Cyber crimes are on the rise, and with that comes a need for stronger account security!
To help protect our customers and their members, SilkStart has implemented a knowledge-based-authentication step to signing in.
What is Knowledge Based Authentication
Knowledge-based-authentication ('KBA') is a simple process that works to verify a user's identity by asking them to answer secret questions prior to accessing secure sections of your website. The secret questions provide a second layer of security for users by asking for information that the user has unique knowledge of in addition to their username and password.
With SilkStart, users will select four questions they want to provide answers to. These answers will be saved to their profile and encrypted for maximum security. During sign-in, one of the four questions will be randomly presented to the user which they must then provide the correct answer to. Failure to provide the right answer will prevent the user from logging in.
How do new members setup their secret questions?
1. When users are signing up for a new membership plan they will be asked to fill out their secret questions as a part of the sign-up page in the enrollment flow, just below the fields used to enter a password. The secret questions will be marked as required and will need to be filled in for the user to proceed:
How do existing members setup their secret questions?
1. For members that existed prior to the release of KBA, once they sign-in after the feature release they will be automatically redirected to a page asking them to set their secret questions. This will also apply to administrators.
2. Once redirected to the secret questions page, they will be presented with a list of 4 question fields, and 4 answer fields. The question fields will allow the user to select from a drop down list to choose which questions they want to provide answers for. The answer field will be free-text and will all the user to input any answer they choose.
3. After they've selected their questions and entered their answers, they hit save changes. Once the answers have been entered, they will no longer be accessible to either the member or to administrators. If a member wants to edit their secret questions they will either require an administrator to reset their secret questions from the admin panel, or they will click on the Forgot your secret questions? hyperlink on the log in page.
- See the How do users reset their answers if they cannot remember their answers? section for details on how to reset members secret questions.
4. Once the above steps have been completed, members will then be prompted with a random security question every time they attempt to log in:
What happens if a secret question is answered incorrectly?
The user answering will have 4 attempts to enter their password/answer correctly, after the fourth failed attempt they will be locked out of the system for 30 minutes in association to the email being used to log in.
When the 30 minutes have passed, they can try again but the question will rotate at random.
How does a user reset their answers if they cannot remember their answers?
If the user cannot remember the answer to their secret question, they have two options:
1. Click on the Forgot your secret questions? hyperlink on the question screen:
This will then ask them two additional random secret questions and if answered correctly, will allow the user to log in, and redirect them to reset the answer to their secret questions. When this path is taken, all answers to all questions will need to be reset as per the steps outlined above.
2. Have an administrator reset the secret questions. Logged in administrators can navigate to the Admin panel < Manage < People < and then search for the user. Once the user has been found, click on the checkbox next to their name.
Once this is done, at the top of the page there will be a Reset Secret Questions button:
The administrator will be presented with a pop up screen:
By clicking on the 'Reset' button, the user's secret questions will be removed, and they will be able to login and then re-enter new secret questions and answers the same way outlined above.
If you have any other questions that were left answered about KBA in this FAQ, please contact us at firstname.lastname@example.org