Security Questions Authentication
Security Questions can be used as a second factor in multi-factor authentication (MFA). Consumers verify their identity by answering security questions configured during registration or login setup.
Flow Diagram:
MFA Security Question feature configuration
- LoginRadius Console configuration for Security Question Authentication is described in the following document.
- You can configure new security questions by navigating to Console → Security → Security Questions. There you can also modify or update previously added questions and set a failed-attempt limit.
API implementation
To implement MFA using security questions, combine frontend and backend API calls as per your application’s flow.
Note: If an API call requires an API Secret, it should be called from the back end. Otherwise, the API call can also be used on the front end.
The implementation has five parts: First Factor Authentication, Prompt for Security Question Verification, Optional MFA Setup, Setup for First-Time Users, and Resetting Security Questions.
First Factor Authentication
Set up the initial login using one of the following MFA-enabled APIs:
- MFA Email Login API: standard login flow requiring email and password.
- MFA UserName Login API: use UserName and Password instead of Email and Password.
- MFA Phone Login API: if your application has been configured for phone-based authentication, use this API to authenticate the user via phone.
After successful first-factor authentication, the response includes the MFA details, including the Security Question status and the available questions:
```json
{
  "SecondFactorAuthentication": {
    "SecondFactorAuthenticationToken": "b1fbbba5-2a5e-41a2-96da-c216df36e6f4",
    "ExpireIn": "2021-04-06T08:36:53.3005592Z",
    "QRCode": "http://chart.googleapis.com/chart?cht=qr&chs=150x150&chl=otpauth%3A%2F%2Ftotp%2Fanil1%40mail7.io%3Fsecret%3DHBRWENLDHEZGIMBYHFTDINJSMVRDANDBHE4WINJTMYZTCYZSGFRA%26issuer%3Ddev-aniltest",
    "ManualEntryCode": "HBRWENLDHEZGIMBYHFTDINJSMVRDANDBHE4WINJTMYZTCYZSGFRA",
    "IsGoogleAuthenticatorVerified": false,
    "IsEmailOtpAuthenticatorVerified": false,
    "IsOTPAuthenticatorVerified": false,
    "OTPPhoneNo": null,
    "OTPStatus": null,
    "Email": [
      "x**z@e****le.c*m"
    ],
    "EmailOTPStatus": {
      "Email": "x**z@e****e.c*m"
    },
    "IsSecurityQuestionAuthenticatorVerified": false,
    "SecurityQuestions": [
      {
        "QuestionId": "<QuestionId>",
        "Question": "<Question>"
      }
    ]
  },
  "Profile": null,
  "access_token": "00000000-0000-0000-0000-000000000000",
  "expires_in": "0001-01-01T00:00:00"
}
```
Prompt for Security Question Verification
- Use this when IsSecurityQuestionAuthenticatorVerified is false: call the Verify MFA Security Question by MFA Token API. Inputs: MFA Token, Question ID, Answer, API Key.
Optional MFA Setup
- To set up security questions after login (optional MFA), call the Verify MFA Security Question By Access Token API. Inputs: Access Token, New Question ID, Answer, ReplaceSecurityQuestionAnswer (true/false).
Setup for First-Time Users
- If a user has never set up security questions, call the Update MFA Security Question by MFA Token API. Inputs: MFA Token, Question ID, Answer, API Key.
Resetting Security Questions
Provide reset functionality for security question settings:
- Reset MFA Security Question Authenticator Settings API (DELETE). Inputs: Access Token, API Key.
- Reset MFA Security Question Authenticator Settings by UID API (DELETE, server-side). Inputs: UID, API Key, API Secret.
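The following is an added example, not code from LoginRadius or from this page, showing the client-side logic around the flow described above: read the first-factor response, decide whether the second factor is still pending, check the MFA token's ExpireIn, offer only the questions the server returned, build the verification call for the Verify MFA Security Question by MFA Token API, and redact the response before it is logged (the token is a bearer credential and QRCode/ManualEntryCode carry a TOTP seed). The sample response is constructed with placeholder values; the endpoint URL and the query/body parameter names are assumptions to be replaced with the documented ones.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample shaped like the first-factor response above; the QR code URL,
# manual entry code and question IDs are placeholders, not real values.
SAMPLE_RESPONSE = {
    "SecondFactorAuthentication": {
        "SecondFactorAuthenticationToken": "b1fbbba5-2a5e-41a2-96da-c216df36e6f4",
        "ExpireIn": "2021-04-06T08:36:53.3005592Z",
        "QRCode": "https://example.invalid/qr-placeholder",
        "ManualEntryCode": "PLACEHOLDER-TOTP-SEED",
        "IsGoogleAuthenticatorVerified": False,
        "IsEmailOtpAuthenticatorVerified": False,
        "IsOTPAuthenticatorVerified": False,
        "OTPPhoneNo": None,
        "OTPStatus": None,
        "Email": ["x**z@e****le.c*m"],
        "EmailOTPStatus": {"Email": "x**z@e****e.c*m"},
        "IsSecurityQuestionAuthenticatorVerified": False,
        "SecurityQuestions": [
            {"QuestionId": "q-city", "Question": "In what city were you born?"},
            {"QuestionId": "q-pet", "Question": "What was the name of your first pet?"},
        ],
    },
    "Profile": None,
    "access_token": "00000000-0000-0000-0000-000000000000",
    "expires_in": "0001-01-01T00:00:00",
}

# Hypothetical placeholder: substitute the documented endpoint of the
# Verify MFA Security Question by MFA Token API for your site.
VERIFY_BY_MFA_TOKEN_URL = "https://<loginradius-api-host>/<verify-security-question-by-mfa-token>"

# Never let these reach application logs: the MFA token authenticates the second
# step, and the QR/manual-entry values are the TOTP seed offered for authenticator setup.
SENSITIVE_FIELDS = ("SecondFactorAuthenticationToken", "QRCode", "ManualEntryCode")


def parse_expire_in(ts: str) -> datetime:
    """Parse the UTC ExpireIn timestamp (7 fractional digits, which strptime cannot take)."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", ts)
    if not m:
        raise ValueError(f"unexpected ExpireIn format: {ts!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micro = int((m.group(2) or "")[:6].ljust(6, "0"))  # truncate to microseconds
    return base.replace(microsecond=micro, tzinfo=timezone.utc)


def needs_second_factor(resp: dict) -> bool:
    """True when the first factor succeeded but no profile/access token was issued yet."""
    sfa = resp.get("SecondFactorAuthentication") or {}
    return bool(sfa.get("SecondFactorAuthenticationToken")) and not resp.get("Profile")


def mfa_token_valid(resp: dict, now: datetime) -> bool:
    """Refuse to prompt on an MFA token whose ExpireIn has already passed."""
    return now < parse_expire_in(resp["SecondFactorAuthentication"]["ExpireIn"])


def pending_security_questions(resp: dict) -> list:
    """Questions to prompt for; empty once the security-question factor is verified."""
    sfa = resp["SecondFactorAuthentication"]
    if sfa.get("IsSecurityQuestionAuthenticatorVerified"):
        return []
    return [(q["QuestionId"], q["Question"]) for q in sfa.get("SecurityQuestions", [])]


def build_verify_request(resp: dict, question_id: str, answer: str, api_key: str) -> dict:
    """Describe the Verify MFA Security Question by MFA Token call.

    Only the API key is needed (no API secret), so this call may be made from the
    front end. The query and body parameter names here are assumptions.
    """
    offered = {qid for qid, _ in pending_security_questions(resp)}
    if question_id not in offered:
        raise ValueError("question was not offered for this login; refusing to submit")
    if not answer.strip():
        raise ValueError("empty answer")
    token = resp["SecondFactorAuthentication"]["SecondFactorAuthenticationToken"]
    return {
        "method": "PUT",
        "url": VERIFY_BY_MFA_TOKEN_URL,
        "params": {"apikey": api_key, "secondfactorauthenticationtoken": token},
        "json": {"securityquestionanswer": {question_id: answer.strip()}},
    }


def must_run_server_side(inputs) -> bool:
    """Per the note above: any call whose inputs include the API Secret belongs on the back end."""
    return any(name.strip().lower() == "api secret" for name in inputs)


def redact_for_log(resp: dict) -> dict:
    """Deep copy of the response with token and TOTP seed material masked."""
    out = json.loads(json.dumps(resp))
    sfa = out.get("SecondFactorAuthentication") or {}
    for field in SENSITIVE_FIELDS:
        if sfa.get(field):
            sfa[field] = "[REDACTED]"
    return out
```

The rejection of a QuestionId that the server did not offer keeps the client from submitting answers for questions outside this login's challenge, and the reset-by-UID call from the last section is exactly the kind of input list for which must_run_server_side returns True.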