Oracle Adaptive Access Manager uses knowledge-based authentication (KBA) to prompt users for information by using challenge questions. An individual must provide previously registered answers during authentication.
This section provides guidelines for enabling challenge questions. Topics include
Knowledge-based authentication (KBA) is a form of secondary authentication where during authentication, the user is prompted by challenge questions and must provide previously registered answers.
Since KBA is a secondary authentication method it should only be presented after successful primary authentication. KBA challenge is necessary in medium to high risk situations. Challenging users too often and without significant risk degrades the user experience and possibly the security. The goal is to challenge users often enough so they can successfully recall their answers but not so often that they view it as a hindrance. As well, displaying the questions excessively increases the slim possibility of exposure to fraudsters through over-the-shoulder or some other attack. In general, a challenge roughly every month for a normal user is a good rate. Suspicious users should be blocked and should not have access to the system.
A phased rollout KBA is necessary to help ease the transition for the organization and the users. Spacing out the rollout allows for an important learning period and lessens the impact to customer service.
The user is not registered and there is little change to the user experience.
The user can choose to register.
The user must register an image, a phrase, and challenge questions to be stored in a customer profile.
The most successful phased approach generally includes these phases. The first two generally last between one and three months each depending on user population size and composition.
Phase one generally consists of Oracle Adaptive Access Manager risk evaluation. In this phase there is little change to user experience. Users continue to access through the existing methods. The only slight change to user experience is a block. Blocking is recommended in the phase for extremely high-risk situations. With blocking actions applied OAAM Admin can start to prevent fraud from day one. Since only very severe security violations are blocked normal users should not experience issues with them. Phase one can last any length of time desired by the business. Generally organizations stay in phase one for one to three months.
Phase two is the gradual introduction of the virtual devices and secondary authentication to the user population. In this phase registration is made available to the population or sub-populations of existing users on an optional basis. This opt-in allows users to register when they have time and feel comfortable. Brand new users should be given the option to register as soon as they are created. This strategy helps to distribute load on support over a period and to add convenience for users.
The user is prompted to register for challenge questions after successfully authenticating at sign-on. The user can choose to bypass registration and then proceed into the session.
Breaking up a rollout phase into sub-groups can further ease efforts. In large deployments staggering is advised. Phase two is generally the best time to implement staggering. The most common staggering has the following steps.
The user population is broken into groups. Geographic region is the most often used basis for this grouping
Staggered start dates are configured for each group.
To enable optional registration, link the Post-Auth Flow Phase 2 policy to the user group that you want KBA to be enabled for.
Phase three closes the door on the opt-in registration process. This phase is the transition to normal registration procedure that is used going forward for all users. For this reason phase three has no end. Any existing users that have not registered yet must complete registration before they can access the protected applications.
The user is prompted to register for challenge questions after successfully authenticating at sign-on. User proceeds into session after registration is complete.
To enable required registration, link the Post-Auth Flow Phase 3 policy to the user group that you want KBA to be enabled for.
If the user group was linked to "Post-Auth Flow Phase 2" policy earlier, that linkage should be removed.
The following chart presents a checklist for enabling challenge questions.
| Task | [ ] |
|---|---|
|
Import the OAAM Snapshot |
[ ] |
|
Link the appropriate policies to the user group that you want KBA to be enabled for. |
[ ] |
|
Ensure KBA properties are set |
[ ] |
|
Change the rules within the registration and challenge policies with appropriate actions |
[ ] |
|
Configure the challenge question answer validation using OAAM Admin |
[ ] |
|
Configure the Answer Logic using OAAM Admin |
[ ] |
A full snapshot of policies, dependent components and configurations is shipped with Oracle Adaptive Access Manager. The snapshot is in the oaam_base_snapshot.zip file and located in the MW_HOME/IDM_ORACLE_HOME/oaam/init directory.
If you are using pre-packaged policies, ensure that the OAAM snapshot has been imported. If you are not using pre-packaged policies, use this chapter as a guideline for enabling challenge questions.
To import the snapshot, refer to the instructions in Section 2.6, "Importing the OAAM Snapshot."
Ensure the bharosa.kba.active property is set to true. For instruction on how to set properties, refer to Section 28.6, "Editing the Values for Database and File Type Properties."
The challenge questions must be present in Oracle Adaptive Access Manager before the users can be asked to register. Challenge questions are included in the OAAM snapshot. For information on importing the snapshot which contains the questions, see Section 2.6, "Importing the OAAM Snapshot."
Ensure that KBA security policies that pertain to your business and security needs are loaded on your system. Link them to a user group to which you want KBA to be enabled.
For example, if you want the system to be able to challenge a user over the phone through a Customer Service Representative (CSR), you must import and enable the System CC Challenge Policy.
Note:
If you have a policy customized, ensure that you do not import that policy again. Doing so breaks the policy that you had customized.
If you are using OAAM pre-package policies, enable phase 2 scenarios by adding the user group to which you want KBA to be enabled to Phase 2 pre- and post- authentication policies.
Phase 2 provides optional registration scenarios that you may want to try out with users. If you find that the users like to use the registration process, you may add the scenarios to your authorization process.
Phase 2 introduces much more user experience changes and includes the use of virtual authenticators for credential input. They are in charge of securely collecting the login details, and facilitating registration/challenge.
To enable Phase 2 scenarios
Ensure that "Active" has been chosen for the status of the policy.
Ensure that all the rules in the policy are active.
Ensure that the user group to which you want KBA to be enabled has been selected for the Run Mode option.
Refer to Section 10.9.1, "Linking a Policy to a Group."
Note that it is important to ensure that the phase you are in corresponds to the policies you have your users linked to within OAAM Admin.
Change the rules within the registration and challenge policies with appropriate actions.
For example, assign a challenge action as one of the actions you want triggered.
For information, refer to Section 10.12.5, "Specifying Results for the Rule."
Validations are used to validate the answers given by a user at the time of registration. For answers, you can restrict the users to alphanumeric and a few specific special characters by adding a Regex validation.
For information, see Section 7.6, "Setting Up Validations for Answer Registration."
The Answer Logic settings can be configured for the exactness required for challenge question answers. For example, high risk transactions such as wire transfers may require a high degree of certainty (i.e. exact match) whereas accessing personal, non-sensitive information may require a lower degree of response certainty.
Configure the Answer Logic for answering threshold/tolerance, such as the level of fat fingering, typos, abbreviations, and so on.
For information, see Section 7.9, "Adjusting Answer Logic."