AD Security Questions

This MFA technique lets you use AD-based security questions as an authentication factor. The answer a user enters is verified against the value of an AD attribute that you map to the question, rather than against an answer the user enrolled.

For example, assume that you have set ‘What is your social security number?’ as an AD-based security question and mapped a custom attribute of the user object as the answer. When a user attempts a password reset, they are required to enter the correct answer (i.e., their social security number). If the answer entered by the user matches the value of the mapped AD attribute (i.e., the value of the custom attribute), the user is successfully authenticated.

Because this MFA technique uses attribute values already stored in AD, users do not need to enroll with ADSelfService Plus separately. This relieves admins of having to ensure that every user has completed the enrollment process.

Make sure that the AD attributes mapped to the security questions are not readable through an LDAP browser or other tools. The answer is only as secret as the attribute value: by default, most attributes on a user object can be read by any authenticated domain user, so an attribute used as an answer should be marked confidential in the schema (searchFlags bit 0x80) or have its read permission otherwise restricted, and the restriction should be verified by querying the attribute as an ordinary, non-admin user before the question goes live.
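The following PowerShell script is an added example for performing that check; it is not part of the ADSelfService Plus documentation or product. It assumes the ActiveDirectory module (RSAT) on a domain-joined host, and the attribute name, sample user and the low-privilege credential are placeholders you replace with your own. It reads the attribute's searchFlags from the schema to see whether the confidential bit is set, then reads the same attribute on a sample user twice, once as the current (admin) session and once as an ordinary user, and reports whether the ordinary user can see the value that ADSelfService Plus would treat as the answer.

```powershell
# Added example: checks whether an AD attribute mapped to an AD security question
# is readable by an ordinary domain user. Not part of ADSelfService Plus.
# Assumptions: ActiveDirectory module available; run as an account that can read
# the attribute (e.g., a domain admin); $Attribute, $SampleUser and the
# credential prompted for are placeholders.
param(
    [string]$Attribute  = 'extensionAttribute5',   # attribute selected under "Verify With"
    [string]$SampleUser = 'jdoe',                  # any user who has a value set
    [pscredential]$LowPrivCred = (Get-Credential -Message 'Ordinary (non-admin) domain user')
)

Import-Module ActiveDirectory

# 1. Look up the attribute's schema object and test the confidential bit (0x80)
#    in searchFlags. Confidential attributes are hidden from plain "Read" access;
#    only principals with CONTROL_ACCESS (or full control) on the object see them.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$schemaAttr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$Attribute))" `
    -Properties searchFlags
if (-not $schemaAttr) { throw "Attribute '$Attribute' not found in the schema." }
$isConfidential = (([int]$schemaAttr.searchFlags) -band 0x80) -ne 0

# 2. Read the attribute as the current (privileged) session, so that an empty
#    result later is not mistaken for "not readable". @() normalises both
#    single-valued and multi-valued attributes (e.g., otherMobile) to an array.
$asAdmin = Get-ADUser -Identity $SampleUser -Properties $Attribute
$adminValues = @($asAdmin.$Attribute)
if ($adminValues.Count -eq 0) {
    throw "User '$SampleUser' has no value in '$Attribute'; pick a user with a value set."
}

# 3. Read the same attribute as an ordinary user. If any value comes back, the
#    "answer" is not a secret: anyone with a domain account could look it up.
$asUser = Get-ADUser -Identity $SampleUser -Properties $Attribute -Credential $LowPrivCred
$lowPrivValues = @($asUser.$Attribute)
$readableByLowPriv = $lowPrivValues.Count -gt 0

[pscustomobject]@{
    Attribute           = $Attribute
    ConfidentialFlagSet = $isConfidential
    ValuesSeenAsAdmin   = $adminValues.Count
    ReadableByLowPriv   = $readableByLowPriv
    Verdict             = if ($readableByLowPriv) { 'UNSAFE: do not use as a security answer' }
                          else { 'OK: hidden from ordinary users' }
}
```

Run it once per attribute you intend to select in the Verify With drop-down. A result of ReadableByLowPriv = True means the factor adds no secrecy beyond the user's own domain credential, regardless of whether the confidential flag is set (explicit ACEs on the user object or OU can still grant read access).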

Steps for enabling AD Security Questions:

  1. Log in to the ADSelfService Plus web console with admin credentials.
  2. Navigate to Configuration tab → Multi-factor Authentication → Authenticators Setup.
  3. From the Choose the Policy drop-down, select a policy.

    Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.

  4. Click the AD Security Questions section.
  5. Enable AD Security Questions.

  6. Click the Add Question button to add a new question.
  7. Map the question to an AD attribute by selecting it from the Verify With drop-down; the value of that attribute on each user's account is the expected answer.
  8. Click Save.

Important:

  • Click the asterisk symbol [*] to make the AD security question mandatory.
  • When the AD Security Questions method of authentication is enabled, users need not enroll separately with ADSelfService Plus.
  • If you have mapped a multi-valued attribute (say, otherMobile) to a security question, any one of that attribute's values is accepted as a valid answer. Each additional value therefore widens the set of answers an attacker could guess or look up, so prefer single-valued attributes where possible.

Copyright © 2023, ZOHO Corp. All Rights Reserved.