Configure the Security Question authenticator

The Security Question authenticator prompts end users to enter a correct response to a question that they've selected from a list of possible questions.

The Security Question authenticator:

  • Supports multifactor authentication (MFA), single sign-on (SSO), and password recovery scenarios. If this authenticator is disabled for MFA or SSO, the Global Session Policy doesn't evaluate it.

  • Can be used for MFA and SSO only if the primary factor in the user's Global Session Policy is A password. Okta recommends against using security questions in any authentication flow.

You can configure Okta to use this authenticator for just account recovery, or for both authentication and account recovery. If you choose only the recovery option, Okta doesn't request authentication during the evaluation of your Global Session Policy.

If you want to enable Okta FastPass for your users, that is, allow users to access a resource without proving that they're physically present, you can't use Security Question as an additional authenticator. See Add an authentication policy rule.

Add Security Question as an authenticator

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Add Authenticator.
  3. Click Add on the Security Question tile.
  4. Select the scenarios when end users can use the Security Question authenticator:
    • Authentication and recovery
    • Recovery
  5. Click Add.
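
To confirm which scenario is actually in effect, the following added example (not part of Okta's documentation) audits an authenticator list exported as JSON and flags a Security Question that can satisfy an authentication flow. The key, status, and settings.allowedFor field names and their values are assumptions based on the Okta Authenticators API (GET /api/v1/authenticators), with "any" taken to correspond to Authentication and recovery; the sample data is constructed.

```python
import json

# Constructed sample shaped like a GET /api/v1/authenticators response.
# Field names and values are assumptions, not taken from this page.
SAMPLE = json.loads("""[
  {"key": "okta_password", "name": "Password", "status": "ACTIVE"},
  {"key": "security_question", "name": "Security Question",
   "status": "ACTIVE", "settings": {"allowedFor": "any"}},
  {"key": "okta_verify", "name": "Okta Verify", "status": "ACTIVE"}
]""")

# allowedFor values that let the question satisfy an authentication (MFA/SSO) flow.
AUTH_SCOPES = {"any", "sso"}


def audit_security_question(authenticators):
    """Return (severity, message) for the Security Question authenticator."""
    sq = [a for a in authenticators if a.get("key") == "security_question"]
    if not sq:
        return ("ok", "Security Question authenticator is not configured")
    entry = sq[0]
    if entry.get("status") != "ACTIVE":
        return ("ok", "Security Question authenticator is inactive")
    scope = (entry.get("settings") or {}).get("allowedFor")
    if scope in AUTH_SCOPES:
        return ("high", f"allowedFor={scope!r}: usable for authentication; "
                        "restrict to recovery or remove")
    if scope == "recovery":
        return ("info", "limited to account recovery")
    # Missing or unknown value: fail closed and ask for manual review.
    return ("review", f"unexpected allowedFor value {scope!r}")


if __name__ == "__main__":
    severity, message = audit_security_question(SAMPLE)
    print(f"[{severity}] {message}")
```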

Disable the Security Question authenticator

You can disable authenticators if they're not used in an authenticator enrollment policy or a self-service password reset policy. In the Security Question row on the Authenticators page, click Actions > Delete.

End-user experience

Users see the Extra verification is required for your account page and must perform the following steps when they sign in after you enable this authenticator:

  1. Select Setup.
  2. Create or choose a security question, enter an answer, and then click Save.

The next time your users sign in, they're prompted to answer their security question.

Related topics

Global session policies

Authentication policies

About authenticator enrollment policies and rules