I have a current project that requires that when a user goes to retrieve a password through the "Forgot Password" feature, they must be challenged with a Question and an Answer they supply.
In theory, DNN supports this sort of setup, which you enable via the Web.config key "requiresQuestionAndAnswer".
Let me outline why you shouldn't use this feature right now.
1. If you are an admin, you cannot create a new user, because the Admin user creation process throws an error about the missing passwordQuestion.
2. If you are an admin, you cannot change a user's password, because of the lack of a passwordQuestion.
3. I can't quite remember, but I think that you cannot register a user through the registration process because of the Question and Answer feature. I know I am using the DataSpring User registration module for some reason, but it has been a while and I don't have my notes in front of me.
The good news is that DNN reports that the Question/Answer password challenge feature WILL work in DNN 5.0. Let's hope so, because right now it is really broken.