Single Sign-on provides four default questions that you can use to manage user registration. These questions are available in all supported languages (English, French, German, Japanese, Simplified Chinese, and Spanish). Citrix recommends you create your own security questions and make them available in each of the languages your environment must support.
Someone trying to gain access to a user's password needs to know the answers to all the questions the user originally answered. However, requiring users to answer too many questions might make it too difficult for them to confirm their identity.
Security questions should request non-public information that would be difficult for anyone other than the valid user to provide (for example, difficult for brute force guessing or dictionary-based attacks). The key factor in determining the security of questions is the degree of difficulty involved when someone attempts to guess the answer.
A good question is one that has high entropy; that is, a question for which:
- The number of unique answers possible is very high
- The probability of guessing any one specific answer is very low
For usability purposes, the question should be easy for a user to remember but difficult for an adversary to determine. For example:
- What is the name of your favorite college professor or high school teacher?
- Where would you go for your ultimate dream vacation? (city, country)
- What is the title of your favorite song and who is the artist?
- What is the title of your favorite book and who is its author?
- What is the name of your favorite work of art, who is the artist, and where did you see it?
However, in these examples, cultural bias could make it more likely for users in the same population to have identical answers to these questions, even if they do not deliberately share the answers. This bias potentially increases the risk of an insider attack.
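The two entropy criteria above, and the skew that cultural bias introduces, can be measured before a question is rolled out. The following Python script is an added example, not part of the Citrix documentation or product: it takes constructed answer sets for two candidate questions (invented sample data, not real user answers), normalizes them, and reports the number of unique answers, Shannon entropy, min-entropy (driven by the single most common answer, which is what an insider guessing the popular answer exploits) and how many guesses, most popular first, cover half the population. The normalization rule (trim, lowercase, collapse spaces) and the independence assumption behind summing bits across questions are assumptions of this example, not statements about how Single Sign-on compares answers.

```python
import math
from collections import Counter

# Constructed sample data (not real users): how 20 users might answer two
# candidate security questions. The first is the kind of question the text
# says to avoid; the second is one of the suggested higher-entropy questions.
FAVORITE_COLOR_ANSWERS = [
    "blue", "blue", "blue", "blue", "blue", "blue", "blue", "blue",
    "green", "green", "green", "green", "red", "red", "red",
    "purple", "purple", "black", "orange", "yellow",
]
DREAM_VACATION_ANSWERS = [
    "kyoto, japan", "paris, france", "reykjavik, iceland", "cusco, peru",
    "cape town, south africa", "queenstown, new zealand", "rome, italy",
    "paris, france", "banff, canada", "lisbon, portugal", "hanoi, vietnam",
    "santorini, greece", "marrakech, morocco", "ushuaia, argentina",
    "tromso, norway", "bali, indonesia", "edinburgh, scotland",
    "havana, cuba", "kyoto, japan", "zanzibar, tanzania",
]


def normalize(answer):
    """Assumed comparison rule: trim, lowercase, collapse internal whitespace."""
    return " ".join(answer.strip().lower().split())


def answer_distribution(answers):
    """Map each normalized answer to the fraction of users who gave it."""
    counts = Counter(normalize(a) for a in answers)
    total = sum(counts.values())
    return {a: c / total for a, c in counts.items()}


def shannon_entropy_bits(dist):
    """Average unpredictability of an answer, in bits."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def min_entropy_bits(dist):
    """Worst-case unpredictability: governed by the most common answer."""
    return -math.log2(max(dist.values()))


def guesses_to_reach(dist, coverage):
    """Guesses needed, most popular answer first, to cover `coverage` of users."""
    covered = 0.0
    for i, p in enumerate(sorted(dist.values(), reverse=True), start=1):
        covered += p
        if covered >= coverage - 1e-12:
            return i
    return len(dist)


def evaluate_question(answers, coverage=0.5):
    """Summarize how hard a question's answers are to guess for this population."""
    dist = answer_distribution(answers)
    return {
        "unique_answers": len(dist),
        "shannon_bits": shannon_entropy_bits(dist),
        "min_entropy_bits": min_entropy_bits(dist),
        "guesses_for_half": guesses_to_reach(dist, coverage),
    }


def combined_min_entropy_bits(evaluations):
    """Bits an attacker must overcome when every question must be answered.

    Assumes answers to different questions are independent; correlated
    questions (favorite song and favorite artist, say) yield fewer real bits.
    """
    return sum(e["min_entropy_bits"] for e in evaluations)


if __name__ == "__main__":
    color = evaluate_question(FAVORITE_COLOR_ANSWERS)
    vacation = evaluate_question(DREAM_VACATION_ANSWERS)
    for name, result in (("favorite color", color), ("dream vacation", vacation)):
        print(f"{name}: {result}")
    print("combined min-entropy bits:", combined_min_entropy_bits([color, vacation]))
```

In the constructed data, "favorite color" has only 7 distinct answers and two guesses ("blue", then "green") cover 60% of users, whereas the vacation question needs 8 guesses to cover half. The min-entropy figure is the one to watch for the insider case the text describes: a population that clusters on one answer lowers it sharply even when the total number of distinct answers looks healthy.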
Avoid creating questions that:
- Return simple answers, such as “What is your favorite color?”
- Request information that is likely to be known or to change, such as “What is your address?”