Configure the security question authenticator

The security question authenticator prompts end users to enter a correct response to a question that they've selected from a list of possible questions.

This authenticator supports multifactor authentication (MFA), single sign-on (SSO), and recovery scenarios. If this authenticator is disabled for MFA or SSO, the global session policy doesn't evaluate it. You can use this authenticator for MFA and SSO only if the primary authenticator in the global session policy is a password. Okta recommends against using security questions in any authentication flow: the answers are a weak knowledge factor that is often guessable or discoverable from public information, so prefer a stronger authenticator and, if you enable security questions at all, limit them to recovery.

You can use this authenticator for account recovery only, or for both authentication and account recovery. If you choose the recovery-only option, Okta doesn't prompt users for the security question while evaluating your global session policy.

You can't use this authenticator as an additional authenticator if you've enabled Okta FastPass in your org.

This authenticator is a knowledge factor and fulfills the requirements for user presence. See Multifactor authentication.

Add the security question authenticator

  1. In the Admin Console, go to Security > Authenticators.

  2. On the Setup tab, click Add Authenticator.

  3. Click Add on the authenticator tile.

Configuration options

  1. Configure the following options:

     Field                       | Value
     ----------------------------|------------------------------------------------------------------
     Authentication and recovery | Use this authenticator for both authentication and recovery scenarios.
     Recovery                    | Use this authenticator only for recovery scenarios.

  2. Click Add. The authenticator appears in the list on the Setup tab.
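The Admin Console steps above set the authenticator's usage, but the choice is easy to drift from over time. The following is an added example, not Okta's own code, that audits the setting: it parses the JSON body returned by GET /api/v1/authenticators and flags the security question authenticator when it is active for anything other than recovery. The field names `key`, `status`, and `settings.allowedFor`, and the assumption that the Recovery option corresponds to `allowedFor` of `recovery`, are taken from the Authenticators API as the author understands it and should be verified against your tenant; the response body embedded below is constructed for the example.

```python
import json
from typing import Any, Optional

# Constructed sample of a GET /api/v1/authenticators response body. Only the
# fields this check reads are included; a real response carries many more.
SAMPLE_RESPONSE = json.dumps([
    {"key": "okta_password", "type": "password", "status": "ACTIVE"},
    {"key": "security_question", "type": "security_question", "status": "ACTIVE",
     "settings": {"allowedFor": "any"}},
    {"key": "okta_verify", "type": "app", "status": "ACTIVE"},
])


def security_question_usage(body: str) -> Optional[dict[str, Any]]:
    """Summarise the security question authenticator from a list response.

    Returns None when the authenticator isn't present. Otherwise returns a dict
    with `active` (status == ACTIVE) and `allowedFor` (the settings value, or
    None when the response carries no such field).
    """
    for authenticator in json.loads(body):
        if authenticator.get("key") != "security_question":
            continue
        settings = authenticator.get("settings") or {}
        return {
            "active": authenticator.get("status") == "ACTIVE",
            "allowedFor": settings.get("allowedFor"),
        }
    return None


def audit_security_question(body: str) -> list[str]:
    """Return findings; an empty list means the org follows the recommendation.

    Recommendation: if the security question authenticator is enabled at all,
    use it for recovery only. "recovery" is assumed (not confirmed by the page)
    to be the allowedFor value the Recovery option sets; any other value, or a
    missing one, means users may be prompted for it during sign-in.
    """
    summary = security_question_usage(body)
    if summary is None or not summary["active"]:
        return []  # absent or inactive: nothing to flag
    allowed = summary["allowedFor"]
    if allowed == "recovery":
        return []
    if allowed is None:
        return ["security_question is ACTIVE but the response carries no "
                "settings.allowedFor; confirm its usage in the Admin Console"]
    return [f"security_question is ACTIVE with allowedFor={allowed!r}; "
            "switch it to recovery-only or deactivate it"]


if __name__ == "__main__":
    for finding in audit_security_question(SAMPLE_RESPONSE) or ["no findings"]:
        print(finding)
```

To run it against a real org, fetch the body with an API token (for example `curl -H "Authorization: SSWS $OKTA_API_TOKEN" https://your-org.okta.com/api/v1/authenticators`, where the org hostname is a placeholder) and pass the response text to `audit_security_question`. The sample above produces one finding because the constructed authenticator is active with `allowedFor` set to `any`.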

Add the security question authenticator to the authenticator enrollment policy

  1. In the Admin Console, go to Security > Authenticators.

  2. Click the Enrollment tab.
  3. Add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.

Edit or delete the security question authenticator

Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.

  1. In Authenticators, go to the Setup tab.
  2. Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.

End-user experience

After you enable this authenticator, users see the Extra verification is required for your account page the next time they sign in and must perform the following steps:

  1. Select Setup.
  2. Create or choose a security question, enter an answer, and then click Save.

The next time your users sign in, they're prompted to answer their security question.

Additional prompts

Users may be prompted for the security question in a few other scenarios:

  • If your org doesn't use MFA, all authenticators are treated as optional. Users may be prompted to set up the security question during account setup, but they can dismiss the prompt and won't be asked again.

  • If you enabled the security question for recovery but don't allow it for additional verification in the password policy, users may be prompted for it when they sign in.

Related topics

Global session policies

Authentication policies

Authenticator enrollment policy