7 Enabling Challenge Questions

Oracle Adaptive Access Manager uses knowledge-based authentication (KBA) to prompt users for information by using challenge questions. An individual must provide previously registered answers during authentication.

This section provides guidelines for enabling challenge questions. Topics include

7.1 What is KBA?

Knowledge-based authentication (KBA) is a form of secondary authentication where the user answers personal questions to confirm identity. The user is prompted for information by using challenge questions and must provide previously registered answers during authentication. Questions can vary, and each response is encrypted at the point of entry to accurately and securely confirm identity and prevent fraud.

Since KBA is a secondary authentication method it should only be presented after successful primary authentication. KBA challenge is necessary in medium to high risk situations. Challenging users too often and without significant risk degrades the user experience and possibly the security. The goal is to challenge users often enough so they can successfully recall their answers but not so often that they view it as a hindrance. As well, displaying the questions excessively increases the slim possibility of exposure to fraudsters through over-the-shoulder or some other attack. In general, a challenge roughly every month for a normal user is a good rate. Suspicious users should be blocked and should not have access to the system.

7.2 Phased Approach for Registration

A phased rollout KBA is necessary to help ease the transition for the organization and the users. Spacing out the rollout allows for an important learning period and lessens the impact to customer service.

  • In the first phase, the user is not registered and there is little change to the user experience.

  • In the second phase, the user can choose to register.

  • In the third phase, the user must register an image, a phrase, and challenge questions to be stored in a customer profile.

The most successful phased approach generally includes three phases. The first two phases generally last between one and three months each depending on user population size and composition.

7.2.1 Phase 1 - No Registration

Phase one generally consists of Oracle Adaptive Access Manager risk evaluation. In this phase there is little change to user experience. Users continue to access through the existing methods. The only slight change to user experience is a block. Blocking is recommended in the phase for extremely high-risk situations. With blocking actions applied OAAM Admin can start to prevent fraud from day one. Since only very severe security violations are blocked normal users should not experience issues with them. Phase one can last any length of time desired by the business. Generally organizations stay in phase one for one to three months.

7.2.2 Phase 2 - Optional Registration

Phase two is the gradual introduction of the virtual devices and secondary authentication to the user population. In this phase registration is made available to the population or sub-populations of existing users on an optional basis. This opt-in allows users to register when they have time and feel comfortable. Brand new users should be given the option to register as soon as they are created. This strategy helps to distribute load on support over a period and to add convenience for users.

User Experience

The user is prompted to register for challenge questions after successfully authenticating at sign-on. The user can choose to bypass registration and then proceed into the session.

Staggered Rollout

Breaking up a rollout phase into sub-groups can further ease efforts. In large deployments staggering is advised. Phase two is generally the best time to implement staggering. The most common staggering has the following steps.

  • The user population is broken into groups. Geographic region is the most often used basis for this grouping

  • Staggered start dates are configured for each group.

Enable Optional Registration

To enable optional registration, link the Post-Auth Flow Phase 2 policy to the user group that you want KBA to be enabled for.

7.2.3 Phase 3 - Required Registration

Phase three closes the door on the opt-in registration process. This phase is the transition to normal registration procedure that is used going forward for all users. For this reason phase three has no end. Any existing users that have not registered yet must complete registration before they can access the protected applications.

User Experience

The user is prompted to register for challenge questions after successfully authenticating at sign-on. User proceeds into session after registration is complete.

Enable Required Registration

To enable required registration, link the Post-Auth Flow Phase 3 policy to the user group that you want KBA to be enabled for.

If the user group was linked to "Post-Auth Flow Phase 2" policy earlier, that linkage should be removed.

7.3 Checklist for Enabling Challenge Questions

The following chart presents a checklist for enabling challenge questions.

Task [ ]
Ensure UIO base policies are installed [ ]
Link the appropriate policies to the user group that you want KBA to be enabled for. [ ]
Ensure KBA properties are set [ ]
Upload the challenge questions using OAAM Admin [ ]
Import and enable policies for your security and business needs [ ]
Change the rules within the registration and challenge policies with appropriate actions [ ]
Configure the challenge question answer validation using OAAM Admin [ ]
Configure the Answer Logic using OAAM Admin [ ]

7.4 Ensuring that Base Policies are Installed

If you are using pre-packaged policies, ensure that the base policies are installed. If you are not using pre-packaged policies, use this chapter as a guideline for enabling challenge questions.

Oracle Adaptive Access Manager is shipped with default policies packaged into two ZIP files.

The default policies are available in oaam_init in the MW_HOME/IDM_ORACLE_HOME/oaam/init directory.

If you want to use these policies, import them into your system by following the instructions in Section 9.16.2, "Importing a Policy."

7.5 Ensuring KBA Properties/Default Properties are Set

Ensure the bharosa.kba.active property is set to true.

7.6 Uploading Challenge Questions

The challenge questions must be created in OAAM Admin before the users can be asked to register. The Oracle Adaptive Access Manager package contains the challenge questions, in 27 languages, in ZIP files. Import questions for appropriate locales for your deployment.

For information on importing Challenge Questions, see Section 2.5, "Importing Challenge Questions."

7.7 Importing and Enabling Policies

Import KBA security policies that pertain to your business and security needs and link them to a user group to which you want KBA to be enabled.

For example, if you want the system to be able to challenge a user over the phone through a Customer Service Representative (CSR), you must import and enable the System CC Challenge Policy.


If you have a policy customized, ensure that you do not import that policy again. Doing so breaks the policy that you had customized.

7.8 Configuring Rules for Policies

Change the rules within the policies for your needs.

7.9 Configuring the Challenge Question Answer Validation

Validations are used to validate the answers given by a user at the time of registration. For answers, you can restrict the users to alphanumeric and a few specific special characters by adding a Regex validation.

For information, see Section 6.6, "Setting Up Validations for Answer Registration."

7.10 Configuring the Answer Logic

The Answer Logic settings can be configured for the exactness required for challenge question answers. For example, high risk transactions such as wire transfers may require a high degree of certainty (i.e. exact match) whereas accessing personal, non-sensitive information may require a lower degree of response certainty.

Configure the Answer Logic for answering threshold/tolerance, such as the level of fat fingering, typos, abbreviations, and so on.

For information, see Section 6.9, "Configuring the Answer Logic."