How to mandate users to set up security questions