7 Managing Knowledge-Based Authentication

Knowledge-based authentication (KBA) is a method of authentication which is used to challenge the user to prove identity before allowing them to proceed with their requested sign-on, transaction, service, and so on. This chapter introduces you to the concepts behind KBA and provides information about managing tasks that impact challenge questions, validations and levels of logic algorithms used for answers, question categories, and levels of logic algorithms used for registration.

7.1 Introduction and Concepts

This section describes knowledge-based authentication (KBA) key concepts.

7.1.1 Knowledge-Based Authentication

Oracle Adaptive Access Manager provides knowledge-based authentication (KBA) as its standard secondary authentication method. KBA is a secondary authentication method, an extension to the existing authentication method. It is presented after successful primary authentication (for example, a user entering single-factor credentials, such as a user name and password) to improve authentication strength.

KBA provides an infrastructure for

  • Users to select questions and provide answers which are used to challenge them later on

    KBA is used to authenticate an individual based on the user's answers substantiated by a real-time interactive question and answer process.

  • Levels of logic algorithm for registration

    Registration Logic manages the registration of challenge questions and answers.

  • Levels of logic algorithm for answers

    Answer Logic is made up of advanced matching algorithms (fuzzy logic) used by the system to intelligently detect the correct answers in the challenge response process. The algorithms and the level of Answer Logic are factors in evaluating answers.

  • Validations

    Validations are used to validate the answers given by a user at the time of registration.

KBA is used during online authentication of the user, which is automated, or a CSR challenge where the CSR interacts with the user to authenticate him before providing CSR services.

7.1.2 KBA User Flows

The following sections illustrate an example user experience with the KBA framework.

New User Registration

  1. The user is presented with a page in which he is asked to submit his user name.

  2. The user is prompted to enter his password. Since a profile has not been registered, a generic TextPad is displayed. It does not contain an image or phrase, but it does contain a timestamp.

  3. The user fills in the password and clicks the Enter button on the device. OAAM verifies the user's password.

  4. If the user is not registered, he sees a registration information page that describes the registration process.

    He can continue through the registration process or "skip" registration and perform the process at another time.

  5. The next step in the registration process is the selection of an image and phrase. The user may click the link to Get a new image and phrase, which will generate a new image and phrase.

  6. Next, the user is required to select challenge questions from the dropdown lists (menus) provided, and enter the answers to those questions in the authentication device. His selected image and phrase are embedded in the device along with a current timestamp in his local time zone.

  7. After the questions are selected and answers are provided, the user is logged in to the system.

User Logs in from Different Location

The following screens illustrate an example of the user flow when he logs in using a different IP address and he is challenged.

  1. The user is presented with a page in which he is asked to submit his user name.

  2. If the user name is accepted and the user is allowed to proceed, he is presented with a password page which contains his selected image and phrase embedded in the device along with a current timestamp of his local timezone.

  3. The user fills in the password and clicks the Enter button on the device. OAAM verifies the user's password. Since OAAM determined that the session requires an additional challenge/response for authentication because of the user's location, one of the questions he selected at registration is displayed. The Challenge Question Authentication Pad device has the user's image and phrase embedded along with a current timestamp.

  4. The user answers the question correctly and is then logged in to the system.

7.1.3 Registration

During registration, which could be enrollment, opening a new account, or another event such as a reset, the user is asked to select questions and provide answers. The order of the questions presented to a user during the registration phase is randomized using configurable parameters.

Later on, the challenge questions selected at registration or during a reset may be used to challenge the user during high-risk logins, before access to transactions or sensitive information, and so on. Oracle Adaptive Access Manager's Rules Engine and business rules are responsible for determining whether it is appropriate to use challenge questions to authenticate the user.

7.1.4 Challenge Response Process

The KBA solution consists of securing an application using a challenge/response process, where users are challenged with one or more questions to prove their identity before they are allowed to proceed with their requested sign-on, transaction, service, and so on.

7.1.5 Challenge Response Configuration

The challenge/response process is controlled by a combination of properties and rules.

  • Question presented at random or round robin

    Presentation logic (random versus round robin) is configurable through properties. If the deployment supports Oracle Identity Manager integration, the presentation is round robin. The user is expected to answer all the registered questions online.

  • The number of attempts a user is allowed for each question is set by a property.

  • The total number of KBA challenge failures a user is allowed before he is locked out by Oracle Adaptive Access Manager is configured in the rule condition, User: Challenge Channel Failure.

7.1.6 Challenge Questions

The customer can configure a set of questions that are used to authenticate users. The questions are grouped into several categories and the user can select questions from these categories. The standard categories that questions can be grouped into are listed below. The customer can configure questions from these categories.

  • Childhood

  • Sports

  • Your Birth

  • Parents, Grandparents, Siblings

  • Automobile

  • Education

  • Children

  • Your Employment

  • Significant Other

  • Pets

  • Miscellaneous

During registration, users are presented with several question menus. For example, a user may be presented with three question menus. A user must select one question from each menu and enter answers for them during registration. Only one question from each question menu can be registered. These questions become the user's "registered questions."

When rules in OAAM Admin trigger challenge questions, the application displays the challenge questions and accepts the answers in a secure way for users. The questions can be presented in the QuestionPad, TextPad, and other pads, where the challenge question is embedded into the image of the authenticator, or simple HTML. These are configured through properties.

7.1.7 Question Set

KBA offers a large pool of questions, which is the framework for obtaining answers from the user during registration or reset. The Question Set is a fixed set of questions that is allotted to the user. This set is allotted at random and once for the user unless it is reset. It is generated based on the settings configured in the Registration Logic. This Question Set prevents any single user from having access to all the challenge questions. This is to prevent a fraudster from harvesting questions for use in a phishing exercise. A user can receive a new Question Set if a customer service representative resets it for the user.

7.1.8 Registration Logic

Registration Logic manages the registration of challenge questions and answers. During KBA registration each user is presented with a Question Set, a subset of the challenge questions library. The Question Set is generally broken up into several dropdown lists that contain questions to select from. Each dropdown list of questions is called a "menu."

Figure 7-1 Security Questions Registration Dropdown Menus


The number of questions that appear on each menu, the number of categories per menu, and the number of questions that a user must register is configurable. As standard, questions are grouped into categories. The challenge questions in the questions menus do not change unless the question set is changed. The user is required to select one question from each menu and enter answers for them. Only one question from each question menu can be registered.

To configure the Registration Logic, you specify the settings for:

  • The question set generation

    • The number of questions to be registered

    • The number of questions per menu

    • The number of categories per menu

    The Question Set is generated based on the Registration Logic.

  • The validations that are applied to the answers

For information on setting Registration Logic, see Section 7.3.7, "Configuring Registration of Challenge Questions."

How Do the KBA Registration Logic Settings Affect a Customer's Question Set?

Example configurations are presented in the following table.

  Example   Questions/Menu   Categories/Menu   Questions/Category in a Menu
  1         7                4                 2+2+2+1
  2         10               4                 3+3+2+2
  3         10               1                 10

Example 1, shown on line 1 of the table, results in registration menus containing 2 questions from category A, 2 questions from category B, 2 questions from category C, and 1 question from category D. This continues in a round-robin fashion as needed. If any category has an insufficient number of questions, or there is an insufficient number of categories, duplicate questions can result. This scenario does not occur with the standard database of questions and default settings; it only occurs if you significantly reduce the number of questions or categories.

The following is an example of a configuration to avoid:

  • Number of questions user registers: 3

    The number of questions that a user must register. The new user registration should display the same number of question menus as the number of questions that a user must register.

  • Number of questions per menu: 5

    The number of questions that appear on each menu. The new user registration should display the same number of questions in each menu as the number of categories for each menu. The total number of questions from all the menus (the number of questions the user registers multiplied by the questions in each menu) cannot exceed the total number of questions available in the database.

  • Number of categories per menu: 5

    The number of categories per menu. The new user registration should display the same number of categories for each menu as the number of questions in each menu.

The Question Set is the fixed set of questions that is allotted to the user. This set is allotted at random and once for the user. This prevents the user from discovering all the questions. In the example, fifteen or more categories are required, each with at least one question enabled. But if there are fewer than 15 categories and one of these categories has only one question enabled, some Question Sets have that question twice. The algorithm tries to use as many available categories as possible.

For example to generate a Question Set with:

  • 3 menus

  • 5 questions per menu

  • 5 categories per menu

The algorithm tries to pick one question each from 15 categories if 15 categories are available. The minimum number of questions per category should be equal to the number of questions in the Question Set divided by the total number of categories.

Pre-requisite for Configuring Registration Logic for Locales

The deployment administrator must ensure that there are enough questions in the database for each of the supported locales configured in OAAM Admin during deployment; otherwise, the application displays only the English language questions during registration.

The number of locale-specific questions must be equal to or greater than the "Questions User Will Register" multiplied by the "Questions per Menu" multiplied by the "Categories per Menu."
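The following is an added example, not code from Oracle Adaptive Access Manager, that models the Question Set generation described above: the round-robin split of a menu's question slots over its categories (7 over 4 gives 2+2+2+1), the allotment of menus over a shuffled category order, the duplicate questions that result when a category has too few enabled questions, and the two sizing rules (minimum questions per category, and the documented locale minimum of "Questions User Will Register" x "Questions per Menu" x "Categories per Menu"). The question pool is constructed sample data and the allotment order is an assumption; the product's own selection logic is not described on this page.

```python
import random
from typing import Dict, List, Tuple

# Constructed sample pool of enabled questions per category. The category names follow the
# standard categories listed in Section 7.1.6; the question texts are placeholders, not OAAM's.
SAMPLE_POOL: Dict[str, List[str]] = {
    "Childhood": ["Childhood Q1", "Childhood Q2", "Childhood Q3"],
    "Sports": ["Sports Q1", "Sports Q2"],
    "Your Birth": ["Birth Q1", "Birth Q2"],
    "Automobile": ["Automobile Q1", "Automobile Q2"],
    "Education": ["Education Q1", "Education Q2"],
    "Pets": ["Pets Q1"],
}


def questions_per_category(questions_per_menu: int, categories_per_menu: int) -> List[int]:
    """Round-robin split of one menu's question slots over its categories.

    7 questions over 4 categories -> [2, 2, 2, 1]  (Example 1 in the table)
    10 over 4 -> [3, 3, 2, 2], 10 over 1 -> [10].
    """
    base, extra = divmod(questions_per_menu, categories_per_menu)
    return [base + 1 if i < extra else base for i in range(categories_per_menu)]


def min_questions_per_category(menus: int, questions_per_menu: int, total_categories: int) -> int:
    """Questions in the Question Set divided by the number of categories (rounded up), the
    minimum needed so that no category has to repeat a question."""
    return -(-(menus * questions_per_menu) // total_categories)


def locale_question_minimum(registered: int, questions_per_menu: int, categories_per_menu: int) -> int:
    """Documented minimum number of locale-specific questions:
    "Questions User Will Register" x "Questions per Menu" x "Categories per Menu"."""
    return registered * questions_per_menu * categories_per_menu


def generate_question_set(pool: Dict[str, List[str]], menus: int, questions_per_menu: int,
                          categories_per_menu: int, seed: int = 0) -> Tuple[List[List[str]], List[str]]:
    """Allot a Question Set: `menus` menus, each drawing from `categories_per_menu` categories.

    Assumed allotment order: categories are visited round-robin in a shuffled order, so that
    when enough categories exist every category is used once before any is reused. A question
    is repeated only when its category runs out of fresh questions; each such case is returned
    as a warning, which is the "duplicate questions" situation the text warns about.
    """
    if categories_per_menu > len(pool):
        raise ValueError("categories per menu cannot exceed the number of active categories")
    if any(not qs for qs in pool.values()):
        raise ValueError("a category with no enabled questions should itself be disabled")
    rng = random.Random(seed)
    categories = list(pool)
    rng.shuffle(categories)
    cursor = 0
    used: Dict[str, set] = {c: set() for c in pool}
    result: List[List[str]] = []
    warnings: List[str] = []
    for menu_no in range(1, menus + 1):
        menu: List[str] = []
        for want in questions_per_category(questions_per_menu, categories_per_menu):
            cat = categories[cursor % len(categories)]
            cursor += 1
            fresh = [q for q in pool[cat] if q not in used[cat]]
            rng.shuffle(fresh)
            picks = fresh[:want]
            if len(picks) < want:
                # Category exhausted: cycle through its questions again, producing duplicates.
                warnings.append(f"menu {menu_no}: category '{cat}' has too few enabled questions")
                i = 0
                while len(picks) < want:
                    picks.append(pool[cat][i % len(pool[cat])])
                    i += 1
            used[cat].update(picks)
            menu.extend(picks)
        result.append(menu)
    return result, warnings


def has_duplicates(question_set: List[List[str]]) -> bool:
    """True when the same question appears more than once anywhere in the Question Set."""
    flat = [q for menu in question_set for q in menu]
    return len(flat) != len(set(flat))


if __name__ == "__main__":
    # The 3 menus / 5 questions / 5 categories example needs 15 categories; the sample pool
    # has 6, so some categories are revisited and the one-question category repeats.
    qs, warns = generate_question_set(SAMPLE_POOL, menus=3, questions_per_menu=5,
                                      categories_per_menu=5, seed=7)
    for n, menu in enumerate(qs, 1):
        print(f"menu {n}: {menu}")
    print("warnings:", warns)
    print("duplicates:", has_duplicates(qs))
```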

7.1.9 Validations

Validations are used to validate the answers given by a user at the time of registration. For answers, you can restrict users to alphanumeric characters and a few specific special characters by adding a Regex validation. For example, if the question, "What year did you start junior high school," is assigned the Month-Day-Year (MMDDYY) validation, a user registering for this question is not allowed to provide "April 1st 1920" as the answer. Validations can be at the local level, associated with each individual question, or at the global level, applied to all the questions presented to the user.

There are no automated checks to ensure that question-specific validations and global validations do not conflict. Administrators must take care not to configure conflicting validations at the local and global levels. For example, the validation for a question should not be set to numeric-only if alpha-only is set as a global validation.

Question Registration Validation (Local)

Each question can be assigned unique validations to control the answers a user is allowed to register. For example, the business team may want to force users to answer a particular question using a specific date format.

The scope of validations applied to an individual question is local. Local validations are specified during the creation of a question.

Global Registration Validation (Global)

Global validations control the answers a user is allowed to register for all questions. Global validations influence all answer registration. For example, if the "Four-digit year (YYYY)" validation is applied globally then only numeral answers are accepted during KBA registration. This would be a problem if there are questions available to users that would normally have alphanumeric answers.

Global validations are specified during the configuration of Registration Logic.

Global-Local Validation

The scope of validations can be applied to individual questions or a combination of questions.
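The following is an added example, not part of Oracle's product or documentation, showing how global and local registration validations combine and how the local-versus-global conflict that the text says is not checked automatically can be detected before deployment. The validation names echo the ones mentioned above, but the regular expressions and the probe answers are constructed assumptions, not OAAM's built-in validation definitions.

```python
import re
from typing import Dict, List, Optional

# Constructed validation schemes. The names echo those mentioned in the text; the patterns
# are illustrative and are not OAAM's built-in validation definitions.
VALIDATIONS: Dict[str, re.Pattern] = {
    "Alphanumeric plus limited punctuation": re.compile(r"[A-Za-z0-9 .'\-]+"),
    "Month-Day-Year (MMDDYY)": re.compile(r"(0[1-9]|1[0-2])(0[1-9]|[12][0-9]|3[01])[0-9]{2}"),
    "Four-digit year (YYYY)": re.compile(r"[0-9]{4}"),
    "Numeric only": re.compile(r"[0-9]+"),
    "Alpha only": re.compile(r"[A-Za-z ]+"),
}

# One constructed answer that each scheme accepts. It is used to probe whether a local and a
# global validation can both be satisfied; being sample-based, the probe can miss partial
# overlaps, but it catches outright contradictions such as numeric-only versus alpha-only.
PROBES: Dict[str, str] = {
    "Alphanumeric plus limited punctuation": "Lincoln High 1998",
    "Month-Day-Year (MMDDYY)": "040120",
    "Four-digit year (YYYY)": "1998",
    "Numeric only": "42",
    "Alpha only": "Lincoln",
}


def failed_validations(answer: str, local: Optional[str], global_validations: List[str]) -> List[str]:
    """Names of the validations the answer fails. Global validations apply to every question,
    then the question's own local validation; registration is allowed only when this is empty."""
    applied = list(global_validations) + ([local] if local else [])
    return [name for name in applied if not VALIDATIONS[name].fullmatch(answer)]


def find_conflicts(local_by_question: Dict[str, str], global_validations: List[str]) -> Dict[str, str]:
    """Flag questions whose local validation cannot be satisfied together with the global
    validations, the check the text says the product does not automate. Each local scheme's
    probe answer is run through every global scheme; a failure means no answer can pass both."""
    conflicts: Dict[str, str] = {}
    for question, local in local_by_question.items():
        probe = PROBES[local]
        failing = [g for g in global_validations if not VALIDATIONS[g].fullmatch(probe)]
        if failing:
            conflicts[question] = f"local '{local}' cannot coexist with global {failing}"
    return conflicts


if __name__ == "__main__":
    # The example from the text: an MMDDYY-validated question rejects "April 1st 1920".
    print(failed_validations("April 1st 1920", "Month-Day-Year (MMDDYY)", []))
    # A global YYYY validation makes every alphanumeric question unanswerable.
    print(find_conflicts({"What was your first pet's name?": "Alpha only"},
                         ["Four-digit year (YYYY)"]))
```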

7.1.10 Answer Logic

Answer Logic checks whether the answer provided by the user closely matches the one provided during registration.

Answer Logic is made up of advanced matching algorithms used by the system to intelligently detect the correct answers in the challenge response process. The algorithms and the levels of logic are factors in evaluating answers.

Errors can be caused by simple input errors such as fat fingering, extra characters, misspellings, and so on. Common misspellings and abbreviations for example can be accepted if the basic information of the answer is correct.

Answer Logic algorithms are available for both the online challenge and CSR phone challenge processes. Online settings are applied for answers the user provided online using the application. Phone challenge settings are applied for answers provided by users over the phone and entered by the CSR. The online challenge and CSR phone challenge Answer Logic are completely independent of each other. They can be configured separately.

For example, you can set the online challenge logic strength to high and the CSR phone challenge logic strength to low. For the CSR phone challenge logic strength, you may have provided more margin for error, because CSRs are listening to the answers over the phone and entering the answers.
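The following is an added example, not Oracle's Answer Logic implementation, that illustrates the two independently configured channels described above: the same registered answer is judged by a stricter online level and a more lenient phone level. Normalization plus Levenshtein edit distance stands in for the fuzzy matching; the level names and the tolerance thresholds are constructed assumptions, since the page does not describe the product's algorithms.

```python
import re
from typing import Dict


def normalize(answer: str) -> str:
    """Lower-case and drop spaces and punctuation so "Lincoln High" equals "lincoln-high"."""
    return re.sub(r"[^a-z0-9]", "", answer.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character insertions, deletions and
    substitutions (typos, extra or missing characters) needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Constructed tolerance levels: the largest share of the registered answer's characters that
# may differ. "off" demands an exact (normalized) match. These thresholds are illustrative;
# the real Answer Logic levels are not documented on this page.
STRENGTH_TOLERANCE: Dict[str, float] = {"off": 0.0, "high": 0.10, "medium": 0.20, "low": 0.35}


class AnswerLogic:
    """Online challenge and CSR phone challenge logic, configured independently."""

    def __init__(self, online_strength: str = "high", phone_strength: str = "low"):
        self.levels = {"online": online_strength, "phone": phone_strength}
        for level in self.levels.values():
            if level not in STRENGTH_TOLERANCE:
                raise ValueError(f"unknown strength level: {level}")

    def matches(self, channel: str, registered: str, given: str) -> bool:
        """True when the given answer is within the channel's tolerance of the registered one."""
        reg, got = normalize(registered), normalize(given)
        if not reg:
            return False
        allowed = STRENGTH_TOLERANCE[self.levels[channel]] * len(reg)
        return edit_distance(reg, got) <= allowed


if __name__ == "__main__":
    logic = AnswerLogic(online_strength="high", phone_strength="low")
    # A transposed pair of letters fails the strict online level but passes over the phone.
    print(logic.matches("online", "Lincoln", "Linclon"), logic.matches("phone", "Lincoln", "Linclon"))
```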

7.1.11 Failure Counters

Failure counters are used to lock out fraudsters so that they are unable to obtain the answers/questions.

KBA uses two failure counters. They are:

  • the Online Counter

  • the Phone Counter

The maximum numbers of failures for online challenges and phone challenges are configurable. The phone counter maximum is "per question."

For the following example, assume:

  • Max online = 3

  • Max phone (per question) = 3

If the user is answering challenge questions online, and if the user is given three attempts to provide a correct answer, a total of three attempts is allowed. Each failure increments the Online Counter. The user is locked out of the session after three attempts. The online only challenge is designed to limit the exposure of questions to fraudsters.

If the user is answering challenge questions over the phone, and if the user is given three attempts at answering each question, a total of nine attempts is allowed. Each failure increments the Phone Counter. The user is locked out of the session after nine attempts.

For the next challenge, the next question is displayed. A success for an online or a phone challenge automatically resets all counters to zero.

7.1.12 KBA Resets

Authenticator uses questions as additional credentials to help prevent fraud. A customer service representative (CSR) can reset these questions for the user when necessary. The CSR can reset KBA-related items for a user.

The Reset action resets all challenge failure counters:

  • Reset KBA: The customer must re-register KBA; KBA and OTP counters are reset to zero

  • CSR KBA reset: The customer must re-register KBA; KBA and OTP counters are reset to zero

  • Reset OTP: The customer must re-register OTP; KBA and OTP counters are reset to zero

7.1.12.1 Reset Challenge Questions

The CSR resets a user's challenge questions. The system deletes the existing questions and answers and generates a new question set for the user to register from. Registration of challenge questions is required at the next log in to the website.

7.1.12.2 Reset Challenge Questions and the Set of Questions to Choose From

The CSR resets the user's challenge question set (challenge questions and the set of questions to register from). Registration of challenge questions is required at the next log in to the website.

7.1.12.3 Increment User to the Next Question

The CSR resets the user's next question so the system advances the user to the next challenge question in the list of registered questions. So if the user is currently being asked question A, question B or C is now asked. A different challenge question is presented at the next log in to the website.

7.1.12.4 Unlock a User

The CSR unlocks a user who has been locked out of the system because of failed challenge questions. Unlocking the user resets the user's failure counter.

The Unlock action unlocks the user account for both KBA and OTP:

  • Unlock KBA: KBA and OTP counters are reset to zero

  • Unlock OTP: KBA and OTP counters are reset to zero.

7.1.12.5 Ask Question (KBA Phone Challenge)

The CSR uses the user's challenge questions for phone authentication and enters the user's response. If the user answers the question correctly, the question failure counter and increment question counter are reset. The system automatically takes appropriate action depending on the status, such as unlocking the user. Information about phone and online failures is provided in Section 7.1.11, "Failure Counters." High-level flows for the Ask Question action are presented in Chapter 4, "Managing and Supporting CSR Cases." The matrix in Section 7.1.11, "Failure Counters" contains detailed examples for individual flows.
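The following is an added example, not Oracle's implementation, that models the Online and Phone failure counters from Section 7.1.11 (max online = 3, max phone = 3 per question, so 9 phone attempts for three registered questions, success resetting all counters) together with the CSR Unlock and Increment User to the Next Question actions from Section 7.1.12. One assumption is made explicit in the code: once a question's phone attempts are used up, the CSR moves on to the next registered question, which the text implies with "per question" but does not state.

```python
from typing import List


class KbaFailureCounters:
    """Constructed model of the KBA Online and Phone failure counters and CSR actions."""

    def __init__(self, registered_questions: List[str], max_online: int = 3,
                 max_phone_per_question: int = 3):
        if not registered_questions:
            raise ValueError("a user must have registered questions before being challenged")
        self.questions = list(registered_questions)
        self.max_online = max_online
        self.max_phone_per_question = max_phone_per_question
        self.online_counter = 0
        self.phone_counter = 0           # total phone failures across questions
        self.phone_failures_current = 0  # failures on the question currently asked
        self.next_index = 0              # position in the list of registered questions
        self.locked = False

    @property
    def max_phone_total(self) -> int:
        """Per-question maximum applied to every registered question: 3 x 3 = 9."""
        return self.max_phone_per_question * len(self.questions)

    def current_question(self) -> str:
        return self.questions[self.next_index % len(self.questions)]

    def _advance(self) -> None:
        # Next challenge shows the next registered question.
        self.next_index += 1
        self.phone_failures_current = 0

    def _success(self) -> str:
        # A success on either channel resets all counters to zero.
        self.online_counter = 0
        self.phone_counter = 0
        self._advance()
        return "success"

    def answer_online(self, correct: bool) -> str:
        """Online challenge: max_online failures in total lock the session."""
        if self.locked:
            return "locked"
        if correct:
            return self._success()
        self.online_counter += 1
        if self.online_counter >= self.max_online:
            self.locked = True
            return "locked"
        return "retry"

    def answer_phone(self, correct: bool) -> str:
        """CSR phone challenge: max_phone_per_question failures per question; lockout once the
        total reaches max_phone_per_question x number of registered questions. Assumption: after
        a question's attempts are used up the CSR is moved to the next registered question."""
        if self.locked:
            return "locked"
        if correct:
            return self._success()
        self.phone_counter += 1
        self.phone_failures_current += 1
        if self.phone_counter >= self.max_phone_total:
            self.locked = True
            return "locked"
        if self.phone_failures_current >= self.max_phone_per_question:
            self._advance()
            return "next question"
        return "retry"

    def unlock(self) -> None:
        """CSR Unlock action: clears the lock and resets the failure counters to zero."""
        self.locked = False
        self.online_counter = 0
        self.phone_counter = 0
        self.phone_failures_current = 0

    def increment_question(self) -> None:
        """CSR Increment User to the Next Question action."""
        self._advance()


def simulate(channel: str, outcomes: List[bool]) -> List[str]:
    """Run a sequence of answers (True = correct) on one channel for a user with three
    registered questions and the default maximums; returns the result of each attempt."""
    counters = KbaFailureCounters(["Question A", "Question B", "Question C"])
    answer = counters.answer_online if channel == "online" else counters.answer_phone
    return [answer(ok) for ok in outcomes]


if __name__ == "__main__":
    print("online:", simulate("online", [False, False, False]))
    print("phone: ", simulate("phone", [False] * 9))
```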

7.1.13 Disable Question and Category Logic

This section describes the logic to handle disabled questions and categories.

Disabling Logic

The disabling logic is as follows for KBA:

  • If you disable the last remaining question in a category, the category is automatically disabled as well.

  • The number of active categories must be equal to or greater than the maximum number of categories in the question menu. An error message results when you try to disable a category and this requirement is not met.

Consequences

Table 7-1 summarizes the disable results.

Table 7-1 Disable Results in Question and Category Logic

Disable: Question

  • New customers: The disabled question is not used to generate new users' question sets.

  • Users with the question in their question set: At re-registration or when a user changes his preference, the disabled question is replaced with another question from the same category.

  • Users with the question registered: The disabled question continues to be active. If the user is re-registering or changing user preference, the disabled question is replaced with another question from the same category.

Disable: Category

  • New customers: The disabled category is not used to generate new users' question sets.

  • Users with questions from the category in their question set: At re-registration or when a user changes his preference, all questions in the disabled category are replaced with questions from a new category that has not been used to generate the current question set.

  • Users with a question from the category registered: Questions from the disabled category continue to be active. If the user is re-registering or changing user preference, all questions in the disabled category are replaced with questions from a new category that has not been used to generate the current question set.


7.1.14 Locked Status

Locked is the status that OAAM Admin sets if the user fails the maximum number of challenges. A user is locked out of the session after the failure counter reaches the maximum number of failures. After the user is locked out, a Customer Service Representative must reset the status to Unlocked before the account can be used to enter the system.

7.2 Accessing Configurations in KBA Administration

This section describes how to navigate to KBA administration tasks in the OAAM Administration Console. You can navigate to KBA tasks through the Navigation tree. The KBA Infrastructure provides you with access to all questions, validations, categories, registration and Answer Logic, and other elements.

These are the subnodes under KBA, which provide access to the configurations in the KBA infrastructure:

  • Questions: For managing the tasks that impact challenge questions, such as creating new questions; activating, disabling, and editing questions; and importing questions that belong to a category not currently in the system.

    Double-click Questions to open the Questions Search page.

  • Validations: For managing the validation for the answers given by a user at the time of registration, such as creating validations based on the available validation schemes in the system, editing existing validations, and importing and exporting validations.

    Double-click Validations to open the Validations Search and Edit page.

  • Categories: For managing the question categories in the system.

    Double-click Categories to open the Categories Search page.

  • Registration Logic: For managing the level of logic algorithm used for the registration for challenge questions and answers.

    Double-click Registration Logic to open the Registration Logic configuration page.

  • Answer Logic: For managing the level of logic algorithm used for answer validation.

    Double-click Answer Logic to open the Answer Logic configuration page.

For alternative methods to open search pages, refer to Section 3.5, "Using Search, Create, and Import." Validation Search and Edit, Registration Logic and Answer Logic pages can be opened in the same manner as the search pages.

Note that you cannot open the KBA node.

7.3 Setting Up KBA

Table 7-2 lists the tasks required to set up KBA with OAAM.

Table 7-2 Setting Up KBA

  1. Set KBA properties. For information, refer to Section 7.3.1, "Setting KBA Properties."

  2. Import the OAAM snapshot. For information, refer to Section 7.3.2, "Importing the OAAM Snapshot."

  3. Link policies to user groups. For information, refer to Section 7.3.3, "Linking Policies to User Groups."

  4. Configure registration and challenge actions. For information, refer to Section 7.3.4, "Configuring Registration and Challenge Actions."

  5. Create new categories if the standard categories do not meet your needs. For information, refer to Section 7.3.5, "Creating New Categories."

  6. Create new questions if the standard questions do not meet your needs. For information, refer to Section 7.3.6, "Creating New Questions."

  7. Configure registration of challenge questions. For information, refer to Section 7.3.7, "Configuring Registration of Challenge Questions."

  8. Configure restriction of characters entered for answers. For information, refer to Section 7.3.8, "Configuring Question Answers Validation."

  9. Configure Answer Logic. For information, refer to Section 7.3.9, "Configuring Answer Logic."


7.3.1 Setting KBA Properties

KBA properties for enabling KBA, controlling the listing of questions, and randomizing questions are listed in this section.

7.3.1.1 Enabling KBA

Ensure that the bharosa.kba.active property is set to true. See Chapter 25, "Using the Properties Editor" for information on modifying properties.

7.3.1.2 Controlling the Listing of Questions

You can control the listing of questions in the OAAM server. These are the default properties and their values:

challenge.question.registration.groups.minimum.questions.per.category.count=1
challenge.question.registration.groups.categories.count=5
challenge.question.registration.groups.questions.count=5
challenge.question.registration.groups.count=3
challenge.question.registration.groups.maxlimit=5

7.3.1.3 Randomizing KBA Questions

Set the oaam.kba.questions.randomorder property to true to present KBA questions in random order instead of sequentially. Randomization is performed online only (OAAM Server), and applies when the oaam.kba.questions.randomorder property is missing or set to true. For the CSR Get Challenge Question flow, question access is always sequential.

7.3.2 Importing the OAAM Snapshot

A full snapshot of policies, dependent components and configurations is shipped with Oracle Adaptive Access Manager. The snapshot is in the oaam_base_snapshot.zip file and located in the MW_HOME/IDM_ORACLE_HOME/oaam/init directory.

The challenge questions must be present in Oracle Adaptive Access Manager before the users can be asked to register. Challenge questions are included in the OAAM snapshot. For information on importing the snapshot which contains the questions, see Section 2.6, "Importing the OAAM Snapshot."

If you need to use challenge questions in languages other than English, import the appropriate oaam_kba_questions_locale.zip files from the MW_HOME/IDM_ORACLE_HOME/oaam/kba_questions directory. The locale identifier in the file name (locale) specifies the language version.

7.3.3 Linking Policies to User Groups

Link policies that pertain to your business and security needs to a user group to which you want KBA to be enabled. For information on importing policies, see Chapter 11, "Managing Policies, Rules, and Conditions."

7.3.4 Configuring Registration and Challenge Actions

Configure appropriate actions for the rules in the policy. For information on configuring rules, see Chapter 11, "Managing Policies, Rules, and Conditions."

7.3.5 Creating New Categories

If the standard categories that questions can be grouped under do not meet your needs, create categories that can hold relevant questions you plan to create.

To create a category

  1. Open the Categories Search page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

  2. From the Categories Search page, click the New Category button or the New icon.

    Alternative methods to open create pages are listed in Section 3.5, "Using Search, Create, and Import."

    The New Category page appears where you can enter details to create a category.

  3. Type the new category in the Category field.

  4. Enter a description.

  5. Click Apply.

    The Category Details page appears for the newly created category.

7.3.6 Creating New Questions

If the standard challenge questions do not meet your needs, create questions that are applicable to the users accessing your application.

To create a question

  1. In the Navigation tree, double-click Questions under KBA. The Questions Search page is displayed.

  2. From the Questions Search page, click the New Questions button.

    The New Questions page appears where you can enter details to create a question.

    Alternative methods to open create pages are listed in Section 3.5, "Using Search, Create, and Import."

    When the New Question page first appears, the default value for the question status is Active.

    Question, Category, Status, and Locale are required fields.

  3. Pick a locale from the list of locales available.

    By default, the Locale menu displays English and 26 other default locale languages.

  4. Type the new question in the Question field.

    The question names must be unique across categories.

  5. From the Category list, select the category of question you want.

    By default, there is no data in the Category list. You must import the challenge questions ZIP files (oaam_kba_questions_locale.zip) for data to appear in the Category menu. You can also create a new category.

  6. In the Locale list, select the language you want.

    By default, the Locale menu displays English and 26 other default locale languages.

  7. Each question can be assigned unique validations to control the answers a user is allowed to register. To assign a local validation, select the validation type from the Registration Validation list.

    The local validations you select in this step control the answers a user is allowed to register for this particular question. It does not control the registration of answers for all questions.

    For information on the difference between global and local validations, refer to Section 7.3.8, "Configuring Question Answers Validation."

  8. In the Answer Logic Hints list, select the type of Answer Logic Hint you want.

    A hint can be added to questions individually to affect the Answer Logic used to evaluate given answers. This is performed to better tune the logic for the type of question. This is especially important for date related questions.

    These hints help the Answer Logic function more successfully on some questions, for example, on date related questions. If a question has the date answer hint applied then the abbreviations, phonetics and fat fingering Answer Logic runs first, and then special date format logic is applied.

  9. Click Apply. A confirmation dialog appears telling you that the question was created successfully.

  10. Click OK to dismiss the dialog.

    The Question Detail page appears for the newly created question.

    After the question has been created, you can edit details.

Note:

The deployment administrator must ensure that there are enough questions in the database for each of the supported locales configured in OAAM Admin during deployment; otherwise, OAAM Server displays only the English language questions during registration.

The number of locale-specific questions must be equal to or greater than the "Questions User Will Register" multiplied by the "Questions per Menu" multiplied by the "Categories per Menu."

7.3.7 Configuring Registration of Challenge Questions

The number of questions that appear on each menu, the number of categories per menu, and the number of questions that a user must register is configurable. The user is required to select one question from each menu and enter answers for them. Only one question from each question menu can be registered.

To configure the registration for challenge questions and answers:

  1. In the Navigation tree, double-click Registration Logic under KBA. The Registration Logic page is displayed.

  2. To enter or change the values for the question set generation, you can specify the following settings.

    • Number of questions that a customer must register

    • Number of questions that appear on each menu

    • Number of categories per menu

      The categories per menu cannot be more than the number of categories available in the system.

    Note:

    Enter realistic numbers. For example, the number of questions that a user must register should be between 3 and 7.

  3. Click Apply.

    A confirmation dialog is displayed with the message, "Registration Logic details updated successfully."

  4. Click OK.
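The Note at the end of the previous section gives the minimum number of questions each locale needs, and the three values entered above determine it. The following Python is an added example written for this guide, not part of OAAM: the question records, locale codes, and category names are constructed, and it assumes that only Active questions count, since disabled questions are not used to generate new Question Sets (see Section 7.4.8).

```python
# Added example (not OAAM code): sanity-check Registration Logic settings and the
# per-locale question inventory before deployment.
# Rule from the Note: locale questions >= questions to register
#                     x questions per menu x categories per menu.
# Assumption: only Active questions count, because disabled questions are not
# used to generate new Question Sets. The sample data below is constructed.

def minimum_questions(questions_to_register, questions_per_menu, categories_per_menu):
    """Minimum number of questions a locale needs to fill the registration menus."""
    return questions_to_register * questions_per_menu * categories_per_menu


def settings_problems(questions_to_register, questions_per_menu, categories_per_menu,
                      categories_available):
    """Problems with the Registration Logic values themselves."""
    problems = []
    if min(questions_to_register, questions_per_menu, categories_per_menu) < 1:
        problems.append("all three Registration Logic values must be at least 1")
    if categories_per_menu > categories_available:
        problems.append("categories per menu exceeds the categories available in the system")
    if not 3 <= questions_to_register <= 7:
        problems.append("questions to register is outside the realistic range of 3 to 7")
    return problems


def locales_falling_back(questions, supported_locales, questions_to_register,
                         questions_per_menu, categories_per_menu):
    """Return {locale: (active_questions, needed)} for every supported locale with
    too few active questions; OAAM Server would show only the English questions
    to users of those locales."""
    needed = minimum_questions(questions_to_register, questions_per_menu, categories_per_menu)
    active = {locale: 0 for locale in supported_locales}
    for locale, _category, status in questions:
        if status == "Active" and locale in active:
            active[locale] += 1
    return {loc: (count, needed) for loc, count in active.items() if count < needed}


# Constructed inventory: (locale, category, status), as the Questions Search page lists them.
CATEGORIES = ["Education", "Pets", "Sports", "Your Birth", "Children", "Miscellaneous"]
SAMPLE_QUESTIONS = (
    [("en", CATEGORIES[i % 6], "Active") for i in range(30)]
    + [("fi", CATEGORIES[i % 6], "Active") for i in range(24)]
    + [("fi", "Pets", "Disabled") for _ in range(4)]      # excluded from the count
    + [("cs", CATEGORIES[i % 6], "Active") for i in range(20)]
)
SUPPORTED_LOCALES = ("en", "fi", "cs")
```

With 4 questions to register, 3 questions per menu and 2 categories per menu, every locale needs 24 active questions: cs falls back to English, and fi passes only because its 4 disabled questions are excluded. Raising questions to register to 5 pulls fi below the line as well.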

7.3.8 Configuring Question Answers Validation

Global validations control the answers a user is allowed to register for every question; they influence all answer registration. For example, if the "Four-digit year (YYYY)" validation is applied globally, only four-digit numeric answers are accepted during KBA registration, which is a problem if any question available to users normally has an alphanumeric answer. A validation that should apply to a single question belongs in that question's Registration Validations instead (see Section 7.4.4, "Editing a Question").

Global validations are specified during the configuration of Registration Logic.

To add global validations (validations you want to apply to all questions):

  1. In the Navigation tree, double-click Registration Logic under KBA. The Registration Logic page is displayed.

  2. Click the Add button on the results header.

    The Add Global Validation dialog appears.

    Figure 7-2 Add Global Validation


  3. In the Add Global Validation dialog, search for the global validations you want to add.

  4. Select the row corresponding to the validation you want to add.

    You cannot select more than one validation to add at a time.

  5. Click Add.

    The selected validation is added.

7.3.9 Configuring Answer Logic

Answer Logic, a feature of KBA, increases the usability of security questions. Administrators can adjust how exactly the challenge answers given by end users must match the answers they gave at the time of registration. An answer that is fundamentally correct but differs by minor variations such as typos, misspellings, and abbreviations should pass. The increased usability of KBA reduces or eliminates unnecessary call center involvement in moderate-risk situations and self-service flows.

Answer Logic (fuzzy logic) algorithms can be configured on the Answer Logic page. The algorithms are divided into three categories: Common Abbreviations, Fat Fingering (accidentally pressing the nearest neighbor on the keyboard), and Phonetics. The algorithms are available for both the online challenge and phone challenge processes.

The following algorithms are available and can be configured for your requirements:

  • Phonetics

  • Missing character(s)

  • Extra character(s)

  • Common misspellings

  • Common abbreviations

  • Common acronyms

  • Keyboard fat fingering

  • Common nicknames

  • Regional spelling differences

  • Date Format

The Answer Logic algorithms can be enabled or disabled and the intensity or strength of some algorithms (the level of Answer Logic used to evaluate answers given for challenge questions) can also be configured. For example, high risk transactions such as wire transfers may require a high degree of certainty (i.e. exact match) whereas accessing personal, non-sensitive information may require a lower degree of response certainty.

As standard, Answer Logic is only functional for English. Abbreviations can be globalized but creation of locale specific text equivalency files is required. For information, refer to Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager.

Example of How It Works

Question: Who was your favorite teacher in high school?

Registered answer: Mrs. Smith

Given answer: Misses Smuth

Logic level: If set to High, the answer is accepted.

Table 7-3 Answer Logic Algorithm Example

  Algorithm: Abbreviations
  Description: Handles common abbreviations, common nicknames, common acronyms, and date format. Looks up allowed matches in a file.
  Reason: If the file contains Mrs=Misses, the match can be made in either direction.

  Algorithm: Phonetics
  Description: Handles answers that "sound like" the registered answer, regional spelling differences, and common misspellings.
  Reason: Smiith sounds like Smith.

  Algorithm: Keyboard fat fingering
  Description: Handles answers with typos due to the proximity of keys on a standard keyboard.
  Reason: "u" is directly to the left of "i", so it is allowed.


7.3.9.1 Common Response Errors

This section highlights the most common response errors and shows how Answer Logic algorithms are used for the system to intelligently detect the correct answers in the challenge response process. Examples of abbreviations, phonetics, and keyboard fat fingering are also provided.

7.3.9.1.1 Abbreviations

Common abbreviations, common nicknames, common acronyms, and date format are handled by this algorithm.

Common Abbreviations

This algorithm treats the words in the following pairs as equivalent. OAAM Admin has a predefined list of word pairs that covers common abbreviations, common nicknames, and common acronyms.

  • Street - St.

  • Drive - Dr.

  • California - CA

The list can be customized by creating a new abbreviation file, custom_auth_abbreviation_config.properties. For information, refer to the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager.

Common Nicknames

Oracle has a predefined list of the most common nicknames that is used in the challenge response process.

  • Timothy - Tim

  • Matthew - Matt

Date Format

The questions that require date as the answer specify the format in which the user should enter the answer. The format is either YYYY or MMDD, but not both. However, from experience, users still use other formats during the challenge response process. The abbreviation logic for date format sees the following as the same:

  • 0713

  • 713

  • July 13th

  • July 13

  • July 13, 1970

7.3.9.1.2 Phonetics

Answers that "sound like" the registered answer, regional spelling differences, and common misspellings are handled by this algorithm. The phonetics algorithm is only supported in English.

Common Misspellings

Oracle's Phonetic Answer Logic algorithm accounts for misspellings.

  • ph - f

  • Correct word: elephant - Spelling mistake: elefant

7.3.9.1.3 Keyboard Fat Fingering

Oracle's Fat Fingering algorithm accounts for typos caused by the proximity of keys on a standard keyboard and for transposed letters.

The number of fat-fingered characters allowed depends on the length of the original word and the level set. The algorithm returns a percentage score based on the characters that match exactly, and the intensity determines the minimum score required for the given answer to match the registered answer.

Note:

The fat fingering algorithm is only supported in English.

Common Typos

  • Switching "w" and "e"

  • Switching "u" and "i"

  • Switching "t" and "r"

Examples of Fat Fingering

  • Correct word: signature - Fat finger: signatire

7.3.9.2 Level of Answer Logic

The level of Answer Logic, the intensity or strength of algorithms, used to evaluate answers given for challenge questions is adjustable. You can enable or disable each algorithm and you can also specify the following levels for the algorithms used:

  • Off – No Answer Logic is used; answers must exactly match those previously registered by the user.

  • Low – Less Answer Logic; answers provided by the user must be a match or near-match to the answers that were provided at the time of registration

  • Medium – More Answer Logic; the user is given some leeway for the answers that are provided. For example, St. might be accepted for Street.

  • High – Highest level of Answer Logic; the matching constraints are the least strict.

Each algorithm generates a score that represents how close the given answer is to the registered answer. OAAM Admin can be configured to accept different threshold score ranges for each algorithm individually. Separate threshold values for each algorithm (low/medium/high) are set in a properties file. The default thresholds are described as follows.

7.3.9.2.1 Abbreviation

For abbreviation:

  • Return values: 0 or 100 (no-match OR match)

  • Levels: ON or OFF

  • Logic

    • If an abbreviation entry exists linking the given strings, score is 100

    • Else score is 0

7.3.9.2.2 Fat Fingering

For fat fingering:

  • Return values: range 0 to 100

  • Levels: OFF, LOW (90+), MEDIUM (75+), HIGH (60+)

  • Logic

    • If the string lengths do not match, score is 0

    • If a position does not have the expected character or its neighbor, score is 0

    • Else compute the number of positions that have the neighboring characters.

    • Score = (StringLength – NeighborPositionCount) * 100 /StringLength

7.3.9.2.3 Phonetics

For phonetics:

  • Return values: 0, 60, 75, 90

  • Levels: OFF, LOW (90), MEDIUM (75), HIGH (60)

  • Logic

    • Compute primary and alternate phonetic keys for the given strings, using the Double Metaphone algorithm

    • If the primary keys of both strings match, the match quality is HIGH and the score is 90 (accepted at any level other than OFF)

    • Else if the primary key of one string matches the alternate key of the other, the match quality is MEDIUM and the score is 75 (accepted at MEDIUM or HIGH)

    • Else if the alternate keys of both strings match, the match quality is LOW and the score is 60 (accepted only at HIGH)

    • Else the score is 0

7.3.9.2.4 Multiple Word Answers

Answers that contain multiple words are treated in a specific way by the Answer Logic. If the final score from a complete string match does not meet the "success" criteria, individual words in the answer are evaluated. If each individual word in an answer is accepted by any of the algorithms the whole answer is accepted.

Multiple word answers with missing/extra words must be an exact match to the registered answer. Answers must have the same number of words as the registered answer to be evaluated with Answer Logic. For example: If the registered answer is "Mead Elementary School" and the answer given at the time of challenge is "Mesd Elem Sch":

Abbreviation: Mead–Mesd=0; Elementary-Elem=100; School-Sch=100
Fat-finger: Mead-Mesd=75; Elementary-Elem=0; School-Sch=0
Phonetics: Mead-Mesd=0; Elementary-Elem=0; School-Sch=0

Assuming that abbreviation was set to anything besides off and fat fingering was set to medium or high, since all three words would be accepted individually, the whole answer would be accepted.
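The scoring rules in Section 7.3.9.2, the worked example of Table 7-3, and the multiple-word rule above can be exercised together. The Python below is an added example written for this guide, not OAAM code: the abbreviation entries are a constructed stand-in for the abbreviation properties file, the keyboard neighbour map assumes a US QWERTY layout, and Soundex replaces the Double Metaphone keys the product uses (so only the 90-or-0 phonetic outcome occurs). Score values and thresholds follow Section 7.3.9.2.

```python
# Added example, not OAAM code: a stand-alone model of the Answer Logic scoring
# in Sections 7.3.9.2 and 7.3.9.2.4. The abbreviation entries, the QWERTY
# neighbour map and the Soundex stand-in for Double Metaphone are assumptions.
import re

def _norm(word: str) -> str:
    return word.lower().rstrip(".")      # assumption: "St." and "St" are the same token

# Constructed stand-in for the abbreviation file (Mrs=Misses entries, either direction).
ABBREVIATIONS = {frozenset(map(_norm, pair)) for pair in (
    ("Street", "St."), ("Drive", "Dr."), ("California", "CA"), ("Mrs", "Misses"),
    ("Timothy", "Tim"), ("Matthew", "Matt"), ("Elementary", "Elem"), ("School", "Sch"))}

def abbreviation_score(registered: str, given: str) -> int:
    """Section 7.3.9.2.1: 100 if an entry links the two strings, else 0."""
    return 100 if frozenset((_norm(registered), _norm(given))) in ABBREVIATIONS else 0

# Keyboard neighbours (assumption: US QWERTY letters; each key of a lower row
# sits under two keys of the row above).
_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

def _build_neighbours() -> dict:
    nb = {c: set() for row in _ROWS for c in row}
    for row in _ROWS:
        for left, right in zip(row, row[1:]):
            nb[left].add(right); nb[right].add(left)
    for upper, lower in zip(_ROWS, _ROWS[1:]):
        for j, c in enumerate(lower):
            for k in (j, j + 1):
                if k < len(upper):
                    nb[c].add(upper[k]); nb[upper[k]].add(c)
    return nb

KEY_NEIGHBOURS = _build_neighbours()

def fat_finger_score(registered: str, given: str) -> int:
    """Section 7.3.9.2.2: 0 unless lengths match and every differing position
    holds a neighbouring key; otherwise (length - neighbours) * 100 / length."""
    a, b = registered.lower(), given.lower()
    if not a or len(a) != len(b):
        return 0
    neighbours = 0
    for x, y in zip(a, b):
        if x != y:
            if y not in KEY_NEIGHBOURS.get(x, ()):
                return 0
            neighbours += 1
    return (len(a) - neighbours) * 100 // len(a)     # integer division, as in Java

# Phonetics: the product compares Double Metaphone primary/alternate keys. Soundex
# stands in here; it has a single key per word, so only the 90-or-0 outcome occurs.
_SOUNDEX = {**dict.fromkeys("bfpv", "1"), **dict.fromkeys("cgjkqsxz", "2"),
            **dict.fromkeys("dt", "3"), "l": "4", **dict.fromkeys("mn", "5"), "r": "6"}

def soundex(word: str) -> str:
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return ""
    key, last = w[0].upper(), _SOUNDEX.get(w[0], "")
    for ch in w[1:]:
        code = _SOUNDEX.get(ch, "")
        if code and code != last:
            key += code
        if ch not in "hw":                  # h and w do not separate equal codes
            last = code
    return (key + "000")[:4]

def phonetic_score(registered: str, given: str) -> int:
    ka = " ".join(soundex(w) for w in registered.split())
    kb = " ".join(soundex(w) for w in given.split())
    return 90 if ka and ka == kb else 0

THRESHOLDS = {"OFF": None, "LOW": 90, "MEDIUM": 75, "HIGH": 60}   # minimum score accepted

def _passes(score: int, level: str) -> bool:
    return THRESHOLDS[level] is not None and score >= THRESHOLDS[level]

def _accepted(registered, given, abbreviations_on, fat_level, phon_level) -> bool:
    if registered.lower() == given.lower():         # exact match passes even at OFF
        return True
    return ((abbreviations_on and abbreviation_score(registered, given) == 100)
            or _passes(fat_finger_score(registered, given), fat_level)
            or _passes(phonetic_score(registered, given), phon_level))

def answer_accepted(registered: str, given: str, abbreviations_on=True,
                    fat_level="MEDIUM", phon_level="MEDIUM") -> bool:
    """Section 7.3.9.2.4: try the whole string; if that fails and the word counts
    match, accept when every word passes by at least one algorithm."""
    registered, given = registered.strip(), given.strip()
    if _accepted(registered, given, abbreviations_on, fat_level, phon_level):
        return True
    reg_words, giv_words = registered.split(), given.split()
    if len(reg_words) != len(giv_words):
        return False
    return all(_accepted(r, g, abbreviations_on, fat_level, phon_level)
               for r, g in zip(reg_words, giv_words))
```

With the document's inputs, "Mead" against "Mesd" scores 75 for fat fingering and 0 for the other two algorithms, so "Mesd Elem Sch" passes only when fat fingering is at Medium or High. "Misses Smuth" against "Mrs. Smith" passes at High (and Medium) through the abbreviation entry and an 80 fat-fingering score, but fails at Low, and an answer with a missing word is rejected unless it matches exactly.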

7.3.9.3 Configuring Answer Validation

The KBA Answer Logic tab includes controls for the level of each Answer Logic algorithm used for answer validation. The higher the level the less exact answers need to be for acceptance.

To configure Answer Logic:

  1. In the Navigation tree, double-click Answer Logic under KBA.

    You can specify different settings for Online Challenge and CSR Phone Challenge.

  2. To change the level of Answer Logic used for keyboard fat fingering and phonetics, select Off, Low, Medium, or High: the lower the setting the higher degree of exactness required.

    For information on logic levels, see Section 7.3.9.2, "Level of Answer Logic."

  3. Click OK.

7.4 Managing Challenge Questions

The KBA functionality enables you to manage challenge questions.

This section describes the tasks you can perform for challenge questions: searching for questions, viewing question details and statistics, creating a question like another, and editing, importing, exporting, deleting, disabling, and activating questions.

7.4.1 Searching for a Challenge Question

Use the Questions Search page to view a list of all challenge questions and search for a question based on various criteria. The Questions Search page provides access to the Questions Details page for any question. When the Questions Search page first appears, the Search Results table is displayed with default filter values.

To search for a question:

  1. Open the Questions Search page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

    An example Questions Search page is shown in Figure 7-4.

    Figure 7-4 Questions Search Page


    The Questions Search page displays a Search section and a Search Results table that shows a summary of the questions that match your search criteria.

  2. Specify criteria in the Search Filter to locate the questions and click Search.

    The search filter criteria are described in Table 7-4.

    If you want to reset the search parameters to the default setting, use the Reset button.

    Table 7-4 Question Search Criteria

    Question Keyword: A keyword in the question text.

    Status: The status of the question: Active or Disabled.

    Category: The category to which the question belongs. For example: education, pets, sports, and so on.

    Locale: The language the question is in. For example: English, Finnish, Czech, and so on.

    Validations: Validations applied to the question. For example: Four-digit year (YYYY), Month Day (MMDD), and so on.

    Answer Logic Hints: A hint added to an individual question to affect the Answer Logic used to evaluate its answers. For example: Date Answer Hint.

    Create Date: A timeframe within which the question was created.

    Update Time: A timeframe within which the question was modified.


The Search Results table displays a summary of questions that match the criteria specified. By default, questions are sorted on Question Name, but you can sort questions on Update Time, Create Date, Status, Question, and Category.

For additional details in the summary of questions, add columns by clicking View and then Columns from the toolbar above the Search Results table.

In the Search Results table, click the question link to view more details. The Question Details page appears.

Commands available from the Action menu are: Create Like, New Question, Open Selected, Open Category, Delete Selected, Deactivate Selected, Select All, Deselect All, Export Selected, and Export Delete Script.

Table 7-5 Question Action menu commands

Create Like: Creates a new question that is similar, or "like", an existing question.

New Question: Creates a new question. By default, the question is enabled on creation. You can create a question for any locale.

Open Selected: Opens the selected question in the Question Details page.

Open Category: Opens the category of the selected question.

Delete Selected: Deletes the selected questions. Deleted questions are not available for new registrations, but users currently registered for these questions can continue to use them.

Deactivate Selected: Disables the selected questions.

Select All: Selects all the questions in the results.

Deselect All: Deselects all the questions.

Export Selected: Exports the selected questions as .XML files.

Export Delete Script: Exports a delete script for the selected questions. Importing the script later deletes those questions if they are present in the system.


7.4.2 Viewing Question Details and Statistics

The Question Details page provides information such as:

  • Question Sets with Question

  • Users Registered for Question

  • Percentage of Users Registered For Question

  • Percentage of Successful Challenges

  • Percentage of Unsuccessful Challenges

  • Question ID

  • Last Updated Date

To view question statistics:

  1. Open the Questions Search page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

  2. From the Questions Search page, click the question of interest in the Search Results table.

    The Question Detail page appears with the statistics.

7.4.3 Creating a Question Like Another Question

To create a question that is similar to an existing question:

  1. Open the Questions Search page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

  2. From the Questions Search page, select the row corresponding to the question of interest.

  3. Click the Create Like icon.

    The Create Like dialog appears with pre-populated data from the original question. Pre-populated fields are Category, Locale, Status, Answer Logic Hints, and Registration Validations. Question, Category, Status and Locale are required fields. The Create Like icon is disabled if multiple rows are selected.

    You can create a question for any locale.

  4. Type the new question in the Question field.

  5. Edit any of the other fields if you want.

  6. Click OK.

    The Question Detail page appears for the newly created question.

    If you click Cancel, the Questions Search page appears.

7.4.4 Editing a Question

The Question Details page enables you to activate/disable questions and edit the question, question category, locale, and registration and answer validation. Read-only question statistics are available in the Question Statistics section. If you edit a question, users using that question receive the updated question.

To edit a question

  1. Open the Questions Search page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

  2. In the Questions Search page, search for the questions you are interested in.

  3. Click the hyperlinked question you want to edit.

    The Question Details page appears.

  4. Make the changes you want.

    You cannot edit the Question ID or last updated time.

  5. Click Apply to save the changes or Revert to discard them.

    If you click Revert, the edited details are reverted to the initial state.

7.4.5 Importing Questions

To import questions:

  1. Open the Questions Search page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

  2. In the Questions Search page, click Import Questions or select Import Selected from the Actions menu.

  3. In the Import Questions dialog, type the path and name of the file; or use the Browse (...) button to locate the ZIP file that contains the questions, and then select the file.

  4. Click Open and then click Import.

    If you import questions that belong to a category not currently in the system, the category is also imported. If you import a question with the same ID number as an existing question, the existing question is overwritten.

    A confirmation dialog displays the status of the operation and a list of questions that were imported into the system.

  5. Click Done.

7.4.6 Exporting Questions

Multiple questions can be selected and exported.

To export questions:

  1. Open the Questions Search page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

  2. In the Questions Search page, search for the questions you are interested in.

  3. Select the rows corresponding to the questions of interest.

  4. Select the Export icon.

  5. In the Export dialog, click the Export button.

    The selected questions are exported.

7.4.7 Deleting a Question

To delete a question, follow these instructions.

  1. Open the Questions Search page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

  2. In the Questions Search page, search for the questions you are interested in.

  3. Select the rows corresponding to the questions of interest and click Delete or select Delete Selected from the Actions menu.

    The Delete button and Delete Selected menu item are enabled only if a question is selected.

    A Confirm Delete dialog is displayed with a list of questions and question IDs.

  4. Click Delete to delete the questions.

    Deleted questions are not available for new registrations but users currently registered for these questions can continue to use them.

    A confirmation dialog is displayed.

  5. In the confirmation dialog, click OK.

An error is displayed when you try to delete a question that is in use by a registered user.

When you delete multiple questions and some of them are in use by registered users, the system skips those questions, deletes the rest, and displays a message listing the questions that were not deleted. Deleted questions are not available for new registrations, but users currently registered for these questions can continue to use them.

7.4.8 Disabling a Question

To disable a question

  1. Open the Questions Search page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

  2. In the Questions Search page, search for the question you want to disable.

  3. Select the rows corresponding to the questions you want to disable.

  4. Press the Deactivate button or select Deactivate from the Actions menu.

    The selected questions are disabled.

Alternatively, you can disable a question by clicking the hyperlinked question on the Questions Search page, and then selecting Disable in the Status field on the Questions Details page.

The following scenarios occur when a question is disabled:

  • The disabled question cannot be used to generate a new user's Question Set.

  • The disabled question remains active for users who have already registered it. When such a user re-registers, resets, or changes user preferences, the disabled question is replaced with another question from the same category.

7.4.9 Activating Questions

To activate questions:

  1. Open the Questions Search page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

  2. In the Questions Search page, search for the questions you are interested in.

  3. Select the rows corresponding to the questions you want to activate.

  4. Press the Activate button or select Activate from the Actions menu.

    The selected questions are activated.

7.4.10 Deleting or Deactivating Challenge Questions (Migration)

If you are migrating to 11.1.2.0.0 and you have been using the KBA questions from previous releases, then you must delete or deactivate the questions listed in this section if they are active.

Children Category

Delete or deactivate the following questions:

  • What year was your oldest child born?

  • What year did your oldest child start school?

  • What year did your youngest child start school?

  • What is your eldest child's middle name?

  • What is the first name of your youngest child?

  • What year was your youngest child born?

  • What is the first name of your oldest child?

  • What is your youngest child's birthday?

  • What is your youngest child's middle name?

  • What is your oldest child's birthday?

Education Category

Delete or deactivate the following questions:

  • What year did you graduate from high school?

  • What year did you graduate from junior high school?

  • What city was your high school in?

  • What were your college colors?

  • What year did you graduate from grade school?

  • What was the mascot of your college?

  • What were your high school colors?

  • What was the mascot of your high school?

  • What is the name of a college you applied to but did not attend?

  • In what city was your first elementary school?

  • What year did you start high school?

  • What year did you start junior high school?

  • What year did you start grade school?

  • What year did you graduate from college?

  • What year did you start college?

  • What was your major in college?

  • What was the first school you ever attended?

  • What city was your college in?

Miscellaneous Category

Delete or deactivate the following questions:

  • What is the first name of your closest childhood friend?

  • What is your height?

Parents, Grandparents, Siblings Category

Delete or deactivate the following questions:

  • What year was your father born?

  • What is your father's birthday?

  • What is your oldest sibling's nickname?

  • In which city was your father born?

  • In which city was your mother born?

  • What is your parent's current street address number?

  • What is your parent's current street name?

  • What is your youngest sibling's nickname?

  • What is your parent's current ZIP code?

  • What year was your mother born?

  • What are the last 4 digits of your parent's phone number?

  • What is your maternal grandmother's first name?

  • What is your paternal grandmother's first name?

  • What is the first name of your youngest sibling?

  • What is your paternal grandfather's first name?

  • What is your mother's birthday?

  • What is the first name of your eldest sibling?

Significant Other Category

Delete or deactivate the following questions:

  • Where did you go on your honeymoon?

  • What year did you get married?

  • What year was your significant other born?

  • What is your significant other's birthday?

  • What date is your wedding anniversary?

  • In what city did you meet your spouse for the first time?

  • What city was your significant other born in?

  • What is the first name of your significant other's mother?

  • What is the first name of your significant other's father?

  • What is the last name of your significant other's eldest sibling?

  • What is the first name of your significant other's youngest sibling?

  • What high school did your significant other attend?

  • What was the last name of your best man or maid of honor?

  • What was the first name of your best man or maid of honor?

  • Name of the place where your wedding reception was held.

  • What is your spouse's nickname?

  • What state was your significant other born in?

  • What is the last name of your significant other's youngest sibling?

Sports Category

Delete or deactivate the following questions:

  • What is the mascot of your favorite sports team?

  • What are the colors of your favorite sports team?

  • What team is the biggest rival of your favorite sports team?

  • What is your all time favorite sports team?

Your Birth Category

Delete or deactivate the following questions:

  • What is the ZIP code where you grew up?

  • Who was the US President when you were born?

  • How old was your father when you were born?

  • How old was your mother when you were born?

  • What is the name of the hospital you were born in?

  • What is the ZIP code of your birthplace?

  • What is the holiday closest to your birthday?

  • What state were you born in?

  • What city were you born in?

7.5 Managing Validations in the System for Answer Registration

You can manage and define validations that are used on answers given by users at the time of registration.

This section provides instructions to manage global validations that can be used to control the answers a user is allowed to register for all questions. For information on the difference between global and local validations, refer to Section 7.3.8, "Configuring Question Answers Validation."

7.5.1 Using the Validations Page

The Validations page lists the validations defined in the system and enables you to add, import, export, and delete them.

Open the Validations page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

An example Validations page is shown in Figure 7-5.

Figure 7-5 Validations Page


By default, validations are sorted on Validation Name, but you can sort validations on Updated.

Table 7-6, "Validation Action menu commands" lists the commands that are available through the Action menu. You can select one or more validations and perform actions on them.

Table 7-6 Validation Action menu commands

Add: Adds a new validation.

Import: Imports validations.

Export: Exports validations.

Delete: Deletes validations.


7.5.2 Adding a New Validation

You can add a new validation to the system when needed. Validations are defined for use during challenge questions registration.

To add a validation:

  1. Open the Validations page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

  2. From the Validations page, click the New Validation button.

    The Add a New Validation page appears where you can enter details to create a validation.

    Alternatively, you can open the Add a New Validation page by:

    • Selecting the Add Validation button from the Search Results toolbar.

    • Selecting New Validation from the Actions menu in Search Results.

  3. In the Validation Type list, select the validation scheme you want to add.

    You might, for example, select the validation type Maximum Length. This validation scheme restricts the maximum allowed length of an answer.

    The parameters of the validation appear in the Validation Parameters Details area of the Validations page.

    Note:

    The fields displayed on the page depend on the validation type selected.

  4. In the Name field, enter the name you want for this instance of the validation scheme.

    When you create a validation from available validation schemes in the system, you are adding an instance of validation. You can then customize that instance.

  5. Specify a validation parameter that corresponds to your validation type.

    For example, validation parameter can be 30 for an instance of Maximum Length validation. This validation instance restricts the user from entering an answer longer than 30 characters in length.

    Table 7-7 shows the available validation parameters.

    Table 7-7 Validation Parameters

    Inappropriate Language
      Field label: Enter Inappropriate Words
      Parameter: A comma-separated list of words that are not allowed in the answer. The list must not contain blank spaces.
      Example: Sloppy,Wrong,Yucky

    Regex
      Field label: Enter Regex Pattern
      Parameter: Regular expression pattern for the answer. For example, the pattern can be "[A-Za-z0-9]+" for alphanumeric validation. If the answer entered by the user does not match the configured pattern, the validation fails and the configured error message is displayed.
      Example: [0-9]+

    Date
      Field label: Enter Date Notation
      Parameter: Date/time pattern string for the answer. For example, the pattern can be "MMddyy" for month-day-year validation. If the date/time answer entered by the user does not match the configured pattern, the validation fails and the configured error message is displayed.
      Example: MMddyy

    Minimum Length
      Field label: Enter Minimum Length
      Parameter: Minimum length (number of characters) of the answer. If the answer entered by the user is shorter than the configured value, the validation fails and the configured error message is displayed.
      Example: 3

    Maximum Length
      Field label: Enter Maximum Length
      Parameter: Maximum allowed length (number of characters) of the answer. If the answer entered by the user is longer than the configured value, the validation fails and the configured error message is displayed.
      Example: 3

    Repeated Character
      Field label: Enter Number of Repeating Characters
      Parameter: Allowed number of repeated characters in the answer. If the answer entered by the user repeats characters more than the configured value, the validation fails and the configured error message is displayed.
      Example: 3

    Repeated Answers
      Field label: Enter Number of Repeating Answers
      Parameter: Allowed number of times the same answer may be registered; a value of 1 enforces unique answers. If the answer entered by the user is repeated more than the configured number of times, the validation fails and the configured error message is displayed.
      Example: 1

    Character
      Field label: Enter Disallowed Characters
      Parameter: Characters that are not allowed in the answer.
      Example: *


  6. Click Add.

    OAAM Admin adds this validation instance to the list of validations in the System.
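The validation types in Table 7-7 can be modelled to see how global validations and a question's own Registration Validations combine, including the problem Section 7.3.8 describes when a date validation is applied globally. The Python below is an added example written for this guide, not OAAM code: the Validation class, the SimpleDateFormat-to-strptime mapping, the error messages, the "longest run" reading of Repeated Character, and the sample instances are all constructed for the example.

```python
# Added example, not OAAM code: registration-answer validation modelled on the
# validation types of Table 7-7 and combined as Section 7.3.8 describes (global
# validations apply to every question, a question's Registration Validations
# only to that question). The Validation class, the strptime mapping, the
# messages and the sample instances are constructed for this example.
import re
from datetime import datetime

# Assumption: the Date parameter is a Java SimpleDateFormat-style pattern, as the
# "MMddyy" example suggests; only the letters used in this chapter are mapped.
_JAVA_TO_STRPTIME = (("yyyy", "%Y"), ("yy", "%y"), ("MM", "%m"), ("dd", "%d"))

def java_date_pattern(pattern: str) -> str:
    for java, py in _JAVA_TO_STRPTIME:
        pattern = pattern.replace(java, py)
    return pattern

class Validation:
    """One validation instance: a scheme (type), its parameter and its error message."""
    def __init__(self, vtype: str, parameter: str, message: str):
        self.vtype, self.parameter, self.message = vtype, parameter, message

    def check(self, answer: str, other_answers=()) -> bool:
        t, p = self.vtype, self.parameter
        if t == "Inappropriate Language":            # comma-separated words, no blanks
            banned = {w.lower() for w in p.split(",")}
            return not banned & set(re.findall(r"[\w']+", answer.lower()))
        if t == "Regex":
            return re.fullmatch(p, answer) is not None
        if t == "Date":
            try:
                datetime.strptime(answer, java_date_pattern(p))
                return True
            except ValueError:
                return False
        if t == "Minimum Length":
            return len(answer) >= int(p)
        if t == "Maximum Length":
            return len(answer) <= int(p)
        if t == "Repeated Character":                # assumption: longest run of one character
            longest = max((len(m.group(0)) for m in re.finditer(r"(.)\1*", answer)), default=0)
            return longest <= int(p)
        if t == "Repeated Answers":                  # times the same answer may be registered
            repeats = sum(1 for a in other_answers if a.casefold() == answer.casefold())
            return repeats + 1 <= int(p)
        if t == "Character":
            return not any(c in p for c in answer)
        raise ValueError(f"unknown validation type: {t}")

def validate_registration(answer, global_validations, question_validations, other_answers=()):
    """Messages of every failed validation; an empty list means the answer is accepted."""
    return [v.message for v in (*global_validations, *question_validations)
            if not v.check(answer, other_answers)]

# Constructed validation instances, as Section 7.5.2 would create them.
YEAR = Validation("Date", "yyyy", "Enter a four-digit year (YYYY)")
MONTH_DAY = Validation("Date", "MMdd", "Enter the month and day as MMDD")
MIN_LEN_3 = Validation("Minimum Length", "3", "Answer must be at least 3 characters")
MAX_LEN_30 = Validation("Maximum Length", "30", "Answer must be at most 30 characters")
NO_BAD_WORDS = Validation("Inappropriate Language", "Sloppy,Wrong,Yucky",
                          "Answer contains an inappropriate word")
NO_STAR = Validation("Character", "*", "Answer must not contain *")
UNIQUE = Validation("Repeated Answers", "1", "Each answer may be registered only once")
RUN_OF_3 = Validation("Repeated Character", "3", "Too many repeated characters")
ALNUM = Validation("Regex", "[A-Za-z0-9]+", "Answer must be alphanumeric")

GLOBAL_OK = [MIN_LEN_3, MAX_LEN_30, NO_BAD_WORDS, NO_STAR, UNIQUE, RUN_OF_3]
GLOBAL_WITH_YEAR = GLOBAL_OK + [YEAR]     # the misconfiguration Section 7.3.8 warns about
```

Registering "Mrs. Smith" passes the global set until the Four-digit year validation is added globally, after which it is rejected for every question. The same validation attached only to a year question accepts "1970" and rejects "70", which also trips the minimum length check.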

7.5.3 Editing an Existing Validation

To edit an existing validation

  1. Open the Validations page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

  2. From the Validations page, select the hyperlinked configured validation you want to edit.

  3. In the Validation Parameter Details section, make the necessary changes. See Table 7-7, "Validation Parameters".

    You can edit strings, numbers, and characters in the validation parameters field.

  4. Click Save.

    OAAM Admin updates this validation instance in the system.

7.5.4 Importing Validations

You can add a global validation to the global validation list on the Registration Logic page by importing a global validation into the system. It is added automatically to the global validation list without any notification.

7.5.5 Exporting Validations

To export validations:

  1. Open the Validations page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

  2. In the Validations page, search for the validations you are interested in.

  3. Select the rows corresponding to the validations you want to export.

  4. Select Export Selected from the Actions menu.

  5. When the Export dialog appears, select Save File, and then Save.

    The file is exported and saved as a ZIP file.

7.5.6 Deleting Validations

To delete validations:

  1. Open the Validations page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

  2. In the Validations page, search for the validations you want to delete.

  3. Select the rows corresponding to the validations of interest and click Delete.

    A dialog appears asking you if you want to delete the validation.

  4. Click Delete to confirm.

    A dialog appears with the message that the validation was deleted successfully.

  5. Click OK to dismiss the dialog.

7.6 Managing Categories

You can perform the following task for categories:

7.6.1 Searching for a Category

On the Categories Search page you can view a list of all categories and search for a category based on various criteria. The Categories Search page provides access to the Category Details page for any category.

When the Categories Search page first appears, the Search Results table displays results from the default search values.

To search for a category:

  1. Open the Categories Search page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

    The Categories Search page displays a Search section and a Search Results table that shows a summary of the categories that match your search criteria.

  2. Specify criteria in the Search Filter to locate the specific question category and click Search.

    The search filter criteria are described in Table 7-4.

    If you want to reset the search parameters to the default setting, use the Reset button.

    Table 7-8 Question Search Criteria

    Field Description

    Category

    The category name. For example: education, pets, sports and so on.

    Status

    The status of the category.

    Create Date

    A timeframe within which the category was created or modified.

    Update Time

    A timeframe within which the category was updated.


The Search Results table displays a summary of categories that match the criteria specified.

In the Search Results table, click the hyperlinked category you are interested in to view more details. The Category Details page appears.

7.6.2 Editing a Category

The Category Details page enables you to change the status, name, and description of an existing category.

To edit a category

  1. Open the Categories Search page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

  2. In the Categories Search page, search for the category you are interested in.

  3. Click the hyperlinked category you want to edit.

    The Category Details page appears.

  4. Make the changes you want.

    Category name edits do not affect the questions already registered or new registrations.

  5. Click Apply to save the changes or Revert to discard them.

    If you click Revert, the edited details revert to the initial state.

    If questions that belonged to a category are moved to the new category, the user would be presented with the same questions.

7.6.3 Deleting Categories

To delete a category, follow these instructions.

  1. Open the Categories Search page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

  2. In the Categories Search page, search for the categories you want to delete.

  3. Select the rows corresponding to the categories you want and click Delete.

    A dialog is displayed asking if you want to delete the categories.

  4. Click Delete to confirm.

    A dialog is displayed with a message that the categories were deleted successfully.

  5. Click OK to dismiss the dialog.

You can delete a category if it is not referenced by questions. If the category is referenced by a question, an error message appears.

7.6.4 Activating Categories

To activate categories:

  1. Open the Categories Search page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

  2. In the Categories Search page, search for the categories you want to activate.

  3. Select the row for each category you want to activate.

  4. Press the Activate button.

    A dialog is displayed with a message that the category was activated successfully.

  5. Click OK to dismiss the dialog.

7.6.5 Deactivating Categories

A deactivated category is not used to generate new question sets.

For users who already have questions from the deactivated category registered, those questions remain active. When such a user re-registers or changes user preferences, all questions from the deactivated category are replaced with questions from a category that has not been used to generate the current question set.

To deactivate categories:

  1. Open the Categories Search page, as described in Section 7.2, "Accessing Configurations in KBA Administration."

  2. In the Categories Search page, search for the categories you are interested in.

  3. Select the row for each category you want to deactivate.

  4. Press the Deactivate button.

    A dialog is displayed with a message that the category was deactivated successfully.

  5. Click OK to dismiss the dialog.

7.7 Deleting Global Validations In Registration Logic

To delete global validations (validations you do not want to apply to all questions):

  1. In the Navigation tree, double-click Registration Logic under KBA. The Registration Logic page is displayed.

  2. Select the rows corresponding to the validations you want to delete and then click the Delete button on the results header.

    A dialog appears asking if you want to delete the validation.

  3. Click Delete to dismiss the dialog.

    A confirmation dialog appears.

  4. Click OK to dismiss the dialog.

7.8 Customizing English Abbreviations and Equivalences for Answer Logic

Oracle Adaptive Access Manager supports the concept of "fuzzy logic." Answer Logic checks whether the answer provided by the user closely matches the one provided during registration. Answer Logic, in part, relies on pre-configured sets of word equivalents, commonly known as abbreviations.

Although there are several thousand English abbreviations and equivalences in the English version of Oracle Adaptive Access Manager, customers can perform customizations per their business requirements. For example, the customer might want the following to be considered a match.

Registered Answer               Given Answer
nineteen hundred ninety nine    1999

The standard English abbreviations and equivalences are in a file named, bharosa_auth_abbreviation_config.properties. Changes cannot be made to this file.

To customize abbreviations, a new file must be created with a new set of abbreviations. This file takes precedence over the original file and all abbreviations in the original file are ignored.

To customize abbreviations:

  1. Create a new abbreviation file, custom_auth_abbreviation_config.properties, and save it in the IDM_ORACLE_HOME/oaam/conf directory.

    If the conf folder does not exist, create one.

  2. Add abbreviations and equivalences to custom_auth_abbreviation_config.properties.

    There are two different formats to use:

    Word=equivalent1
    Word=equivalent2
    

    or

    Word=equivalent1,equivalent2, equivalent3
    

    For example, in English, some equivalences for James are:

    Jim=James,\Jamie,\Jimmy
    

    With the addition of the equivalences, if a user were to enter a response as Jim, but had originally entered James, Jim would be accepted. Another example is that St may be equivalent to Street.

    Note:

    Retrieval of abbreviation values is not based on the browser language; values are retrieved from the properties files.

  3. Add the file to the OAAM Extensions Shared Library (WEB-INF/classes).

  4. Using the Properties Editor, change the property, bharosa.authenticator.AbbreviationFileName, to point to the complete path to the file, WEB-INF/classes/custom_auth_abbreviation_config.properties in the extensions folder.

    The default value for the property bharosa.authenticator.AbbreviationFileName is bharosa_auth_abbreviation_config.properties. Create the bharosa.authenticator.AbbreviationFileName property if it does not already exist.

    Restarting the system is not necessary for the change to take effect.

  5. Configure the Answer Logic.

If you want to revert to the original standard abbreviations, set bharosa.authenticator.AbbreviationFileName back to bharosa_auth_abbreviation_config.properties.
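The two line formats and the replace-not-merge rule above are easy to get wrong when hand-editing the custom file. The following is an added example, written for this chapter and not OAAM's own Answer Logic or file loader: it parses an equivalence file in either format, applies the rule that a configured custom file replaces the standard file entirely, and decides whether a given answer is equivalent to a registered answer through the table. The sample file contents, the function names and the handling of the backslash before a separator (as in the chapter's "James,\Jamie" line) are assumptions made here; answers are compared case-insensitively with extra white space removed, as Section 7.10.4 recommends.

```python
from collections import defaultdict

# Constructed sample in the two formats the chapter describes. A real
# deployment would read custom_auth_abbreviation_config.properties instead.
CUSTOM_ABBREVIATIONS = """
# one equivalent per line
St=Street
St=Saint
# comma-separated list (spaces around the commas are tolerated)
Jim=James, Jamie, Jimmy
nineteen hundred ninety nine=1999
"""


def parse_equivalences(text):
    """Return {word: set(equivalents)} from properties-style text.

    Both 'Word=equivalent' (repeated for several equivalents) and
    'Word=e1,e2,e3' are accepted. Keys and values are lower-cased, and a
    backslash in front of a separator is dropped (assumption for lines such
    as the chapter's 'Jim=James,\\Jamie,\\Jimmy').
    """
    table = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        for item in value.split(","):
            item = item.replace("\\", "").strip().lower()
            if item:
                table[key].add(item)
    return table


def active_equivalences(standard_text, custom_text=None):
    """The custom file, when configured, takes precedence and the standard
    file's abbreviations are ignored (Section 7.8); nothing is merged."""
    return parse_equivalences(custom_text if custom_text is not None else standard_text)


def _normalise(answer):
    """Answers are not case-sensitive and extra white space is removed."""
    return " ".join(answer.lower().split())


def answers_equivalent(registered, given, table):
    """True if 'given' equals 'registered' directly, through a key-to-value
    lookup in either direction, or because both are listed under one key."""
    reg, giv = _normalise(registered), _normalise(given)
    if reg == giv:
        return True
    if giv in table.get(reg, ()) or reg in table.get(giv, ()):
        return True
    return any(reg in eqs and giv in eqs for eqs in table.values())
```

Because the custom file replaces the standard one, a deployment that adds a handful of business-specific equivalences must copy every standard abbreviation it still relies on into the custom file; active_equivalences makes that rule explicit rather than silently merging.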

7.9 KBA Scenarios

This section describes example scenarios for KBA.

7.9.1 Create Challenge Question Scenario

You have been asked to develop some new challenge questions to augment the existing standard questions. Come up with a new question. Directions: Part A: Export the existing challenge questions as a backup. Part B: Create the new question in any category you like in English.

  1. Log in to the OAAM Administration Console as an administrator.

  2. In the Navigation tree, double-click Questions under KBA. The Questions Search page is displayed.

  3. In the Questions Search page, click the column header on the Search Results table to select all the rows.

  4. Select Export Selected from the Actions menu.

  5. In the Export dialog, select Save File and click OK.

  6. Browse for the location to save the ZIP file and click Save.

  7. After backing up the questions, search for the question that you are interested in.

  8. If the question does not exist, click New Question. The New Question page is displayed.

    Question, Category, Status, and Locale are required fields.

    When the New Question page first appears, the default value for the question status is Active.

  9. In the Question field, type in the question.

  10. In the Category field, select a category.

  11. Select English as the locale.

  12. Select the registration validation.

  13. Select Answer Logic hints.

  14. Click Apply. A confirmation dialog appears telling you that the question was created successfully.

  15. Click OK to dismiss the dialog.

    The Question Details page appears with information about the question and the question statistics.

  16. After the question has been created, you can edit details.

7.9.2 Setting Up KBA Registration Logic Scenario

The security team has determined that it only wants to have challenge questions about sports and pets. Part A: You must log in to the OAAM Administration Console and delete all the questions for all categories except Sports and Pets. Before doing this you should export all the challenge questions as a backup in case you want to revert. Part B: The security team has also decided that each user should register four questions and that each registration menu should contain questions from at least four categories. Configure this in the OAAM Administration Console.

To configure KBA Registration Logic:

  1. Log in to the OAAM Administration Console as an administrator.

  2. In the Navigation tree, double-click Questions under KBA. The Questions Search page is displayed.

  3. Select all the questions in the Search Results table to export all the challenge questions as a backup in case you want to revert.

    Clicking the # in the column header selects all rows in the Search Results table.

  4. Select Export Selected from the Actions menu.

  5. In the Export dialog, select Save File and click OK.

  6. Browse for the location to save the ZIP file and click Save.

  7. After the export, in the Search Results table of the Questions Search page, sort questions by Category.

  8. Select the questions that are not in the Sports or Pets category, and click Delete.

  9. In the Navigation tree, double-click Registration Logic under KBA. The Registration Logic page is displayed.

  10. In Categories per Menu, enter 4.

  11. In Questions per Menu, enter 4.

  12. In Questions User will Register, enter 4.

  13. Click Apply.

7.9.3 CSR Authenticating a User by KBA Phone Challenge Scenario

CSRs can authenticate a user by asking challenge questions over the phone. KBA Phone Challenge can be used for any registered user.

  1. When a user calls, the CSR sees the user's status (for example, Block, Locked, and so on) and the date/time of the last login attempt.

  2. CSR requests a question with the Ask Question action and is presented with a challenge question and the field to enter the user's response.

  3. The challenge question presented is not the same question the user has failed online if the user is currently locked out.

  4. The next question in the user's registered questions is presented to the CSR.

  5. The user has a limited number of over the phone attempts at each question. See Section 7.1.11, "Failure Counters" for details and examples.

  6. Error messages are displayed to notify the CSR.

  7. This process continues until the user runs out of questions and attempts or the user has answered a question correctly.

7.9.4 KBA Question Edits

Jeff is a Security Admin and needs to import and edit KBA questions in English and Spanish and add a new English question.

To do so:

  1. Import KBA questions in multiple languages.

    See Section 2.6, "Importing the OAAM Snapshot."

  2. Edit the questions.

    See Section 7.4.4, "Editing a Question."

  3. Add a new question.

    See Section 7.3.6, "Creating New Questions."

7.9.5 KBA Answer Logic Edits

Jeff, a Security Admin, needs to set the KBA answer logic so sloppy users are impacted by typing errors less often.

  1. Set fat fingering answer logic to high.

    See Section 7.3.9.2, "Level of Answer Logic."

  2. Test against specifications.

7.10 KBA Guidelines and Recommended Requirements

These recommendations provide guidelines for implementing KBA authentication. They provide guidance to institutions for configuring and implementing custom enrollment and challenge procedures within the guidelines of best practices.

7.10.1 How Often to Challenge Users

KBA is a form of secondary authentication where during authentication, the user is prompted by challenge questions and must provide previously registered answers.

Since KBA is a secondary authentication method it should only be presented after successful primary authentication. KBA challenge is necessary in medium to high risk situations. Challenging users too often and without significant risk degrades the user experience and possibly the security. The goal is to challenge users often enough so they can successfully recall their answers but not so often that they view it as a hindrance. As well, displaying the questions excessively increases the slim possibility of exposure to fraudsters through over-the-shoulder or some other attack. In general, a challenge roughly every month for a normal user is a good rate. Suspicious users should be blocked and should not have access to the system.

7.10.2 Designing Challenge Questions

Guidelines for designing challenge questions are listed below:

  • Question should not require answers that are personally identifiable information. For example, do not ask for Social Security Number, and other identifiers.

  • Questions should not require answers that can easily be discovered via public sources such as the internet. For example, what college did you graduate from?

  • Questions should not have answers that change over time. For example, what is your girlfriend's name?

  • Questions should not have answers that are easy to guess. For example, what is your favorite weekday?

  • Questions should not be specific to any one religion, culture or sub-culture. For example, who is your favorite apostle? Which Smurf do you most closely identify with? What race would you prefer to be in the Star Wars Galaxy?

7.10.3 Tips for Managing Questions

Applying Validations

Many validations may be applied locally or globally. You must be careful not to apply globally any validation that you do not want to influence all answer registration. For example, if the "Four-digit year (YYYY)" validation is applied globally, only numeric answers are accepted during KBA registration. This is a problem if there are questions available to users that normally have alphanumeric answers.

Deleting Questions and Categories

You can create, edit, and delete questions and categories. Take care when deleting categories and questions: an insufficient number of questions and categories can weaken the security of the solution and cause usability issues. For example, if the Categories per Menu Registration Logic setting is larger than the total number of categories in the system, duplicate questions may be listed. This is confusing to users and should be avoided.

Questions per Menu Setting

The Questions per menu setting should be between 4 and 7. This range provides a good mix of questions in a question set but does not expose too many questions to any single user.

Question User will Register Setting

The Questions user will register setting should be between 3 and 7. This provides enough questions to offer good security but does not overburden a user's memory. The basic industry standard for KBA is 3 registered questions.

The maximum and minimum limits are configurable through the following properties.

bharosa.config.type.kba_config.enum.regQuestionsCount.validation.minValue=3 
bharosa.config.type.kba_config.enum.regQuestionsCount.validation.maxValue=7

Challenge Questions Configuration

It is recommended that you completely configure all of the challenge questions, including locale, before making the question available to users.

Challenge Question Disabling

If you disable a challenge question, users who previously had that question continue to have the question even after it is disabled. However, users that are registering for the first time or re-registering are not presented with the disabled question.

7.10.4 Answer Input Recommended Requirements

Recommended requirements for answers are listed below:

  • Answers must be at least 4 characters.

  • No more than 2 answers can be the same during registration.

  • Answers cannot have more than 2 repeating characters.

  • Special characters are not allowed.

  • Answers are not case-sensitive.

  • Extra white spaces are removed.

  • Fuzzy logic implemented - degree configurable by client.

7.10.5 Other KBA Recommended Requirements

Other tips for challenge questions are:

  • A unique question set should be generated for each user.

  • The user should register 3-5 questions, i.e., 15 total questions to select from, 3 dropdown lists of 5 questions each.

  • There should be a maximum of 2 questions from the same category.

  • There should be a maximum opt-out, i.e., 3 opt-out attempts before forcing registration.

  • When challenged, the same question is to be presented until the user responds correctly or the question is reset by a customer service agent.
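The Registration Logic values from the Section 7.9.2 scenario (Categories per Menu, Questions per Menu, Questions User will Register), the Categories per Menu warning in Section 7.10.3, and the per-category and question-set sizes recommended above can be checked against the question inventory before the settings are applied. The following is an added example written for this chapter; the consistency check, the warning strings and the menu-building rule are a simplified model and not OAAM's question-set algorithm. The inventory is constructed: two categories, Sports and Pets, as in the scenario, with six questions each. Run with that inventory, the check flags a Categories per Menu value of 4, and the menu builder shows the duplicate questions that result.

```python
# Recommended ranges from Sections 7.10.3 and 7.10.5 and the two
# regQuestionsCount.validation properties quoted in the chapter.
QUESTIONS_PER_MENU_RANGE = (4, 7)
REG_QUESTIONS_RANGE = (3, 7)
MAX_PER_CATEGORY = 2   # "a maximum of 2 questions from the same category"

# Constructed inventory: {category: [active questions]}
INVENTORY = {
    "Sports": [f"Sports question {i}" for i in range(1, 7)],
    "Pets": [f"Pets question {i}" for i in range(1, 7)],
}


def check_registration_logic(categories_per_menu, questions_per_menu,
                             questions_user_registers, inventory):
    """Return warnings for settings the chapter's guidance flags; an empty
    list means the settings are consistent with the inventory."""
    warnings = []
    active = {c: q for c, q in inventory.items() if q}
    if categories_per_menu > len(active):
        warnings.append(
            f"Categories per Menu ({categories_per_menu}) exceeds the "
            f"{len(active)} active categories: duplicate questions may be listed")
    lo, hi = QUESTIONS_PER_MENU_RANGE
    if not lo <= questions_per_menu <= hi:
        warnings.append(
            f"Questions per Menu ({questions_per_menu}) is outside the recommended {lo}-{hi}")
    lo, hi = REG_QUESTIONS_RANGE
    if not lo <= questions_user_registers <= hi:
        warnings.append(
            f"Questions User will Register ({questions_user_registers}) is outside {lo}-{hi}")
    if questions_per_menu > categories_per_menu * MAX_PER_CATEGORY:
        warnings.append(
            f"{questions_per_menu} questions per menu cannot be filled with at most "
            f"{MAX_PER_CATEGORY} per category from {categories_per_menu} categories")
    needed = questions_user_registers * questions_per_menu
    total = sum(len(q) for q in active.values())
    if needed > total:
        warnings.append(
            f"{questions_user_registers} menus of {questions_per_menu} need {needed} "
            f"distinct questions but only {total} are active")
    return warnings


def build_menu(categories_per_menu, questions_per_menu, inventory):
    """Simplified model of one registration menu: assign a category to each
    of the menu's category slots (cycling when there are fewer active
    categories than slots) and fill the menu round-robin from those slots.
    Reusing a category across slots is what produces duplicate questions."""
    if categories_per_menu < 1:
        raise ValueError("Categories per Menu must be at least 1")
    active = [c for c, q in inventory.items() if q]
    slots = [active[i % len(active)] for i in range(categories_per_menu)]
    menu = []
    for i in range(questions_per_menu):
        questions = inventory[slots[i % len(slots)]]
        menu.append(questions[(i // len(slots)) % len(questions)])
    return menu


def has_duplicates(menu):
    """True if the same question appears more than once in a menu."""
    return len(set(menu)) != len(menu)
```

A check like this belongs in the change procedure before Apply is clicked on the Registration Logic page, since the page itself accepts the values and the effect only shows up later in users' registration menus.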