Enable and configure Security Questions

This topic describes how to enable and set requirements for the Security Question authentication mechanism.

If you select Security Question(s) as an authentication mechanism for users, you must enable the feature for users and the end-users must provide answers to the questions.

Enable Security Questions

The following procedure describes how to enable and configure Security Questions.

To enable the Security Question challenge

  1. Log in to the CyberArk Identity Admin Portal.
  2. Click Core Services > Policies and select the policy you want to edit or click Add Policy Set to create a new one.
  3. Click User Security Policies > User Account Settings.
  4. Select Yes in the Enable users to configure security questions drop-down list.

    Leaving the default selection (--) is equivalent to requiring users to specify one user-defined question and answer.

    Selecting No means users will not see the option in the User Portal to answer admin-defined questions or specify/answer user-defined questions.

  5. Enter values for the related options.

    If the total number of user-defined and admin-defined questions you specify here is greater than the number of questions users must answer, then CyberArk Identity randomly selects questions from the pool of questions containing answers. We will not select questions for which users have not provided answers.

    • Require users to configure Security Questions on login: Users can configure security questions.
    • Allow duplicate security question answers: Users can enter duplicate answers to different questions if you enable this policy.
    • Required number of user-defined questions: Users can enter the questions and answers in User Portal.
    • Required number of admin-defined questions: Users can select from a list of pre-defined questions and provide answers for them in User Portal. See Write admin-defined security questions.
    • Minimum number of characters required in answers.
    • Authentication profile required to set security questions: (Optional) Specify additional authentication challenges (by selecting an authentication profile) users must provide before they can enter/answer user-defined security questions or select/answer admin-defined questions.
  6. Click Save.

Write admin-defined security questions

You can write the admin-defined questions from which users can select, provide answers for, and use for authenticating to CyberArk Identity.

To write the admin-defined security questions

  1. Log in to the Admin Portal.
  2. Click Settings > Authentication > Security Questions > Add button.
  3. Enter the question you want made available to users.

    You can only enter one question at time.

  4. Click OK.