CA Strong Authentication Administration Guide › Managing Global CA AuthMinder Configurations › Configuring Profiles and Policies › Configure QnA Settings › Configure QnA Authentication Policy

Configure QnA Authentication Policy

A QnA policy can be used to specify the following attributes related to a QnA-based authentication:

• User status: The status of the user, which can be active or inactive.

  Note: If the user status check is enabled, then the authentication for users in inactive state results in failure.

• Number of questions:
  • CA AuthMinder must ask the users during authentication process.
  • For which correct answers are required during authentication.
• Caller Verification: The answers are verified by a third party and the result is then sent to CA AuthMinder Server.
• Lockout criteria: The number of failed attempts after which the user’s credential is locked out.
• Unlocking criteria: The number of hours after which a locked QnA credential can be used to log in again.
• Question Selection Mode: The questions are selected either randomly or alternately, which means a new set of questions is asked based on the Change Question Set option.
• Change Question Set: The questions are changed either after every attempt or after successful authentication.

Follow these steps:

1. Click the Services and Server Configurations tab on the main menu.
2. Ensure that the CA Strong Authentication tab in the submenu is active.
3. Under the QnA section, click the Authentication link to display the QnA Authentication Policy page.
4. Edit the fields in the Policy Configuration section, as required.
   • Policy Configuration:

   Create

   If you choose to create a new policy, then:

   • Select the Create option.
   • Specify the Configuration Name of the new policy in the field that appears.

   Update

   If you choose to update an existing policy, then select the policy that you want to update from the Select Configuration list that appears.

   Copy Configuration

   Enable this option if you want to create the policy by copying the configurations from an existing policy.

   Note: You can also copy from configurations that belong to other organizations that you have scope on.

   Available Configurations

   Select the policy from which the configurations will be copied.

   Number of Questions to Challenge

   Set the number of questions that users will be prompted to answer during authentication.

   Number of Correct Answers Required

   Specify the number of correct answers that users must provide to authenticate successfully.

   For example, if you set 3 here and set 5 in the Number of Questions to Challenge field, then users must answer at least three questions correctly out of the five they will be prompted to answer.

   Enable Caller Verification

   If you enable this option, then during authentication the answers are collected and verified by a Customer Support Representative (CSR) or a similar facility, and the verification result is sent to the CA AuthMinder Server.

   Lockout Credential After

   Specify the number of failed attempts after which the user credential will be locked.

   Check User Status Before Authentication

   Select this option if you want to verify whether the user status is active, before authenticating them.

5. Expand the Advanced Configurations section by clicking the [+] sign.
6. Edit the fields in the section, as required.
   • Advanced Configurations:

   Issue Warning

   Specify the number of days before the warning is sent to the calling application about the user’s impending credential expiration.

   Allow Successful Authentication

   Specify the number of days for which the users can use an expired credential to successfully log in.

   Enable Automatic Credential Unlock

   Select this option if you want the locked credential to be automatically unlocked after the time you specify in the following field.

   This field is valid only if you specify the corresponding value in the Lockout Credential After field.

   Note: The credential does not get automatically unlocked after the unlock period. The credential has to be used for successful authentication after the unlock period to get it unlocked.

   Unlock After

   Specify the number of hours after which a locked credential can be used again for authentication.

   Question Selection Mode

   Specify how the questions are selected for the challenge. The supported values are:

   • Random - The questions are selected randomly from the configured set.
   • Alternate - A new set of questions is selected from the configured set, which means the questions that were asked in the last authentication prompt are skipped.

   Change Question Set

   Specify when the CA AuthMinder Server must select a new set of questions to challenge. The supported options are:

   • Only on Successful Authentication - A new set of questions that are based on the Question Selection Mode is selected after the user authenticates successfully.
   • For Every Attempt - A new set of questions that are based on the Question Selection Mode is selected after every authentication attempt, irrespective of the authentication result.

   Challenge Validity (in Seconds)

   Specify the duration for which the QnA challenge has to be valid.

   • Multiple Credential Options:

   Usage Type for Verification

   If you want the users to authenticate with the particular QnA credential, then enter the name of its usage type in this field.

   If you do not specify the usage type, then the usage type mentioned in the default QnA authentication policy is used.

7. Click Save.
8. Refresh all deployed CA AuthMinder Server instances. See Refresh a Server Instance for instructions about the procedure.