Product Documentation

Managing Question-Based Authentication

May 09, 2015

Question-based authentication allows you to provide secure authentication to users who change their primary password under specific circumstances, change their method of authentication, or have their accounts locked.

The use of security questions and question-based authentication can help protect against access by unauthorized users by requesting information known only to your individual users. The questions you create must request non-public information that would be difficult for anyone other than the authorized users to provide or find (for example, difficult for brute force guessing, dictionary based attacks, and so on).

Important: If you plan to use the password reset or domain account unlock self-service features available from the Single Sign-on Key Management Module, you must use the question-based authentication method to allow your users to confirm their identity when resetting their primary passwords or unlocking their domain accounts.

Confirming User Identity Using Question-Based Authentication

If you are implementing the password reset or domain account unlock self-service features available from the Single Sign-on Key Management Module, use question-based authentication for user identity verification. You can also choose question-based authentication as a form of secondary data protection if a user’s primary authentication changes.

Depending on the user configuration settings in the console, users might be required to verify their identities when the following events occur:
  • Users change their authentication types; for example, a user might switch between smart card and password authentication.
  • An administrator changes a user’s primary password
  • Users reset their primary password using Account Self-Service
  • Users unlock their domain account using Account Self-Service
  • Users change their primary password on a device that does not have the plug-in software installed and then log on to a device where the plug-in software is installed
Note: You can also create a user configuration that does not require subsequent verification when switching among authentication types; see If Users Switch among Multiple Primary Authentication Methods.

If configured, the Single Sign-on Plug-in software prompts users to answer the security questions during first-time use. When one of these events occurs that requires users to verify their identity, the plug-in software launches the questionnaire you created for them. A questionnaire is a preconfigured list of questions you create.

Each question in the questionnaire appears on a separate page. For example, if five questions are in your questionnaire, users will see five separate pages—one for each question. Users must answer every question correctly. Depending on administrator settings, answers must be an exact match, including case and punctuation, to the answers users gave when Single Sign-on was launched for the first time.

The correct combination of questions and answers confirms the user’s identity. After a user is confirmed, the plug-in software encrypts the keys again using the new primary password and stores the user’s secondary credentials.


  • If you choose not to configure answers to security questions as required for your users, users are prompted for their previous primary password when they change their primary password and attempt to log on with their new password. You can allow users to choose the identity verification method they prefer to use when authenticating. This option is available as part of the Secondary Data Protection property in the user configuration.
  • To prevent user lockout, do not combine the Account Self-Service password reset feature with the Prompt user to enter the previous password option. Users who reset their password are unlikely to recall their previous primary password and cannot retrieve their secondary credentials.
  • Multiple questions provide the best data protection.
  • By default, Question-Based Authentication is populated with four security questions. While you can use these four questions exclusively, consider adding your own security questions and question groups.
Important: Depending on administrator settings, alphabet case usage, punctuation, and spaces are included in the user’s answer and must match exactly when the user is asked to answer the selected security questions at a later date.

Question-Based Authentication Workflow

Create and make available your security questions before deploying the plug-in software. After a user selects a question, that question must always be available. If you change or remove a question that is in use, those users cannot use the security questions to recover their secondary credentials until and unless you force them to re-enroll.

  1. Create your security questions, defining the minimum length and case sensitivity. These questions can be made available in the languages Single Sign-on supports.
  2. Optionally, group these questions in security question groups. You can create a number of questions for your users to choose from, giving them flexibility to choose a question to which they are more likely to recall an answer. This allows you to define the number of questions from each group that users are required to answer.
  3. Add your questions, or questions and question groups, to your questionnaire.
  4. Select one or two questions to be used for key recovery. These questions are used to encrypt the data for key recovery; your users will still be required to provide answers for questions they answered at enrollment.
  5. Optionally, enable security questions answer masking. This feature provides you the option to mask user answers to question-based authentication security questions. If enabled, users’ answers are protected during answer registration and identity verification.

    Security question answer masking is available on console and plug-in software running Password Manager 4.6 and 4.6 with Service Pack 1 and Single Sign-on 4.8 and 5.0.

Designing Security Questions: Security Versus Usability

Single Sign-on provides four default questions that you can use to manage user registration. These questions are available in all supported languages (English, French, German, Japanese, Simplified Chinese, and Spanish). Citrix recommends you create your own security questions and make them available in each of the languages your environment must support.

Someone trying to gain access to a user password needs to know the answers to all the questions the user originally answered. Consider that requiring users to answer too many questions might make it too difficult for your users to confirm their identity.

Security questions should request non-public information that would be difficult for anyone other than the valid user to provide (for example, difficult for brute force guessing or dictionary-based attacks). The key factor in determining the security of questions is the degree of difficulty involved when someone attempts to guess the answer.

A good questions is one that has high entropy; that is, a question for which:

  • The number of unique answers possible is very high
  • The probability of guessing any one specific answer is very low

For usability purposes, the question should be easy for a user to remember but difficult for an adversary to determine. For example:

  • What is the name of your favorite college professor or high school teacher?
  • Where would you go for your ultimate dream vacation? (city, country)
  • What is the title of your favorite song and who is the artist?
  • What is the title of your favorite book and who is its author?
  • What is the name of your favorite work of art, who is the artist, and where did you see it?

However, in these examples, cultural bias could make it more likely for users in the same population to have identical answers to these questions, even if they do not deliberately share the answers. This bias potentially increases the risk of an insider attack.

Avoid creating questions that:

  • Return simple answers, such as “What is your favorite color?”
  • Request information likely to be known, or change, such as “What is your address?”

Allowing Users to Change Answers to Their Security Questions

Single Sign-on allows your users to change answers to their security questions at any time without intervention of an administrator.

If your environment includes security questions or account self-service features, users who register security questions and answers can use the plug-in software to provide new answers to their available security questions.

After users successfully provide their answers and receive confirmation that the new answers are saved to the central store, their old answers are no longer valid.

Users change their answers to their security questions by accessing the Security Questions Registration wizard.

You provide users access to Security Questions Registration wizard as a published application:
  1. Install the Single Sign-on Plug-in on a XenApp server.
  2. Locate the QBAEnroll.exe file on the XenApp sever.
  3. Publish the QBAEnroll.exe file and make it available to users.
  4. Inform users how to access and use the Security Questions Registration wizard.
Note: Users running Single Sign-on Plug-in Version 4.8 can access the Security Question Registration wizard by selecting Tools > Security Questions Registration in the Logon Manager. These users do not require access to the Security Questions Registration wizard as a published application. Users running Single Sign-on Plug-in Version 4.6 Service Pack 1 or earlier cannot access the Security Questions Registration wizard as a published application.