Oracle® Adaptive Access Manager Administrator's Guide Release 10g (10.1.4.5) Part Number E12055-03
This chapter provides an overview of KBA (Knowledge Based Authentication) configuration and of Oracle's Answer Logic algorithms. It also gives the steps for creating, importing, and exporting questions, for using the KBA Validation Editor, and for applying the KBA security solutions.
Topics covered include:
The default KBA configuration presents customers with three question menus. When a customer registers, he or she is required to select one question from each menu. These three questions become the customer's "registered questions". The KBA functionality enables you to manage these challenge questions.
To create a new question
On the Admin menu, point to KBA, point to Questions, and then click Create New Question.
The Create New Question page appears.
Type the new question in the question field.
Click in the Category box and select the category of question you want.
By default, there is no data in the Category menu. You must import the Security Questions zip files (oaam_kba_questions_<locale>.zip) for data to appear in the Category menu. You can also create a new category, which then appears in the Category menu.
In the Registration Validation list, click the type of registration validation you want.
Click in the Status box and select the status you want.
In the Answer Logic Hints list, click the type of Answer Logic Hint you want. These hints help the answer logic function more successfully on some questions, for example, on date related questions.
Click in the Locale box and select the language you want.
By default, the Locale menu displays English and 26 other default locale languages. For additional information on how to enable languages, see "Globalization Support" in the Oracle Adaptive Access Manager Installation and Configuration Guide.
Click Create.
The Question Detail page appears for the newly created question.
You can activate, disable, and edit a question on the Question Details page. If a question is disabled, new registrations will not get this question; customers who have previously selected this question are not affected. If you edit a question, customers using that question will receive the updated question.
To edit a question
On the List Questions page, click the wrench icon next to the question you want to edit.
The Question Details page appears.
Make the changes you want and click Save.
On the List Questions page you can view a list of all challenge questions and search the question repository based on various criteria. The List Questions page provides access to the Questions Details page for any question.
On the Admin menu, point to KBA, point to Questions, and then click List Questions.
The List Questions page appears.
To display only the category of questions you want to view, in the Category list click the category you want and click Submit Query.
To display only questions with the registration validation you want to view, in the Registration Validation list click the type you want and click Submit Query.
To display only questions with the type of answer logic hint you want to edit, in the Answer Logic Hint list click the type you want and click Submit Query.
To display only questions with the status you want to edit, in the Status list click the status you want and click Submit Query.
To find a specific question, in the Question ID box enter the ID of the question and click Submit Query.
To find a question by keyword, in the Question Keyword box enter the keyword and click Submit Query.
To find a question that was created or modified within a specific timeframe, click the calendar icons and select the From Date and To Date you want and click Submit Query.
To edit a question in the list, click the wrench icon to the left of the question you want to edit.
To delete, enable, or disable a question, select the check box to the left of the question and click the appropriate button above and below the list of questions.
You can search the question categories in the system based on various criteria.
To view question categories
On the Admin menu, point to KBA, point to Categories, and then click List Categories.
To display a specific question category, in the Category list, click the category you want and click Submit Query.
To display categories with a specific status, in the Status list click the status you want and click Submit Query.
To find a specific category, in the Category ID box enter the ID of the category and click Submit Query.
To find a category that was created or updated within a specific timeframe, click the calendar icons and select the From Date and To Date you want and click Submit Query.
To find all categories regardless of timeframe, select Ignore Dates.
To delete, enable, or disable categories, select the check box to the left of each category and click the appropriate action button above or below the list of categories.
New registrations are not presented with questions from a disabled category.
You can import Zip files of questions into the system. If you import questions that belong to a category not currently in the system, the category will also be imported. If you import a question with the same ID# as an existing question, the existing question will be overwritten.
To import questions
On the Admin menu, point to KBA, point to Questions, and then click Import Questions.
The Import Questions page appears.
Click Browse and locate the Zip file of questions you want.
Click Import.
The Import Questions page appears with a list of the newly imported questions.
To export questions
On the Admin menu, point to KBA, point to Questions, and then click Export Questions.
Enter search parameters to find the questions you would like to export.
Select the questions you want to export then click Export.
To export a delete script
On the Admin menu, point to KBA, point to Questions, and then click Export Questions.
Enter search parameters to find the questions you think you may want to delete in the future.
Select these questions and click Export Delete Script.
Export Delete Script enables you to export a delete script for the questions you have chosen. Later on, you can import the delete script to delete these questions.
Challenge questions are set up by the user during the registration process. They are used for additional authentication during high risk situations. Oracle's Answer Logic is used during the challenge response process.
An overview of Oracle's answer logic algorithms is presented below. The answer logic algorithms can be enabled or disabled using Oracle's Knowledge Based Authentication Configuration in Adaptive Risk Manager. The intensity or strength of some algorithms can also be configured.
This section also highlights the most common response errors and shows how Oracle's Answer logic algorithms are used for the system to intelligently detect the correct answers in the challenge response process.
The following answer logic algorithms are available for both the online challenge and phone challenge processes:
Abbreviations
Common abbreviations, common nicknames, common acronyms, and date format are handled by this algorithm.
Phonetics
Answers that "sound like" the registered answer, regional spelling differences, and common misspellings are handled by this algorithm.
Keyboard fat fingering
Answers with typos due to the proximity of keys on a standard keyboard are handled by this algorithm.
This section provides some examples of abbreviations, phonetics, and keyboard fat fingering.
Common abbreviations, common nicknames, common acronyms, and date format are handled by this algorithm.
Common Abbreviations
This algorithm matches the words in the following pairs as equivalent. Oracle has a predefined list of word pairs that covers common abbreviations, common nicknames, and common acronyms. The list can be customized by updating the properties file bharosa_auth_abbreviation_config.properties.
Street - St.
Drive - Dr.
California - CA
Common Nicknames
Oracle has a predefined list of the most common nicknames that is used in the challenge response process.
Timothy - Tim
Matthew - Matt
Date Format
Questions that require a date as the answer specify the format in which the user should enter the answer. The format is either YYYY or MMDD, but not both. However, from experience, customers still use other formats during the challenge response process. The abbreviation logic for date format treats the following as the same:
0713
713
July 13th
July 13
July 13, 1970
Answers that "sound like" the registered answer, regional spelling differences, and common misspellings are handled by this algorithm.
The phonetics algorithm is only supported in English.
Common Misspellings
Oracle's Phonetic Answer logic algorithm accounts for misspellings.
ph - f
Correct word: elephant - Spelling mistake: elefant
Oracle's Fat Fingering algorithm accounts for typos due to the proximity of keys on a standard keyboard and for transposed letters.
The number of fat fingering characters allowed depends on the length of the original word and the level set. The algorithm returns a percentage score associated with the characters that have an exact match. The intensity will determine the minimum score required to match the answer with the registered answer.
The fat fingering algorithm is only supported in English.
Common Typos
Examples of Fat Fingering
Correct word: signature - Fat finger: signatire
KBA validations are executed at the time of question registration. Validations are used to validate the answers given by a user at the time of registration. Validations can be associated with each individual question or at the global level to be applied to all the questions presented to the user.
KBA Validation Editor provides the following functions:
Create validations based on the available validation schemes in the system
Edit existing validations
Import validations
Export validations
Delete validations
You can add a new validation to the system when needed.
To add a Validation
On the Admin menu point to KBA, point to Questions, and then click Validations.
The Validation List/Editor page appears.
In the Validation Scheme list, click the name of the validation scheme you want to add.
You might, for example, select the validation scheme "Maximum Length". This validation scheme allows the user to create a validation for the maximum allowed length for the answer.
The parameters of the validation appear in the "Validation Parameters" area.
In the Name box, enter the name you want for this instance of the validation scheme.
When you create a validation from available validation schemes in the system, you are adding an instance of validation. You can then customize that instance.
In the Allowed Characters box, specify the validation parameter.
For example, the validation parameter can be '30' for an instance of the "Maximum Length" validation. This validation instance prevents the user from registering an answer longer than 30 characters.
See Table 9-1, "Validation Parameters" for a description of validation parameters for each validation scheme.
In the Error Message box, specify the error message shown to the user when the answer does not pass the validation condition.
For example, the error message can be "Your answers may not be more than thirty characters long." for an instance of the "Maximum Length" validation.
Click Add.
Adaptive Risk Manager Online adds this validation instance to the list of validations in the System.
Table 9-1 Validation Parameters
Validation Scheme/Type | Description for Validation Parameter
---|---
Minimum Length | Minimum length (number) for the answer. If the length of the answer entered by the user is less than the configured value, the validation fails and the user receives the configured error message.
Maximum Length | Maximum allowed length (number) for the answer. If the length of the answer entered by the user is greater than the configured value, the validation fails and the user receives the configured error message.
Date | Date/time pattern string for the answer. For example, the pattern can be "MMddyy" for Month Day Year validation. If the date/time answer entered by the user does not match the configured pattern, the validation fails and the user receives the configured error message.
Regex | Regex pattern string for the answer. For example, the pattern can be "[ A-Za-z0-9]+" for alphanumeric validation. If the answer entered by the user does not match the configured regex pattern, the validation fails and the user receives the configured error message.
Repeated Character | Allowed number of repeated characters in the answer. If the answer entered by the user contains more repeated characters than the configured value, the validation fails and the user receives the configured error message.
Repeated Answers | Allowed number of repeated answers. For example, the parameter value can be '1' for unique-answer validation. If the answer entered by the user is repeated more than the configured number of times, the validation fails and the user receives the configured error message.
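The validation schemes in Table 9-1, and the difference between global and per-question application, modelled in Python. This is an added example, not Oracle's code: the mapping of Java-style date patterns to strptime, the reading of "repeated characters" as a consecutive run, and the "same answer + 1 <= parameter" rule for Repeated Answers are assumptions.

```python
"""Model of the Table 9-1 validation schemes (added example, not Oracle's code)."""
import re
from datetime import datetime

# Java-style pattern letters (as in "MMddyy") mapped to strptime directives.
# Assumption: only these letters are needed for the patterns on this page.
_JAVA_TO_STRPTIME = [("yyyy", "%Y"), ("yy", "%y"), ("MM", "%m"), ("dd", "%d")]

def _strptime_pattern(java_pattern):
    out = java_pattern
    for java, py in _JAVA_TO_STRPTIME:   # longest token first
        out = out.replace(java, py)
    return out

def _longest_run(text):
    """Length of the longest run of one character (e.g. 'aaab' -> 3)."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best

class Validation:
    def __init__(self, scheme, parameter, error_message):
        self.scheme, self.parameter, self.error_message = scheme, parameter, error_message

    def check(self, answer, other_answers=()):
        """Return None when the answer passes, else the configured error message."""
        a = " ".join(answer.split())          # extra white space is removed
        if self.scheme == "Minimum Length":
            ok = len(a) >= int(self.parameter)
        elif self.scheme == "Maximum Length":
            ok = len(a) <= int(self.parameter)
        elif self.scheme == "Date":
            try:
                datetime.strptime(a, _strptime_pattern(self.parameter))
                ok = True
            except ValueError:
                ok = False
        elif self.scheme == "Regex":
            ok = re.fullmatch(self.parameter, a) is not None   # whole answer must match
        elif self.scheme == "Repeated Character":
            ok = _longest_run(a) <= int(self.parameter)       # assumption: consecutive run
        elif self.scheme == "Repeated Answers":
            same = sum(1 for o in other_answers
                       if " ".join(o.split()).casefold() == a.casefold())
            ok = same + 1 <= int(self.parameter)               # '1' means unique answers
        else:
            raise ValueError("unknown validation scheme: " + self.scheme)
        return None if ok else self.error_message

def register_answers(answers, global_validations, per_question=None):
    """Apply the global validations to every answer, then each question's own.
    Returns {question index: [error messages]} for the answers that fail."""
    per_question = per_question or {}
    errors = {}
    for idx, answer in enumerate(answers):
        others = answers[:idx] + answers[idx + 1:]
        for v in list(global_validations) + list(per_question.get(idx, ())):
            msg = v.check(answer, others)
            if msg:
                errors.setdefault(idx, []).append(msg)
    return errors

# A four-digit-year validation: harmless on one date question, but applied
# globally it rejects every alphanumeric answer in the registration set.
YEAR_ONLY = Validation("Date", "yyyy", "Enter a four digit year (YYYY).")
```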
To edit an existing validation
On the Admin menu, point to KBA, point to Questions, and then click Validations.
The Validation List/Editor page appears.
Click the name of the validation you want to edit.
The Validation customization section appears above the list of validations.
Make the necessary changes in Validation Parameters. See Table 9-1, "Validation Parameters".
The Validation customization section allows you to edit the Name, Allowed Characters, and Error Message fields.
Click Save.
Adaptive Risk Manager Online updates this validation instance in the system.
To import validations
On the Admin menu, point to KBA, point to Questions, and then click Import Validations.
The Import Validations page appears.
Click Browse and locate the Zip file of validations you want.
Click Import.
The Import Validations page appears with a list of the newly imported validations.
To export validation(s)
On the Admin menu point to KBA, then Questions and then click Validations.
The Validation List/Editor page appears.
Click the check box next to each validation you want to export.
The Select All toggle button selects or deselects all validations.
Click the Export button above or below the list of validations.
Click OK in the confirmation dialog.
The Open dialog box appears.
Click Save To Disk and then click OK.
The selected validations are exported.
To delete validation(s)
On the Admin menu point to KBA, then Questions and then click Validations.
The Validation List/Editor page appears.
Click the check box next to each validation you want to delete.
The Select All toggle button selects or deselects all validations.
Click the Delete button above or below the list of validations.
Click OK in the confirmation dialog.
The selected validations are deleted.
In the Registration Logic area you can manage and configure the registration for challenge questions and answers. To do so, you enter values for the Question Set generation and any global validations needed.
To view and configure the registration for challenge questions and answers
On the Admin menu, point to KBA, point to KBA Logic, and then click Registration Logic.
The Registration Logic page appears.
To enter or change the values for the question set generation, enter a value in the appropriate field at the top of the page.
You can specify the:
Number of questions that a user needs to register
Number of questions that appear on each menu
Number of categories per menu
Note:
Enter realistic numbers. For example, the number of questions that a user needs to register should be 3 to 5 questions.
To add global validations, in the Available Validations box, click the validation you want to add and then click Add.
The validation appears in the Global Validations box.
To delete a global validation, in the Global Validations box, click the validation you want to delete and then click Delete.
Click Save.
The KBA answer logic configuration screen includes controls for the level of each Answer logic algorithm used for answer validation. The higher the level the less exact answers need to be for acceptance.
You can configure the answer logic (fuzzy logic) algorithms on the Answer Logic page. The algorithms are divided into three categories: Common Abbreviations, Fat Fingering (accidentally pressing the nearest neighbor on the keyboard), and Phonetics.
On the Admin menu, point to KBA, point to KBA Logic, and then click Answer Logic.
The Answer Logic page appears.
Click in the Authentication Type box and specify whether you want the configuration to apply to the Online challenge or CRS Phone Challenge.
You can specify different settings for online and phone challenge.
To change the level of answer logic used for a category, select Off, Low, Medium, or High: the lower the setting the higher degree of exactness required.
Click Save.
The level of Answer logic used to evaluate answers given for challenge questions is adjustable through Adaptive Risk Manager. You can enable or disable each algorithm. In addition, you can specify one of the following levels for each algorithm:
Off – No Answer logic is used; answers must exactly match those previously registered by the user.
Low – Less Answer logic; answers must be more exact
Medium – More Answer logic
High – Highest level of Answer logic
Each algorithm generates a score that represents how close the given answer is to the registered answer. Adaptive Risk Manager can be configured to accept different threshold score ranges for each algorithm individually. Separate threshold values for each algorithm (low/medium/high) are set in a properties file. Below are the default thresholds.
Abbreviation:
Return values: 0 or 100 (no-match OR match)
Levels: OFF, LOW (100), MEDIUM (100), HIGH (100)
Logic
If an abbreviation entry exists linking the given strings, score is 100
Else score is 0
Fat finger:
Return values: range 0 to 100
Levels: OFF, LOW (90+), MEDIUM (75+), HIGH (60+)
Logic
If the string lengths don't match, score is 0
If a position does not have the expected character or its neighbor, score is 0
Else compute the number of positions that have the neighboring characters.
Score = (StringLength - NeighborPositionCount) * 100 / StringLength
Phonetics:
Return values: 0, 60, 75, 90
Levels: OFF, LOW (90), MEDIUM (75), HIGH (60)
Logic
Compute primary and alternate phonetic keys for the given strings, using the Double Metaphone algorithm
If primary keys of both strings match, score is HIGH
Else if a primary key of one of the strings and alternate key of the other string match, score is MEDIUM
Else if the alternate keys of both string match, score is LOW
Else the score is 0
Multiple word answers
Answers that contain multiple words are treated in a specific way by the answer logic. If the final score from a complete string match does not meet the "success" criteria, individual words in the answer are evaluated. If each individual word in an answer is accepted by any of the algorithms the whole answer is accepted.
Multiple word answers with missing/extra words must be an exact match to the registered answer. Answers must have the same number of words as the registered answer to be evaluated with Answer logic.
For example: If the registered answer is "Mead Elementary School" and the answer given at the time of challenge is "Mesd Elem Sch":
Abbreviation: Mead-Mesd=0; Elementary-Elem=100; School-Sch=100
Fat-finger: Mead-Mesd=75; Elementary-Elem=0; School-Sch=0
Phonetics: Mead-Mesd=0; Elementary-Elem=0; School-Sch=0
Let's assume that abbreviation was set to anything besides off and fat fingering was set to medium or high. Since all three words would be accepted individually the whole answer would be accepted.
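The abbreviation and fat-finger scoring, the per-level thresholds, and the multiple-word rule from the passages above, worked through on the "Mead Elementary School" example. This is an added example, not Oracle's code: phonetics (Double Metaphone) is left out, and the abbreviation pairs and the simplified QWERTY adjacency table are constructed assumptions standing in for the product's own lists.

```python
"""Model of the KBA answer-logic scoring (added example, not Oracle's code)."""

# Default minimum score per level, from the page (None = algorithm off).
THRESHOLDS = {
    "abbreviation": {"off": None, "low": 100, "medium": 100, "high": 100},
    "fatfinger": {"off": None, "low": 90, "medium": 75, "high": 60},
}

# Constructed word pairs; the product reads its own list from
# bharosa_auth_abbreviation_config.properties (not reproduced here).
ABBREVIATIONS = {
    ("street", "st"), ("drive", "dr"), ("california", "ca"),
    ("timothy", "tim"), ("matthew", "matt"),
    ("elementary", "elem"), ("school", "sch"),
}

# Simplified QWERTY adjacency (assumption): keys one position away in the
# same row plus the three nearest keys in the rows above and below.
_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

def _build_neighbors():
    table = {}
    for r, row in enumerate(_ROWS):
        for i, ch in enumerate(row):
            near = set()
            for rr in (r - 1, r, r + 1):
                if 0 <= rr < len(_ROWS):
                    near.update(_ROWS[rr][max(i - 1, 0):i + 2])
            near.discard(ch)
            table[ch] = near
    return table

NEIGHBORS = _build_neighbors()

def abbreviation_score(given, registered):
    """100 if a pair entry links the two strings, else 0 (page logic)."""
    pair = (registered.lower(), given.lower())
    return 100 if pair in ABBREVIATIONS or pair[::-1] in ABBREVIATIONS else 0

def fat_finger_score(given, registered):
    """Page logic: lengths must match, every differing position must hold a
    neighbouring key, score = (len - neighbour_positions) * 100 / len."""
    g, r = given.lower(), registered.lower()
    if not r or len(g) != len(r):
        return 0
    neighbor_positions = 0
    for gc, rc in zip(g, r):
        if gc == rc:
            continue
        if gc not in NEIGHBORS.get(rc, ()):
            return 0
        neighbor_positions += 1
    return (len(r) - neighbor_positions) * 100 // len(r)

SCORERS = {"abbreviation": abbreviation_score, "fatfinger": fat_finger_score}

def word_accepted(given, registered, levels):
    """Exact match (case-insensitive) or any enabled algorithm meeting its level."""
    if given.lower() == registered.lower():
        return True
    for name, score in SCORERS.items():
        minimum = THRESHOLDS[name][levels.get(name, "off")]
        if minimum is not None and score(given, registered) >= minimum:
            return True
    return False

def answer_accepted(given, registered, levels):
    """Whole-string check first; if that fails, every word must be accepted
    individually. A different word count allows only an exact match."""
    g_words, r_words = given.split(), registered.split()
    if len(g_words) != len(r_words):
        return " ".join(g_words).lower() == " ".join(r_words).lower()
    if word_accepted(" ".join(g_words), " ".join(r_words), levels):
        return True
    return all(word_accepted(g, r, levels) for g, r in zip(g_words, r_words))
```

Note that the page's own "signature"/"signatire" typo scores 88 under this formula, so it is rejected at the Low level (90) and accepted only from Medium (75) upward.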
A hint can be added to questions individually to affect the answer logic used to evaluate given answers. This is done to better tune the logic for the type of question. This is especially important for date related questions.
For example, if a question has the date answer hint applied then the abbreviations, phonetics and fat fingering answer logic will run first then special date format logic will be applied.
These recommendations provide guidelines for implementing KBA authentication. They provide guidance to institutions for configuring and implementing custom enrollment and challenge procedures within the guidelines of best practices.
No confidential data used in question.
Answers are difficult to guess.
Answers cannot be obtained from public sources.
Questions that are applicable to general public.
Answers are memorable/personally significant.
Questions where answers can change over time are avoided.
Questions cannot pertain to religion, politics, taboo subjects, and so on.
Answers must be at least 4 characters.
No more than 2 answers can be the same during registration.
Answers cannot have more than 2 repeating characters.
Special characters are not allowed.
Answers are not case sensitive.
Extra white spaces are removed.
Fuzzy logic implemented - degree configurable by client.
Unique pick set for each customer.
Register 3-5 questions. i.e. 15 total questions to select from, 3 drop down menus of 5 questions each.
Maximum of 2 questions from the same category in a drop-down menu.
Maximum opt-out - i.e. 3 opt-out attempts before "force" registration.
When challenged, the same question is to be presented until user responds correctly or question is reset by customer service agent.
Can KBA collection be limited to low-risk transactions?
KBA registration can be deferred if the login conditions are risky. The administrator can update the registration model based on his requirements.
How can an administrator configure the system so that if a user continues to come from a high-risk location, and so on, he will be blocked after a defined time period and collection will be performed by a customer service representative?
The administrator can add a new action—for example "risky_session"—and a rule—for example "action count"—to force a block after a specified number of risky sessions.
How can the administrator configure the system so that the user can choose to skip the collection process "n" number of times?
The administrator will need to add a rule—for example, "action count"—and force registration after a specified number of skips.
Many validations may be applied locally or globally. You must be careful not to apply globally any validation that you do not want to influence all answer registration. For example, if the "Four digit year (YYYY)" validation is applied globally, then only numeric answers will be accepted during KBA registration. This would be a problem if there are questions available to users that would normally have alphanumeric answers.
You can create, edit, and delete questions and categories. You should take care when deleting categories and questions. Insufficient numbers of questions and categories can impact the security of the solution and cause usability issues. For example, if the "Categories per menu" registration logic is set to a number that is more than the total number of categories in the system then there may be duplicate questions listed. This can be confusing to end users so it should be avoided.
For security and usability reasons set the "Questions per menu" setting between 4 and 7. This range provides a good mix of questions in a user's question set but does not expose too many questions to any single user.
The "Questions user will register" setting should be between 3 and 5. This provides enough questions to offer good security but does not over burden a user's memory. The basic industry standard for KBA is 3 registered questions.
It is recommended that you completely configure all of the challenge questions, including locale, before making the question available to customers.
If you disable a challenge question, customers who previously had that question will continue to have the question even after it is disabled. However, users that are registering for the first time or re-registering will not be presented with the disabled question.