answers in a pre-defined question set. This is enabled by default. If disabled, this question set will not be accessible through the Update security questions (PSQ) module.

† Users allowed to edit questions/answers

Select this checkbox to allow regular users to edit questions and answers in an external question set. If disabled, this question set will not be accessible through the Update security questions (PSQ) module.

Minimum number of answered questions per user

(Required) The number of questions to which a user must provide answers. Set the value to 0 to make a question set optional.

When you change this setting, Bravura Security Fabric automatically schedules the psdonechk program to run once to check compliance. To modify the scheduled job, click Manage the system > Maintenance > Scheduled jobs, then select PSDONECHK.

Answers in the set must be unique

Select this checkbox to prevent users from giving the same answer to two different questions.

Help-desk permissions

Select a value to control how help-desk users can interact with questions and answers in this set:

  • Not allowed to view security questions

  • Requires authentication with security questions

  • Allowed to view security questions

    See Help-desk permissions for details.

Ask users to answer questions from this set

Select this checkbox to prompt users to answer questions from this set during authentication.

Ask telephone users to answer questions from this set

Select this checkbox to prompt Phone Password Manager users to answer questions from this set during interactive voice response (IVR) authentication.

Plugin for validating answers

(Optional) The plugin to test the strength of questions and answers when a user is updating their question sets.

This option is available in user-defined and pre-defined question sets.

Number of questions to ask during authentication

(Required) Set the number of questions to randomly draw from this set to ask a user during authentication.

The number of questions to ask cannot exceed the Minimum number of questions user profiles should contain. For an external question set, set this number to -1 if you want to get all questions from the external source.

Page number for question set to be displayed in

(Required) Users may be prompted to answer questions in a sequence of authentication pages. Type an integer in this field to make questions in this set appear before or after questions in other sets.

The page number must be unique for external question sets.

Algorithm to match answers during authentication

Select the algorithm to use when comparing the answers typed during authentication to the answers stored in the user’s profile:

  • Exact string match

  • Case-insensitive

  • Only alpha characters

  • Soundex algorithm

  • One extra character

  • N extra characters

† External program

(Required) The name of the external program, or authentication plugin, to run.

See External question set plugin tasks.

This option is only available for external question sets.

† Check that user has an account on target system

Determines how Bravura Security Fabric identifies users on an external system.

See Identifying users on external systems for details.

† External program provides answers along with questions

Select this checkbox if an external program will provide both questions and answers for Bravura Security Fabric to display and validate.

If this checkbox is not selected, then the program will accept answers from Bravura Security Fabric and validate them.

This option is only available for external question sets.

See External question set plugin tasks.



Note the following:

  • Questions from any of the question sets can only appear in the default security questions if the value for Number of questions to ask during authentication is greater than 0 and Ask users to answer questions from this set is checked.

  • To prevent the order of questions in a selected set from being randomized, set Number of questions to ask during authentication to -1. This is required for multi-stage question sets, since their entries often must be shown in a particular order.

  • If you enable, disable, or modify the Ask users to answer questions from this set option in a question set that is part of any custom authentication chains, then you must also modify the chains. See Using question sets with authentication chains for details.

Help-desk permissions

The possible values for the Help-desk permissions option are as follows:

Select this value …

So that help desk users …

Not allowed to view security questions

Are not prompted to answer questions from this set when the HELPDESK_LOGIN authentication chain is disabled.

This applies regardless of their user access rules.

Requires authentication with security questions

Can be prompted to answer questions from this set before being allowed to view a user’s profile in the Help users (IDA) module when the HELPDESK_LOGIN authentication chain is disabled.

Disabling the HELPDESK_LOGIN authentication chain and using this option can be done for legacy / backward compatibility.

Help desk users with the "Bypass security questions" right can choose to skip this step.

Allowed to view security questions

Can view or edit the answers for a user’s question set after clicking on the Security questions tab from the user’s profile.

Help desk users are not prompted to answer questions from this set when the HELPDESK_LOGIN authentication chain is disabled.

Note: The global help desk rule is also required to have:

  • The "View security questions" privilege enabled in order to view the answers for the user’s questions.

  • The "Update security questions" privilege enabled in order to edit the user’s questions and/or answers.

Help desk users are only able to view users’ answers in plain-text if:

  • The help-desk permissions setting for the question set is set to "Allowed to view security questions"

    and,

  • The global help desk rule is configured so that the "View security questions" privilege is allowed.

If either the help-desk permissions setting is set to anything else or if the global help desk privilege is not enabled, then the help desk user will not be able to view the answers for the questions.

Help desk users will only be able to update the questions and/or answers for a user if:

  • The help-desk permissions setting for the question set is set to "Allowed to view security questions"

    and,

  • The global help desk rule is configured so that the "Update security questions" privilege is allowed.

If either the help-desk permissions setting is set to anything else or if the global help desk privilege is not enabled, then the help desk user will not be able to update the user’s questions and/or answers.


Algorithm for comparison of answers

The possible values for the Algorithm for comparison of answers option are as follows:

Select this value …

So that …

Exact string match

Answers must match the stored profile character-for-character.

Case-insensitive

Uppercase and lowercase letters are treated alike.

Only alpha characters

Characters other than letters (digits, punctuation marks, spaces) are ignored when comparing what the user typed to the Bravura Security Fabric answers in this question set.

Soundex algorithm

What the user typed must sound like what the profile contains.

One extra character

What the user typed can differ from the stored answer by at most one character (missing, added or changed).

N extra characters

What the user typed can differ from the stored answer by at most N characters (missing, added or changed), where N is the smallest integral value not less than 5% of the length of the stored answer.

Using question sets with authentication chains

It is recommended that you modify and re-save any custom authentication chain (if it includes a module that uses security questions) whenever a question set is enabled or disabled, or its Ask users to answer questions from this set option is modified. This causes the authentication chain module to use the updated settings from the question set. If the custom authentication chain and associated security question modules are not modified after the question set changes, then there can be complications (described below).

If the Ask users to answer questions from this set option is deselected for one of the question sets, then that question set cannot be used for authentication to the Front-end using the default login authentication chain.

For example, if an enabled question set has the Ask users to answer questions from this set option deselected, and an authentication chain module is configured for use with a custom authentication chain, then that chain cannot be used for authentication unless it is configured to not use any questions from the set with this option deselected. Instead, users see an error message stating that the authentication method is not accepted by the system. Authentication is still possible using the built-in security questions authentication method, but users are only prompted with questions from valid question sets. Any questions from the set that has the Ask users to answer questions from this set option deselected are not included in the authentication process. If all question sets have this option deselected, then users cannot log into the Front-end using any authentication method that involves security questions, including any custom authentication chains that require them. Only methods that do not involve security questions (such as password.pss) would be available for authentication in this case.

If a question set that is in use by an authentication chain is disabled or enabled, then the authentication chain module which uses this question set needs to be modified and re-saved before the new question set settings can be applied. Also, depending on what was modified, the module might need to be reconfigured to prompt for a different number of questions from the available question sets.

For example, if a question set is disabled, this could lower the number of questions available to an authentication chain configured to use that set. An error message appears if a user reaches a point in a custom authentication chain where a module is configured for security questions and one of the question sets is disabled. If that module is the score based challenge and response module, then the module itself is also unusable until it is reconfigured for the custom authentication chain. Once the module is modified, the values of its settings are automatically adjusted based on the question sets that are available. If the question set is re-enabled before the custom chain is modified, then the user is prompted with the number of questions defined within the set.

Troubleshooting question sets and authentication chains

If the custom authentication chain and associated security question modules are not modified after the question set is modified as described above, then the following can occur:

  • When the module is viewed in the authentication chain, the hover text for the parameters:

    • Still displays the old values from a previously-defined question set before it was disabled.

    • Does not display values for a question set that has been re-enabled, since it is using the default question set values.

  • When viewing the settings for the module without first disabling the chain, which is essentially a read-only format:

    • A disabled question set is no longer shown in the section for configured question sets.

    • A re-enabled question set is shown in the section for configured question sets, and is reset to Use question set setting.

  • If a user attempts to use an authentication chain that contains a security questions module with a disabled question set, then they will be unable to use the chain and will be presented with an error message stating that the authentication method is not accepted by the system. This also applies to help desk authentication if the chain is configured in the same way and a help desk user chooses this chain when authenticating on behalf of another user.

  • If a user attempts to use an authentication chain that contains a security question module with a re-enabled question set, then they will be prompted for the number of questions as previously defined by the re-enabled question set. This also applies to help desk authentication if the chain is configured in the same way and a help desk user chooses this chain when authenticating on behalf of another user.

Identifying users on external systems

When using an external question set, users must be properly identified on the external system. This external authentication plugin is available only to users who have an account on the specified target system; it is not displayed otherwise.

Enabling the Check that user has an account on target system option causes Bravura Security Fabric to verify that the user has an account on the specified target system.

If the specified target system is a source of profile IDs, then the user’s profile ID can be used to identify them on the external system.

However, if the specified target system is not a source of profile IDs and does not use standard IDs, then the user’s profile ID cannot be used to identify them on the external system, which is problematic. If both of these are true, then using the Check that user has an account on target system option passes the user’s target system login ID instead of the user’s profile ID, allowing them to be properly identified on the external system.

External question set plugin tasks

An external question set plugin program can interface with Bravura Security Fabric and the external system in several different ways. Depending on your question set configuration, a plugin can:

  • Provide questions – Bravura Security Fabric displays the questions provided by the plugin to users.

  • Provide both questions and answers – Bravura Security Fabric displays the questions provided by the plugin to users. Additionally, Bravura Security Fabric internally validates the users’ responses against the answers provided by the external program. In order for this to work, the External program provides answers along with questions checkbox must be selected.

  • Validate answers – The external system, rather than Bravura Security Fabric, determines whether users’ responses are valid. In order for this to work, the External program provides answers along with questions checkbox must not be selected.

  • Update users’ questions and answers on the external source – When users edit their questions and answers, the authentication plugin forwards their changes to the external source. In order for this to work, the Users allowed to edit questions/answers option must be selected.

See External question sets and authentication plugins for more information.