Usage of the IdmSecurityQuestionVerifyState

This plug-in uses security questions to verify a user's identity.

It can be used as an additional security mechanism for users with a security question credential. The IdmSecurityQuestionVerifyState checks whether the user knows the answers to his security questions (defined previously, see chapter 8.29 "IdmSecurityQuestionManagementState"). The questions are randomly selected and presented one by one. If the user does not answer them correctly, the credential may get locked.

For example, the user has defined five security questions and the IdmSecurityQuestionVerifyState requires him to answer two of them correctly. The AuthState will randomly show the user a question for which the user can provide an answer. As soon as the user submits the answer, it gets verified and the counter will be adjusted. The transition "prospect" will also be set since the user still has the opportunity to answer enough questions correctly in fail cases. The user then gets a new question. If he answered both questions correctly, the next transition will be "ok"; if not, he has three more chances to answer two of the questions correctly. If he does not manage to do so, the transition "failed" will be set.