Security Questions Authentication
Security Questions can be used as a second factor in multi-factor authentication (MFA). Consumers verify their identity by answering security questions configured during registration or login setup.
Flow Diagram:
MFA Security Question feature configuration
- LoginRadius Console configuration for Security Question Authentication is guided in the following document.
- You can configure new security questions by navigating to Console → Security → Security Questions. There you can also modify or update previously added questions and set a failed-attempt limit.
API implementation
To implement MFA using security questions, combine frontend and backend API calls as per your application’s flow.
Note: If an API call requires an API Secret, it should be called from the back end. Otherwise, the API call can also be used on the front end.
- First Factor Authentication
- Prompt for Security Question Verification
- Optional MFA Setup
- Setup for First-Time Users
- Resetting Security Questions
Set up the initial login using one of the following MFA-enabled APIs:
- MFA Email Login API: To have a Standard Login flow requiring email and password.
- MFA UserName Login API: Use UserName and Password instead of Email and Password.
- MFA Phone Login: If your API has been configured for Phone-based Authentication, use this API to authenticate the user via phone.
After successful authentication, the response includes details for MFA, including Security Question status and available questions:
```json
{
  "SecondFactorAuthentication": {
    "SecondFactorAuthenticationToken": "b1fbbba5-2a5e-41a2-96da-c216df36e6f4",
    "ExpireIn": "2021-04-06T08:36:53.3005592Z",
    "QRCode": "http://chart.googleapis.com/chart?cht=qr&chs=150x150&chl=otpauth%3A%2F%2Ftotp%2Fanil1%40mail7.io%3Fsecret%3DHBRWENLDHEZGIMBYHFTDINJSMVRDANDBHE4WINJTMYZTCYZSGFRA%26issuer%3Ddev-aniltest",
    "ManualEntryCode": "HBRWENLDHEZGIMBYHFTDINJSMVRDANDBHE4WINJTMYZTCYZSGFRA",
    "IsGoogleAuthenticatorVerified": false,
    "IsEmailOtpAuthenticatorVerified": false,
    "IsOTPAuthenticatorVerified": false,
    "OTPPhoneNo": null,
    "OTPStatus": null,
    "Email": [
      "x**z@e****le.c*m"
    ],
    "EmailOTPStatus": {
      "Email": "x**z@e****e.c*m"
    },
    "IsSecurityQuestionAuthenticatorVerified": false,
    "SecurityQuestions": [
      {
        "QuestionId": "<QuestionId>",
        "Question": "<Question>"
      }
    ]
  },
  "Profile": null,
  "access_token": "00000000-0000-0000-0000-000000000000",
  "expires_in": "0001-01-01T00:00:00"
}
```
- When IsSecurityQuestionAuthenticatorVerified is false, verify the answer with the Verify MFA Security Question by MFA Token API. Inputs: MFA Token, Question ID, Answer, API Key.
- To set up security questions post-login (optional MFA), use the Verify MFA Security Question By Access Token API. Inputs: Access Token, New Question ID, Answer, ReplaceSecurityQuestionAnswer (true/false).
- If a user has never set up security questions, use the Update MFA Security Question by MFA Token API. Inputs: MFA Token, Question ID, Answer, API Key.
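The client-side decision after the first factor, as an added example that is not LoginRadius code: it reads the response flags shown above, rejects an expired MFA token, and builds the verify request so that only answers to questions the server actually asked are sent. The endpoint URL, the request body shape and the assumption that an empty SecurityQuestions list means the user never set questions up are mine; check them against the API reference.

```python
import json
from datetime import datetime, timezone

# Constructed sample, trimmed from the first-factor response shown above.
# The question id is a made-up placeholder.
SAMPLE_RESPONSE = json.loads("""{
  "SecondFactorAuthentication": {
    "SecondFactorAuthenticationToken": "b1fbbba5-2a5e-41a2-96da-c216df36e6f4",
    "ExpireIn": "2021-04-06T08:36:53.3005592Z",
    "IsSecurityQuestionAuthenticatorVerified": false,
    "SecurityQuestions": [{"QuestionId": "q-0001", "Question": "First school?"}]
  },
  "Profile": null, "access_token": "00000000-0000-0000-0000-000000000000"
}""")

# ASSUMED endpoint for the Verify MFA Security Question by MFA Token API.
VERIFY_URL = "https://api.loginradius.com/identity/v2/auth/login/2fa/verification/securityquestionanswer"

def parse_expiry(ts):
    """Parse the UTC timestamp in ExpireIn; it carries 7 fractional digits, which
    the standard library will not accept, so truncate to microseconds first."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro, tzinfo=timezone.utc)

def next_step(response, now):
    """Decide what the client does next, following the flags described above."""
    sfa = response.get("SecondFactorAuthentication")
    if not sfa:
        return "done"      # no second factor pending; access_token is usable
    if now >= parse_expiry(sfa["ExpireIn"]):
        return "restart"   # MFA token expired: repeat the first factor
    if not sfa.get("SecurityQuestions"):
        return "setup"     # assumption: empty list = never set up -> Update ... by MFA Token API
    if sfa["IsSecurityQuestionAuthenticatorVerified"] is False:
        return "verify"    # Verify MFA Security Question by MFA Token API
    return "done"

def build_verify_request(sfa, answers, api_key):
    """Build the verify call; answers is {QuestionId: answer}. Answers for
    questions the server did not ask are dropped rather than sent."""
    asked = {q["QuestionId"] for q in sfa["SecurityQuestions"]}
    payload = {qid: ans for qid, ans in answers.items() if qid in asked}
    if not payload:
        raise ValueError("no answer for any question the server asked")
    return {
        "method": "PUT", "url": VERIFY_URL,
        "params": {"apikey": api_key,
                   "secondfactorauthenticationtoken": sfa["SecondFactorAuthenticationToken"]},
        "json": {"securityquestionanswer": payload},   # assumed body shape
    }
```

Keep the answers out of client logs and send the request only over HTTPS; the API Secret is never needed here, which is why this call can run in the front end.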
Provide reset functionality for security question settings:
- DELETE Reset MFA Security Question Authenticator Settings API. Inputs: Access Token, API Key.
- DELETE Reset MFA Security Question Authenticator Settings by UID API (server-side). Inputs: UID, API Key, API Secret.