Product Documentation

Managing Your Questions

Mar 25, 2011
The Question-Based Authentication node in the Single Sign-on component of the Citrix AppCenter provides you with a central location for managing all security questions associated with identity verification, self-service password reset, and account unlock. You can add your own security questions to the list of default questions and create question groups and target them to specific users.
  • If you edit the existing default questions after users register their answers, consider the meaning of the edited questions. Editing a question does not force a user reenrollment; but if you change the meaning of a question, users who answered that question originally might not be able to provide the correct answer.
  • Adding, deleting, and replacing security questions after users are enrolled means that all users who were previously enrolled using an older set of questions cannot authenticate and reset their password until they reenroll. Users must answer the new set of questions when they open the plug-in software.
  • Individual security questions can belong to multiple security question groups. When you create your security question groups, all questions you create are available for use with any security question group.

Use these steps to access the settings referenced in the following procedures:

  1. Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter.
  2. Expand the Single Sign-on node, expand Identity Verification, and select the Question-Based Authentication node.
  3. From the Action menu, click Manage Questions.

To create new security questions

You can create many different questions and designate a language for each question. You can also provide multiple translations of a single question. The plug-in software presents the user with the questionnaire in the language that corresponds to the language settings of the user's profile. If the language is not available, Single Sign-on displays the questions in the default language.

Note: When you specify a language for a security question, the question appears to users whose operating system settings are configured for that designated language. If the operating system language does not match any language for which questions are available, users see the questions in the default language you selected.
  1. Select Security Questions.
  2. From the Language drop-down list, select a language and click Add Question. The Security Question dialog box appears.
  3. Create the new question in the Security Question dialog box.
Important: You must use the Edit command to include the translated text of existing questions. If you select Add Question, you are creating a new question that is not associated with the original.

To set a default language

In most instances, users see security questions displayed in the language associated with their current user profile. If the language is not available, Single Sign-on displays the questions in the default language that you specify.

  1. Select Question-Based Authentication.
  2. From the Default Language drop-down list, select the default language.
Note: The Perform backward compatibility option in this dialog box ensures that Password Manager 4.0 and Password Manager 4.1 plug-in software can continue to display identity verification questions.

To add or edit text for existing questions

Adding, deleting, and replacing security questions after users are enrolled means that all users who were previously enrolled using an older set of questions cannot authenticate and reset their password until they reenroll. Users must answer the new set of questions when they open the plug-in software. Editing a question does not force a user reenrollment; but if you change the meaning of a question, users who answered that question originally may not be able to provide the correct answer.
Important: If you are editing an existing question, be careful not to change the meaning of a question. This might cause a mismatch in user answers during reauthentication. That is, a user might provide a different answer that might not match the stored answer.
  1. Select Security Questions.
  2. Select a language from the Language drop-down list.
  3. Select the question and click Edit. The Security Question dialog box appears.
  4. Edit the question in the Security Question dialog box.

To create a security question group

You can create a number of security questions that your users answer to confirm their identities. Each question you add to the questionnaire must be answered by your users. However, you can also group these questions together in a security question group.

For example, putting your questions in a group enables you to add a group of six questions to your questionnaire, and allows your users to choose from that group of questions, answering, for example, three of the six. This gives your users flexibility in selecting questions and providing answers to be used for identity verification.

  1. Select Security Questions.
  2. Click Add Group.
  3. In the Security Question Group dialog box, name the group, select the questions, and set the number of questions the user must answer.
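The following Python model shows how a question group of the kind described above behaves at enrollment and at identity verification. It is an added illustration, not Citrix code, and it does not claim to reproduce how Single Sign-on stores answers: the salted PBKDF2 hashing, the `normalize` helper and the dataclass names are assumptions chosen so that answers are never stored in clear text. The group requires a fixed number of answers at enrollment, and verification requires every answer the user originally registered, which is what the procedures on this page state.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityQuestion:
    text: str
    case_sensitive: bool = False   # per-question setting, as in the console
    min_answer_length: int = 1


@dataclass(frozen=True)
class QuestionGroup:
    name: str
    questions: tuple               # SecurityQuestion instances available in the group
    required: int                  # number of questions the user must answer


def normalize(question, answer):
    """Apply the question's case-sensitivity setting before hashing or comparing."""
    answer = answer.strip()
    return answer if question.case_sensitive else answer.casefold()


def _digest(salt, value):
    # Assumption for this illustration: salted PBKDF2-HMAC-SHA256 of the normalized answer.
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, 100_000)


def enroll(group, answers):
    """answers maps question text -> answer. Returns stored records (salt, digest) per question."""
    if len(answers) < group.required:
        raise ValueError(f"group {group.name!r} requires {group.required} answers")
    by_text = {q.text: q for q in group.questions}
    records = {}
    for text, answer in answers.items():
        question = by_text.get(text)
        if question is None:
            raise ValueError(f"{text!r} is not part of group {group.name!r}")
        norm = normalize(question, answer)
        if len(norm) < question.min_answer_length:
            raise ValueError(f"answer to {text!r} is shorter than the minimum length")
        salt = os.urandom(16)
        records[text] = (salt, _digest(salt, norm))
    return records


def verify(group, records, answers):
    """True only when every question the user enrolled with is answered correctly."""
    by_text = {q.text: q for q in group.questions}
    for text, (salt, digest) in records.items():
        answer = answers.get(text)
        if answer is None:
            return False                       # an enrolled question was left unanswered
        candidate = _digest(salt, normalize(by_text[text], answer))
        if not hmac.compare_digest(digest, candidate):
            return False
    return True


# Constructed sample data: a six-question group of which the user answers three.
SAMPLE_GROUP = QuestionGroup(
    name="Personal history",
    questions=tuple(SecurityQuestion(t) for t in (
        "What was the name of your first school?",
        "What is the name of your first pet?",
        "In what city were you born?",
        "What was your childhood nickname?",
        "What is your favourite book?",
        "What was the make of your first car?",
    )),
    required=3,
)

SAMPLE_ANSWERS = {
    "What was the name of your first school?": "Hillcrest",
    "What is the name of your first pet?": "Rex",
    "In what city were you born?": "Leeds",
}


def demo():
    records = enroll(SAMPLE_GROUP, SAMPLE_ANSWERS)
    # Case differs from enrollment; accepted because case sensitivity is disabled.
    relaxed = {k: v.upper() for k, v in SAMPLE_ANSWERS.items()}
    wrong = dict(SAMPLE_ANSWERS, **{"In what city were you born?": "York"})
    return verify(SAMPLE_GROUP, records, relaxed), verify(SAMPLE_GROUP, records, wrong)
```

`demo()` returns `(True, False)`: the case-changed answers pass, while a single wrong answer out of the three registered ones fails, because the user must reproduce all of the answers they enrolled with.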

To edit a security question group

  1. Select Security Questions.
  2. Select the security group you want to edit and click Edit. The Security Question Group dialog box appears, with a list of security questions available to be part of the group. The questions currently in the group are indicated by a check mark. Here you can edit the name of the group, add questions to the group, and select the number of questions from this group a user must answer.

To select one or more questions for key recovery

You must select one or two of the questions your users answer to encrypt the data for key recovery. Your users need to provide answers for all of the questions they originally answered when enrolling, but the questions you select are used to provide data to include as part of the encryption and key recovery process.

  1. Select Key Recovery.
  2. Select the check box next to each question or question group to use for key recovery during identity verification.
  3. Click OK to save your question and settings. A message might appear asking if you want to force users to reenroll answers. Click Yes to force reenrollment.

To enable security answer masking

Security answer masking is available with Password Manager Versions 4.6 and 4.6 with Service Pack 1 and Single Sign-on 4.8 and 5.0.

Security answer masking provides an added level of security for your users when they register their security question answers or provide their answers during identity verification. When this feature is enabled, the answers of users running Password Manager 4.6, Password Manager 4.6 with Service Pack 1, Single Sign-on 4.8 or Single Sign-on 5.0 are hidden. During the answer registration process, these users will be asked to type their answers twice to avoid typing and spelling errors. Users will need to type their answers only once during identity validation because they are prompted to retry if there is an error.

Note: Security question answers registered with Password Manager 4.5 agent software can be masked when your software is upgraded to Single Sign-on Version 5.0. Security question answers for users with agent software for Password Manager 4.5, 4.1, or 4.0 remain visible regardless of the console setting.

  1. Select Security Answer Masking.
  2. Select Mask answers for security questions.

To make your questionnaire backward compatible

Backward compatibility mode enables the plug-in software to continue prompting users with identity verification questions you used for Password Manager Versions 4.0 and 4.1. Backward compatibility mode also allows you to continue using the default question, "What is your identity verification phrase?" If you are upgrading from Version 4.1, the identity verification questions and the questions you used for self-service password reset appear as a questionnaire in the Manage Questions dialog box.

Important: When creating and editing user configurations, do not enable backward compatibility if you have a new installation of Single Sign-on because that limits plug-in software functionality to Versions 4.0 and 4.1 of the product. Conversely, do not disable backward compatibility mode if agent software from Version 4.0 or 4.1 is running because that prevents users from performing key recovery and self-service password reset registrations.

If you are using automatic key management, do not enable backward compatibility. Automatic key recovery does not require users to answer identity verification questions.

For Versions 4.0 and 4.1 backward compatibility, the questionnaire must include at least one security question associated with the Account Self-Service password reset feature.

Each security question must include the following settings:
  • Case sensitivity disabled.
  • Minimum answer length set to one.
  • Questions cannot be enabled for key recovery.
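The rules above can be expressed as a small configuration check. The Python below is an added illustration, not the check that the Single Sign-on console itself runs: the `QuestionSettings` fields and the `check_backward_compatibility` function are assumed names that model only the conditions stated on this page (at least one question tied to the Account Self-Service password reset feature, case sensitivity disabled, minimum answer length of one, no key recovery, and no backward compatibility when automatic key management is in use). It returns the list of violations, so an empty list means the questionnaire satisfies those conditions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class QuestionSettings:
    text: str
    case_sensitive: bool
    min_answer_length: int
    key_recovery: bool      # question is selected for key recovery
    password_reset: bool    # question is associated with Account Self-Service password reset


def check_backward_compatibility(questions, automatic_key_management=False):
    """Return a list of rule violations; an empty list means the questionnaire passes."""
    errors = []
    if automatic_key_management:
        errors.append("automatic key management is in use; do not enable backward compatibility")
    if not any(q.password_reset for q in questions):
        errors.append("no question is associated with the Account Self-Service password reset feature")
    for q in questions:
        if q.case_sensitive:
            errors.append(f"{q.text!r}: case sensitivity must be disabled")
        if q.min_answer_length != 1:
            errors.append(f"{q.text!r}: minimum answer length must be 1, not {q.min_answer_length}")
        if q.key_recovery:
            errors.append(f"{q.text!r}: questions cannot be enabled for key recovery")
    return errors


# Constructed sample questionnaires for the two outcomes.
COMPATIBLE = [
    QuestionSettings("What is your identity verification phrase?", False, 1, False, True),
    QuestionSettings("In what city were you born?", False, 1, False, False),
]

INCOMPATIBLE = [
    QuestionSettings("What is your identity verification phrase?", True, 1, False, False),
    QuestionSettings("What is the name of your first pet?", False, 3, True, False),
]


def report(questions, automatic_key_management=False):
    """Human-readable summary suitable for an upgrade checklist."""
    errors = check_backward_compatibility(questions, automatic_key_management)
    if not errors:
        return "questionnaire is backward compatible with Versions 4.0 and 4.1"
    return "\n".join(["questionnaire is NOT backward compatible:"] + [f"  - {e}" for e in errors])


if __name__ == "__main__":
    print(report(COMPATIBLE))
    print(report(INCOMPATIBLE))
```

Running the block prints a pass for the first questionnaire and, for the second, four violations: a case-sensitive question, no password-reset question, a minimum length of 3, and a question enabled for key recovery.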

To check for backward compatibility

You can check for backward compatibility if you are upgrading from a previous version of Single Sign-on/Password Manager:
  1. Select Question-Based Authentication.
  2. Select Perform backwards compatibility check and click OK.
Single Sign-on performs the backward compatibility check and displays any errors in a dialog box.