Requiring Identity Verification

May 09, 2015

Depending on user configuration settings, you might require users to verify their identities when the following events occur:
  • Users change their authentication types; for example, a user might switch between smart card and password authentication (you can create a user configuration that requires initial verification only when switching between authentication types)
  • An administrator changes a user’s primary password
  • Users reset their primary password using Account Self-Service
  • Users unlock their domain account using Account Self-Service
  • Users change their primary password on a device that does not have the plug-in software installed and then log on to a device where the plug-in software is installed

Single Sign-on can be configured to verify the user's identity to ensure that the user is authorized to use Single Sign-on. You can select one of two identity verification methods:

  • Previous Password: Users verify their identities by entering their previous primary password.
  • Security questions (also known as question-based authentication): You create a questionnaire that contains as many questions and question groups as you want to make available to users. You can use the default questions Single Sign-on provides or create your own.

Caution: When previous password is the only identity verification method available to your users, users who forget their previous primary password are locked out. An administrator must then use the Single Sign-on component task Reset User Data to enable the users to reenroll. An administrator might also need to reset the passwords in the user’s applications.

Verifying User Identity by Using Security Questions (Question-Based Authentication)

Single Sign-on enables you to use question-based authentication to verify user identity. Single Sign-on includes four questions (in English, French, German, Japanese, Simplified Chinese, and Spanish) that you can use for this purpose.

You can use question-based authentication:
  • As part of a user’s Security Question Registration during the first-time plug-in software enrollment
  • After enrollment, if you configured Account Self-Service to allow users to change their primary credentials or unlock their accounts

When users change their primary passwords, you can confirm your users’ identities by prompting them to answer security questions in the form of a questionnaire you create. This questionnaire appears the first time your users launch the plug-in software. Users answer the required number of security questions and can be prompted to reenter this information at specific password change events.

To allow users to reregister answers to their security questions without being prompted, give them access to QBAEnroll.exe as a published application.

If you choose not to set up security questions, users are prompted for their previous primary password when they first log on and when they change their primary password. You can also allow users to choose the method they prefer to use when authenticating (previous passwords or security questions).

Recovering or Unlocking User Credentials Automatically

Important: Automatic key management is not as secure as other key recovery mechanisms such as security questions and previous password.

You can configure Single Sign-on to bypass identity verification and retrieve user credentials (that is, encryption keys associated with the user data) automatically by installing the Single Sign-on Service and using the Key Management Module.

The basic workflow to use automatic key management is as follows:
  1. Install the Citrix Single Sign-on Service with the Key Management Module.
  2. Create or edit user configurations and select the key recovery method that allows automatic key management without identity verification. This option is available as part of the Secondary Data Protection property in the user configuration.