Affected Versions: All
Description: You have configured a realm to use Knowledge Based Questions and Answers as a 2nd factor option, but it is not showing up as an option during the authentication process.
Cause & Resolution:
Verify in the directory store that the attribute you have selected to store the KBQ/KBAs has data in it.
The values are stored in the attribute in either encoded or encrypted format. If the attribute is blank, then the user who is exhibiting this problem has not filled out their KBQ/KBAs information. To do so, users can use the Self Service page to fill out the information. If you do not have a self service page, please follow this article to configure one: https://docs.secureauth.com/x/IwpjAg
If the attribute contains a value but KBQ/KBA is still not showing up as a selectable option, it is likely that the SecureAuth application cannot decrypt the data stored in that field and is therefore unable to read it.
The certificate SecureAuth uses to encrypt attribute data is the certificate selected in the License Info section located on the System Info tab of the WebAdmin console.
This certificate will need to be selected on every realm using KBQs/KBAs as a second factor, so that it can properly decrypt the data.
More Information:
SecureAuth uses the License Info Certificate to perform all directory-store attribute Encryption and Decryption. This applies to other features like Device Browser Fingerprinting and OATH OTP (Seed or Token). If using those other features, please ensure that the same certificate is selected on every realm.
If you have multiple SecureAuth Appliances that are syncing configurations, make sure that the Certificate is installed on all of the SecureAuth servers with Network-Service Read permissions for the private key.
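One way to verify this on every server, as an added example (not SecureAuth's own tooling): the thumbprint and server names are placeholders, and the script assumes an RSA certificate in the LocalMachine\My store and PowerShell remoting to each server.

```powershell
# Added example. Placeholders: thumbprint and server names are not from the article.
# Assumptions: RSA key, certificate in LocalMachine\My, PowerShell remoting enabled.
$Thumbprint = '<LICENSE-INFO-CERT-THUMBPRINT>'
$Servers    = @('<SECUREAUTH-SERVER-1>', '<SECUREAUTH-SERVER-2>')

$check = {
    param($Thumbprint)
    $r = [ordered]@{ Server = $env:COMPUTERNAME; Installed = $false
                     HasPrivateKey = $false; NetworkServiceRead = $false }
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if ($cert) {
        $r.Installed     = $true
        $r.HasPrivateKey = $cert.HasPrivateKey
    }
    if ($r.HasPrivateKey) {
        # Resolve the on-disk key file name (CNG or legacy CSP provider).
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $name = if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $rsa.Key.UniqueName
        } else {
            $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        }
        $file = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$name",
                "$env:ProgramData\Microsoft\Crypto\Keys\$name" |
                Where-Object { Test-Path $_ } | Select-Object -First 1
        if ($file) {
            # Only an explicit Allow ACE for Network Service (S-1-5-20) is checked;
            # access inherited through a group is not detected here.
            $sid   = 'S-1-5-20'
            $read  = [System.Security.AccessControl.FileSystemRights]::Read
            $rules = (Get-Acl $file).GetAccessRules($true, $true,
                         [System.Security.Principal.SecurityIdentifier])
            $r.NetworkServiceRead = [bool]($rules | Where-Object {
                $_.IdentityReference.Value -eq $sid -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $read) -eq $read })
        }
    }
    [pscustomobject]$r
}

# Run elevated; any row with a False column identifies a server to fix.
Invoke-Command -ComputerName $Servers -ScriptBlock $check -ArgumentList $Thumbprint |
    Select-Object Server, Installed, HasPrivateKey, NetworkServiceRead |
    Format-Table -AutoSize
```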