KBA Decision node
The KBA Decision node checks whether the user account has the required minimum number of knowledge-based authentication (KBA) security questions.
Use this node as part of a progressive profile journey to ensure an end user has defined answers to the minimum number of questions required by the system.
Example
In this simple login journey, the end user must answer a set number of security questions before they can authenticate.
- The Page node containing the Platform Username node and Platform Password node prompts for credentials.
- The Data Store Decision node validates the username-password credentials.
- The KBA Decision node verifies that the user profile includes enough security questions.
- If the profile includes sufficient questions, the KBA Verification node prompts the user for answers to those questions, and authenticates them if they answer correctly.
- If the profile doesn’t include sufficient questions, the KBA Definition node prompts the user for additional questions and answers.
- The Patch Object node updates the user profile with the additional questions. The KBA Verification node prompts the user for answers to the questions, and authenticates them if they answer correctly.
Availability
| Product | Available? |
|---|---|
| PingOne Advanced Identity Cloud | Yes |
| PingAM (self-managed) | Yes (1) |
| Ping Identity Platform (self-managed) | Yes |

(1) This functionality requires that you configure AM as part of a Ping Identity Platform deployment.
Inputs
This node reads the userName from the shared state, if available. The value is used as the identity attribute to locate the user in the identity store. The key name is configurable via the Identity Attribute configuration property.
Dependencies
This node assumes you have configured a required minimum number of security questions.
To set the number of security questions, go to Security > Security Questions > Settings in the Advanced Identity Cloud admin UI.
Outcomes
- True: The user profile has at least the minimum number of KBA questions.
- False: The user profile doesn’t have the minimum number of KBA questions.
Errors
The node can log the following errors:
- Failed to retrieve configuration values: thrown when the KBA configuration is unavailable or invalid (minimum answers to define is negative, or KBA property name is null).
- Unable to read object: thrown when the identity store returns no object for the provided user identity.
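The inputs, outcomes, and errors described above can be modelled in a few lines of JavaScript. This is an added example, not Ping Identity code: the config keys, the Map standing in for the identity store, the `kbaInfo` property name, and the sample users are all assumptions. It also includes a helper that lists which users would take the False branch before you enable the journey.

```javascript
// Added model of the node's documented behaviour; not Ping Identity code.
// Hypothetical names: the config keys, the Map-based store, "kbaInfo" as the
// KBA property name, and every sample user (constructed data).
function kbaDecision(sharedState, config, store) {
  // Documented error: configuration unavailable, negative minimum, or null property name.
  if (config == null || config.kbaPropertyName == null ||
      config.minimumAnswersToDefine < 0) {
    throw new Error('Failed to retrieve configuration values');
  }
  // The shared-state key is configurable (Identity Attribute); here it is userName.
  const identity = sharedState[config.identityAttribute];
  const profile = store.get(identity);
  // Documented error: the identity store returns no object for this identity.
  // Assumption: a missing shared-state value is modelled as a failed lookup.
  if (profile === undefined) {
    throw new Error('Unable to read object');
  }
  // A profile with no KBA property at all counts as zero defined questions.
  const defined = Array.isArray(profile[config.kbaPropertyName])
    ? profile[config.kbaPropertyName].length : 0;
  return defined >= config.minimumAnswersToDefine ? 'True' : 'False';
}

// Pre-rollout check: which users would be routed to the KBA Definition node?
function usersBelowMinimum(store, config) {
  return [...store.keys()].filter(
    (name) => kbaDecision({ [config.identityAttribute]: name }, config, store) === 'False');
}

const sampleConfig = { identityAttribute: 'userName', kbaPropertyName: 'kbaInfo',
                       minimumAnswersToDefine: 2 };
// Constructed sample profiles: two, one, and zero defined questions.
const sampleStore = new Map([
  ['alice', { userName: 'alice', kbaInfo: [{ questionId: '1' }, { questionId: '2' }] }],
  ['bob', { userName: 'bob', kbaInfo: [{ questionId: '1' }] }],
  ['carol', { userName: 'carol' }],
]);

console.log(usersBelowMinimum(sampleStore, sampleConfig)); // [ 'bob', 'carol' ]
```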