Hi, I’m working on a project to migrate users from ForgeRock 6.5 to ForgeRock Identity Cloud. As part of the migration we will remove some old security questions.
In 6.5 it appears security questions and responses are stored as clear text against the user data; in FIDC the security question id and the encrypted response are stored.
- How does FIDC handle security question verification when the security questions/ids no longer match what is configured in FIDC?
- How can FIDC be configured to still handle old security questions but not make them available to new users?
Unfortunately, a question is referenced by its ID - the actual question text is not stored in the user profile. Therefore, I would say that using an unknown ID will not help: the question text will be unknown and therefore cannot be displayed to the user, so how this behaves in this case does not matter - the question can't be found anyway.
So you would migrate the questions making sure that the IDs correspond (or perhaps translate the ID from 6.5 to FIDC); you can also control the question ID by exporting the KBA configuration, editing it, and importing it via REST, or using a tool like
As for allowing old questions for some users while disabling for new users, I do not see how this can be done OOTB. You’ll have to provide your own customisations - in IDM (custom attribute) and in the Reset password journey (scripted decision node), unfortunately.
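The answer above boils down to a translation step: each 6.5 record carries the question text, each FIDC record carries only a question ID, so the migration has to map text to ID and decide what to do with questions that are being retired or that have no FIDC counterpart. The following is an added example of that mapping, not ForgeRock code and not part of the original thread. The record shapes (`{"question", "answer"}` for 6.5, `{"questionId", "answer"}` for FIDC), the `FIDC_QUESTIONS` table and the `RETIRED_QUESTIONS` set are constructed assumptions; the real IDs would come from the exported KBA configuration. Answers are passed through unchanged so that the target system applies its own encryption on import.

```python
"""Map ForgeRock 6.5 KBA records (question text + answer) onto FIDC-style
records (question id + answer), dropping retired questions and flagging
users who would end up with fewer usable questions than required.
Added example; record shapes and tables below are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


def normalize(text: str) -> str:
    """Fold case, strip punctuation and collapse whitespace so that minor
    wording drift between 6.5 and FIDC question text still matches."""
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split())


# Constructed sample of the FIDC KBA configuration (question id -> text).
FIDC_QUESTIONS: Dict[str, str] = {
    "1": "What is your mother's maiden name?",
    "2": "What was the name of your first pet?",
}

# Constructed set of 6.5 questions that are being retired in the migration.
RETIRED_QUESTIONS: Set[str] = {"What is your favourite colour?"}


@dataclass
class KbaMigration:
    migrated: List[dict] = field(default_factory=list)  # {"questionId", "answer"}
    dropped: List[str] = field(default_factory=list)    # retired on purpose
    unknown: List[str] = field(default_factory=list)    # no FIDC id found
    below_minimum: bool = False                         # user needs re-enrolment


def translate_kba(user_kba: Iterable[dict],
                  fidc_questions: Dict[str, str] = FIDC_QUESTIONS,
                  retired: Set[str] = RETIRED_QUESTIONS,
                  minimum: int = 1) -> KbaMigration:
    """Translate 6.5 records {"question": text, "answer": text} into
    FIDC-style records {"questionId": id, "answer": text}.

    Questions are matched on normalized text. Retired questions are dropped
    and reported; questions with no FIDC id are reported as unknown so they
    can be added to the FIDC configuration or handled by a custom journey.
    The answer is left as-is; encryption is the target system's job."""
    text_to_id = {normalize(t): qid for qid, t in fidc_questions.items()}
    retired_norm = {normalize(t) for t in retired}
    result = KbaMigration()
    for record in user_kba:
        key = normalize(record["question"])
        if key in retired_norm:
            result.dropped.append(record["question"])
        elif key in text_to_id:
            result.migrated.append(
                {"questionId": text_to_id[key], "answer": record["answer"]})
        else:
            result.unknown.append(record["question"])
    # Fewer usable questions than the FIDC policy requires means this user
    # cannot complete the reset journey without re-enrolling.
    result.below_minimum = len(result.migrated) < minimum
    return result


if __name__ == "__main__":
    # Constructed 6.5 user record: one mappable, one retired, one unknown.
    sample = [
        {"question": "What is your mother's maiden name?", "answer": "smith"},
        {"question": "What is your favourite colour?", "answer": "blue"},
        {"question": "What is your favorite film?", "answer": "casablanca"},
    ]
    r = translate_kba(sample, minimum=2)
    print("migrated:", r.migrated)
    print("dropped:", r.dropped)
    print("unknown:", r.unknown)
    print("needs re-enrolment:", r.below_minimum)
```

Running the script over a full user export gives three lists per user: what can be imported directly, what was removed deliberately, and what has no ID and therefore needs either a configuration change or the custom-attribute/scripted-node handling described above. The `below_minimum` flag is the list of users who must re-enrol before the reset journey will work for them.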