2088135 - Knowledge-Based Authentication - Platform

SAP Knowledge Base Article - Public

Symptom

Environment

  • BizX Platform

Resolution

Need a more secure way for employees to reset their SuccessFactors password?

  • Introducing Knowledge-Based Authentication (KBA) for passwords, which is official security-speak for presenting challenge questions to employees that they must answer correctly before they can reset their passwords. This method is more secure because vulnerable text passwords are no longer sent through email. Instead, employees are sent a link to a page in SuccessFactors that shows a series of security questions. Employees can access the rest of SuccessFactors to reset their passwords only if they answer the questions correctly.
     
     
  • To set up Knowledge-Based Authentication for your company, you can pick security questions from a question library or create your own unique questions. To make this feature a part of your password policy, go to Admin Tools > System Properties > Password Policy Settings, and select the "Allow users to reset forgotten passwords by themselves" checkbox. Then select one of the "Reset passwords using security questions" options. Click the "Manage security questions..." link to set up your security questions.

 

  • Reset passwords using security questions accessed through email link
    Provide security question and answer combinations that help the system verify user identities.
    This option lets users receive an email with a link to reset their password after answering the security questions correctly.
    • If you select this option, you are then presented with the "Manage security questions..." link, which you must click to open the question wizard to set up security questions.
    • From here you then select the security questions you want to make available to users to reset their password.
    • You can choose from the list or create your own.
    • Set the value for Employee must answer (number of ) security questions before they can reset their password.
       
       
       
  • Reset passwords using security questions accessed through the system
    Provide security question and answer combinations that help the system verify user identities.
    This option redirects users to the security question page to reset their password after answering the security questions correctly.
    • If you select this option, you are then presented with the "Manage security questions..." link, which you must click to open the question wizard to set up security questions.
    • From here you then select the security questions you want to make available to users to reset their password.
    • You can choose from the list or create your own.
    • Set the value for Employee must answer (number of ) security questions before they can reset their password.

    Note: When you use either of these options, you can no longer use the other option, "Allow users to retrieve password through email", as the 3 options are mutually exclusive.
 

Why do I see an error message: Please contact your administrator to reset your password?

  • When using the KBA (Knowledge-Based Authentication) related options, the administrator must have completed the KBA-related steps described above. You must click the "Manage security questions..." link and set up your security questions. Set the minimum number of questions and enable or disable the questions.
    In addition, each user needs to first log in and provide answers to each required KBA question. Only after this has been completed will they be able to use KBA to reset their password. If this is not completed by both the administrator and each user, there will be no valid KBA questions and answers, which results in the error "Please contact your administrator to reset your password." when a user attempts to retrieve or reset their password.

Keywords

KBA, LOD-SF-PLT, Foundational Capabilities & Tools, Problem

Product

SAP SuccessFactors HCM Core all versions