Configure the Security Question authenticator

The Security Question authenticator prompts end users to enter a correct response to a question that they've selected from a list of possible questions.

The Security Question authenticator:

  • Supports authentication (MFA/SSO) and user password recovery scenarios. If it's disabled for MFA/SSO, it isn't included in Global Session Policy evaluation.

  • Can be used for MFA/SSO only if the primary factor in the user's Global Session Policy is a password. Okta recommends against using security questions in any authentication flow.

You can configure Okta to use this authenticator for just account recovery, or for both authentication and account recovery. If you choose only the recovery option, Okta doesn't request authentication during the evaluation of your Global Session Policy.

For example, if you want to enable Okta FastPass for your users, that is, allow users to access the resource without proving that they're physically present, you can't use a security question as an additional authenticator. See Add an authentication policy rule.

Add Security Question as an authenticator

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Add Authenticator.
  3. Click Add on the Security Question tile.
  4. Select the scenarios in which end users can use the Security Question authenticator:
    • Authentication and recovery
    • Recovery
  5. Click Add.
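The scenario you pick in step 4 decides whether the authenticator is evaluated in the Global Session Policy at all. The following Python audit script, added here as an example and not part of Okta's documentation or tooling, applies the rules stated on this page to an authenticator inventory. It assumes the inventory has the shape of a Management API GET /api/v1/authenticators response, with a `key` of `security_question`, a `status`, and a `settings.allowedFor` value of `any`, `recovery`, or `sso`; that shape, and the sample data, are assumptions for this example rather than something the page states.

```python
import json

# Constructed sample inventory modelled on an Okta Management API
# GET /api/v1/authenticators response. The field names (key, status,
# settings.allowedFor) are assumptions for this example.
SAMPLE_AUTHENTICATORS = json.dumps([
    {"key": "okta_password", "name": "Password", "status": "ACTIVE"},
    {"key": "security_question", "name": "Security Question",
     "status": "ACTIVE", "settings": {"allowedFor": "any"}},
    {"key": "okta_verify", "name": "Okta Verify", "status": "ACTIVE"},
])


def security_question_scope(authenticators_json: str) -> dict:
    """Classify how the Security Question authenticator is configured.

    Returns a dict with:
      enabled             - the authenticator is ACTIVE
      usable_for_auth     - allowed for authentication (MFA/SSO), so it
                            is evaluated in the Global Session Policy
      usable_for_recovery - allowed for password recovery only or also
    """
    for auth in json.loads(authenticators_json):
        if auth.get("key") != "security_question":
            continue
        enabled = auth.get("status") == "ACTIVE"
        # Treat a missing setting as the safer "recovery" scope.
        allowed = (auth.get("settings") or {}).get("allowedFor", "recovery")
        return {
            "enabled": enabled,
            "usable_for_auth": enabled and allowed in ("any", "sso"),
            "usable_for_recovery": enabled and allowed in ("any", "recovery"),
        }
    # Authenticator not added at all.
    return {"enabled": False, "usable_for_auth": False,
            "usable_for_recovery": False}


def audit_findings(authenticators_json: str,
                   primary_factor_is_password: bool = True,
                   fastpass_enabled: bool = False) -> list:
    """Turn the page's rules into audit findings for a reviewer.

    primary_factor_is_password and fastpass_enabled describe the
    Global Session Policy / authentication policy being audited.
    """
    scope = security_question_scope(authenticators_json)
    findings = []
    if scope["usable_for_auth"]:
        findings.append("Security Question is enabled for MFA/SSO; Okta "
                        "recommends against using security questions in "
                        "any authentication flow.")
        if not primary_factor_is_password:
            findings.append("Security Question is only usable for MFA/SSO "
                            "when the Global Session Policy's primary "
                            "factor is a password; it will not satisfy "
                            "this policy.")
        if fastpass_enabled:
            findings.append("Okta FastPass is enabled; a security question "
                            "can't be used as an additional authenticator "
                            "in that policy.")
    elif scope["usable_for_recovery"]:
        findings.append("Security Question is limited to account recovery "
                        "and is not evaluated in the Global Session Policy.")
    return findings


if __name__ == "__main__":
    for line in audit_findings(SAMPLE_AUTHENTICATORS,
                               primary_factor_is_password=False,
                               fastpass_enabled=True):
        print("-", line)
```

Point the script at a saved API response instead of the constructed sample to review a real tenant; the only tenant-specific input is the JSON string.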

Disable the Security Question authenticator

You can disable authenticators if they're not used in an MFA Enroll policy or a self-service password reset policy. In the Security Question row on the Authenticators Setup page, click Actions > Delete.

End-user experience

The first time users sign in to your apps after you configure this factor, they see the Extra verification is required for your account page and must perform the following steps:

  1. Select Setup.
  2. Create or choose a security question, enter an answer, and then click Save.

The next time your users sign in, they are prompted to answer their security question.

Related topics

Add an authentication policy rule

Configure the Email authenticator

Configure the Password authenticator

Configure the Phone authenticator

Configure a FIDO2 (WebAuthn) authenticator