Configure QnA Settings
This page instructs you in the configuration of CA Strong Authentication for a QnA Issuance Profile and Authentication Policy.
aa813test
This page instructs you in the configuration of CA Strong Authentication for a QnA Issuance Profile and Authentication Policy.
2
Configure a QnA Issuance Profile
You can use a QnA profile to specify the following attributes that are related to a QnA credential:
- Number of questions:
- Minimum number of questions and answers the user must set during issuance.
- Maximum number of questions and answers the user can set during issuance
- Validity period:The period for which a QnA credential is valid.
- Case-sensitive Answers:Decide whether the answers entered by the users must be case-sensitive or not.
- Question Bank:The users use these preconfigured questions in the question bank for setting up their QnA credential.
By configuring a QnA profile and assigning it to one or more organizations, you can control the characteristics of QnA credentials that are issued to users of those organizations. Use the Questions and Answers Profiles page for creating QnA credential profiles.
Follow these steps:
- Click theServices and Server Configurationstab on the main menu.
- Ensure that the CA Strong Authentication tab in the submenu is active.
- Under the QnA section, click the Issuance link to display the Questions and Answers Profiles page.
- Edit the fields in the Profile Configurations section, as required.
- Profile Configurations:
CreateTo create a profile:- Select the Create option.
- Specify the Configuration Name of the new profile in the field that appears.
UpdateTo update an existing profile, select the profile to update from the Select Configuration list that appears.Copy ConfigurationEnable this option if you want to create the profile by copying the configurations from an existing profile.Note:You can also copy from configurations that belong to other organizations that you have scope on. - Available ConfigurationsSelect the profile from which the configurations are copied.
Minimum Questions and Answers
- Specify the minimum number of questions and answers that users have to set.
- For example: If you set 3 here and 5 in the Maximum Questions and Answers field, then the users are prompted for at least three questions out of the five they set.
Maximum Questions and Answers
Specify the maximum number of questions and answers that users can set.
Answers Case-Sensitive
Specify whether the answers that the users specify must match the case that they used to set the QnA.
Validity Start Date
Set the date from which the issued QnA credential is valid. The validity can start from either the date when the QnA is created or you can specify a specific date.
Validity End Date
Set the date when the QnA credential expires. You can either specify the duration for the credential expiration or you can specify a specific date.
- Expand theAdvanced Configurationssection by clicking the[+]sign.
- In theCustom Attributessection, specify any extra information in theName-Valuepair format. For example, the organization information that plug-ins can used.
- Set the following values in theUser Validationssection:
- Select theUser Activeoption if you want to verify the user status for the following operations involving the current credential:
- Create credential
- Reissue credential
- Reset credential
- Reset validity of the credential
- Select theUser Attributeoption if you want to verify whether the user attribute matches certain values. You can set the value for the following user attributes:
- Date when the user was created
- Date when the user details were modified
- Email address
- First name
- Middle name
- Last name
- User status
- Telephone number
- Unique user identifier
The User attribute check feature is availableonlyif you are performing configurations at the organization level.
- Set the following values in the Question Bank for QnA Issuance section:
- In the Question Return Mode, specify how the questions must be selected for the users to set their answers. The supported modes are:
- Static - A fixed set of questions is selected from the configured set and presented to the users.
- Random - The questions are selected randomly from the configured set and presented to the users.
- In the Questions Bank table, enter the questions to configure at the global level. You can overwrite these questions at the organization level.
- In the Multiple Credential Options section, enter a description in the Usage Type field to identify the purpose of the QnA. For example: A user gets a temporary credential to perform a remote login to the network. The usage type for this credential can betemporary.
- Click Save to create or update the QnA profile.
- Refreshalldeployed CA Strong Authentication Server instances.
Configure QnA Authentication Policy
A QnA policy can be used to specify the following attributes that are related to a QnA-based authentication:
- User status: The status of the user, which can be active or inactive.If the user status check is enabled, then the authentication for users in inactive state results in failure.
- Number of questions:
- CA Strong Authentication must ask the users during authentication process.
- For which correct answers are required during authentication.
- Caller Verification: A third party verifies the answers. The result is then sent to the CA Strong Authentication Server.
- Lockout criteria: The number of failed attempts after which the user credential is locked out.
- Unlocking criteria:The number of hours after which a locked QnA credential can be used to log in again.
- Question Selection Mode: The questions are selected either randomly or alternately, which means a new set of questions is asked based on theChange Question Setoption.
- Change Question Set: The questions are changed either after every attempt or after successful authentication.
Follow these steps:
- Click the Services and Server Configurations tab on the main menu.
- Ensure that the CA Strong Authentication tab in the submenu is active.
- Under the QnA section, click the Authentication link to display the QnA Authentication Policy page.
- Edit the fields in the Policy Configuration section, as required.
- Policy Configuration:
- CreateTo create a new policy:
- Select the Create option.
- Specify the Configuration Name of the new policy in the field that appears.
- UpdateTo update an existing policy, select the policy that you want to update from the Select Configuration list that appears.
- Copy ConfigurationEnable this option if you want to create the policy by copying the configurations from an existing policy.Note:You can also copy from configurations that belong to other organizations that you have scope on.
- Available ConfigurationsSelect the policy from which the configurations are copied.
- Number of Questions to ChallengeSet the number of questions that users are prompted to answer during authentication.
- Number of Correct Answers RequiredSpecify the number of correct answers that users must provide to authenticate successfully.For example: Set 3 here and set 5 as the Number of Questions to Challenge. Users must answer at least three questions correctly out of the five they are prompted to answer.
- Enable Caller VerificationIf you enable this option, the answers are collected and verified by a Customer Support Representative (CSR) or a similar facility during authentication. The verification result is sent to the CA Strong Authentication Server.
- Lockout Credential AfterSpecify the number of failed attempts after which the user credential is locked.
- Check User Status Before AuthenticationSelect this option if you want to verify whether the user status is active, before authenticating them.
- Expand theAdvanced Configurationssection by clicking the[+]sign.
- Edit the fields in the section, as required.
- Advanced Configurations:
- Issue WarningSpecify the number of days before the warning is sent to the calling application about the user impending credential expiration.
- Allow Successful AuthenticationSpecify the number of days for which the users can use an expired credential to log in successfully.
- Enable Automatic Credential UnlockSelect this option for the locked credential to be automatically unlocked after the time you specify in the following field.This field is valid only if you specify the corresponding value in the Lockout Credential After field.
- Unlock AfterSpecify the number of hours after which a locked credential can be used again for authentication.
- Question Selection ModeSpecify how the questions are selected for the challenge. The supported values are:
- Random: The questions are selected randomly from the configured set.
- Alternate: A new set of questions is selected from the configured set. The questions that were asked in the last authentication prompt are skipped.
- Change Question SetSpecify when the CA Strong Authentication Server must select a new set of questions to challenge. The supported options are:
- Only on Successful Authentication: A new set of questions that are based on the Question Selection Mode is selected after the user authenticates successfully.
- For Every Attempt: A new set of questions that are based on the Question Selection Mode is selected after every authentication attempt, regardless of the authentication result.
- Challenge Validity (in Seconds)Specify the duration for which the QnA challenge has to be valid.
- Multiple Credential Options:
- Usage Type for VerificationFor users to authenticate with a particular QnA credential, enter the name of its usage type in this field.If you do not specify a usage type, the default QnA authentication policy usage type is used.
- Click Save.
- Refreshalldeployed CA Strong Authentication Server instances.