diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/AuthenticationEvaluatorImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/AuthenticationEvaluatorImpl.java
index 1f0525de8de..f57b1f0dc5b 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/AuthenticationEvaluatorImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/AuthenticationEvaluatorImpl.java
@@ -94,7 +94,7 @@ public UsernamePasswordAuthenticationToken authenticate(ConnectionEnvironment co
 UserType userType = principal.getUser();
 CredentialsType credentials = userType.getCredentials();
- if (credentials == null) {
+ if (credentials == null || getCredential(credentials) == null) {
 recordAuthenticationFailure(principal, connEnv, "no credentials in user");
 throw new AuthenticationCredentialsNotFoundException("web.security.provider.invalid");
 }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityQuestionAuthneticationEvaluatorImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityQuestionAuthneticationEvaluatorImpl.java
index 757e29309c7..1f59bf2042d 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityQuestionAuthneticationEvaluatorImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityQuestionAuthneticationEvaluatorImpl.java
@@ -2,6 +2,7 @@
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang.StringUtils;
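Review bot: The widened condition on the `+` line folds two different states into one failure record: a user with no credentials container at all, and a user whose credentials exist but lack the credential type this evaluator checks (`getCredential(credentials) == null`); the recorded reason `"no credentials in user"` no longer tells them apart when someone triages lockouts from the audit log. Recording a more specific reason for the second case, e.g. `recordAuthenticationFailure(principal, connEnv, "no credential of the required type in user");` on its own branch, keeps the audit trail precise while the thrown exception and its message key can stay unchanged. If `getCredential(credentials)` is evaluated again later in `authenticate`, hoisting the result into a local avoids the repeated lookup; `getCredential` and the rest of `authenticate` are outside this hunk, so that part is inferred. The enclosing `authenticate` method begins before and ends after the hunk.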
@@ -31,6 +32,19 @@ protected void checkEnteredCredentials(ConnectionEnvironment connEnv,
 recordAuthenticationFailure(authCtx.getUsername(), connEnv, "empty password provided");
 throw new BadCredentialsException("web.security.provider.password.encoding");
 }
+
+ Map enteredQuestionAnswer = authCtx.getQuestionAnswerMap();
+ boolean allBlank = false;
+ for (String enteredAnswers : enteredQuestionAnswer.values()) {
+ if (StringUtils.isBlank(enteredAnswers)){
+ allBlank = true;
+ }
+ }
+
+ if (allBlank) {
+ recordAuthenticationFailure(authCtx.getUsername(), connEnv, "empty password provided");
+ throw new BadCredentialsException("web.security.provider.password.encoding");
+ }
 }
 @Override
diff --git a/model/model-impl/src/test/resources/common/security-policy.xml b/model/model-impl/src/test/resources/common/security-policy.xml
index 6a2b4a0fff2..62c2f07bf8d 100644
--- a/model/model-impl/src/test/resources/common/security-policy.xml
+++ b/model/model-impl/src/test/resources/common/security-policy.xml
@@ -36,6 +36,7 @@ 3 PT3M PT15M + 1 http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001 true
diff --git a/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java b/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java
index 97f55ff4cc9..8de2bd0487c 100644
--- a/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java
+++ b/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java
@@ -151,6 +151,7 @@ public abstract class TestAbstractRestService {
 public static final File VALUE_POLICY_GENERAL = new File(BASE_REPO_DIR, "value-policy-general.xml");
 public static final File VALUE_POLICY_NUMERIC = new File(BASE_REPO_DIR, "value-policy-numeric.xml");
+ public static final File SECURITY_POLICY = new File(BASE_REPO_DIR, "security-policy.xml");
 private static final Trace LOGGER = TraceManager.getTrace(TestAbstractRestService.class);
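Review bot: The flag named `allBlank` in the new block is set as soon as any single answer is blank, so its name contradicts the loop, and an answer map that is empty (or null, which would throw on `.values()`) never sets it and passes this check without any answer at all. Rejecting any blank answer is the safer reading of the intent, so the loop should stay, the flag be renamed, and the empty/null map be rejected up front; the local should also be declared `Map<String, String>` rather than raw `Map`, which currently makes the `String` loop variable an unchecked narrowing (assuming that is what `getQuestionAnswerMap()` returns). The recorded reason `"empty password provided"` is copied from the password branch above, so audit records cannot distinguish a blank password from a blank security-question answer; the message key is kept below because a new one would need a localization entry. The `java.util.Set` import added in the previous hunk is not used by anything visible in this one. `checkEnteredCredentials` begins outside the hunk.
```java
// … unchanged: empty-password check above …
Map<String, String> enteredQuestionAnswer = authCtx.getQuestionAnswerMap();
// no answers at all counts as blank input; the loop below cannot detect that
boolean anyBlank = enteredQuestionAnswer == null || enteredQuestionAnswer.isEmpty();
if (!anyBlank) {
    for (String enteredAnswer : enteredQuestionAnswer.values()) {
        if (StringUtils.isBlank(enteredAnswer)) {
            anyBlank = true;
            break;
        }
    }
}

if (anyBlank) {
    recordAuthenticationFailure(authCtx.getUsername(), connEnv, "empty security question answer provided");
    throw new BadCredentialsException("web.security.provider.password.encoding");
}
```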
@@ -181,6 +182,8 @@ public abstract class TestAbstractRestService {
 protected abstract File getRepoFile(String fileBaseName);
 protected abstract File getRequestFile(String fileBaseName);
+ public static final String QUESTION_ID = "http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001";
+
 ApplicationContext applicationContext = null;
 @BeforeClass
@@ -227,6 +230,7 @@ private void startServer() throws Exception {
 addObject(USER_SOMEBODY_FILE, result);
 addObject(VALUE_POLICY_GENERAL, result);
 addObject(VALUE_POLICY_NUMERIC, result);
+ addObject(SECURITY_POLICY, result);
 addObject(SYSTEM_CONFIGURATION_FILE, result);
 dummyAuditService = DummyAuditService.getInstance();
@@ -1159,13 +1163,17 @@ private WebClient prepareClient(String username, String password) {
 client.accept(getAcceptHeader());
 client.type(getContentType());
+ createAuthorizationHeader(client, username, password);
+ return client;
+
+ }
+
+ protected void createAuthorizationHeader(WebClient client, String username, String password){
 if (username != null) {
 String authorizationHeader = "Basic " + org.apache.cxf.common.util.Base64Utility.encode((username+":"+(password==null?"":password)).getBytes());
 client.header("Authorization", authorizationHeader);
 }
- return client;
-
 }
 private void assertStatus(Response response, int expStatus) {
diff --git a/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestRestServiceJson.java b/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestRestServiceJson.java
index 133af4b187a..19ad19bebf8 100644
--- a/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestRestServiceJson.java
+++ b/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestRestServiceJson.java
@@ -20,6 +20,8 @@
 import javax.ws.rs.core.MediaType;
+import org.apache.cxf.jaxrs.client.WebClient;
+
 import com.evolveum.midpoint.model.impl.rest.MidpointAbstractProvider;
 //@ContextConfiguration(locations = { "classpath:ctx-rest-test.xml" })
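Review bot: `createAuthorizationHeader` in the `@@ -1159` hunk becomes a protected extension point but still encodes `username:password` with `getBytes()` under the platform default charset, so the Basic token produced by the tests depends on the JVM's locale settings; `getBytes(StandardCharsets.UTF_8)` pins it (with `import java.nio.charset.StandardCharsets;` in the import block, which is outside this diff). As an overridable hook it should carry a Javadoc stating its contract: add whatever `Authorization` header the scheme under test requires, and do nothing when `username` is null. The `QUESTION_ID` constant added in the `@@ -181` hunk sits between the abstract method declarations and `applicationContext` instead of with the other `public static final` fields near the top of the class, and the new `TestRestServiceJsonSecQ` subclass repeats the same literal rather than referencing it. The `WebClient` import added to `TestRestServiceJson` in the last hunk is not used by any line of that file visible in this diff.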
@@ -52,5 +54,4 @@ protected MidpointAbstractProvider getProvider() {
 return jsonProvider;
 }
-
 }
diff --git a/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestRestServiceJsonSecQ.java b/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestRestServiceJsonSecQ.java
new file mode 100644
index 00000000000..58f00e35b5c
--- /dev/null
+++ b/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestRestServiceJsonSecQ.java
@@ -0,0 +1,30 @@
+package com.evolveum.midpoint.testing.rest;
+
+import org.apache.cxf.jaxrs.client.WebClient;
+
+public class TestRestServiceJsonSecQ extends TestRestServiceJson{
+
+
+ @Override
+ protected void createAuthorizationHeader(WebClient client, String username, String password) {
+
+ if (username == null) {
+ return;
+ }
+
+ String authzHeader = "{" +
+ "\"user\" : \""+ username +"\"," +
+ "\"answer\" : [" +
+ "{ " +
+ "\"qid\" : \"http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001\"," +
+ "\"qans\" : \"" + (password == null ? "" : password) + "\"" +
+ "}" +
+ "]" +
+ "}";
+
+ String authorizationHeader = "SecQ " +
+ org.apache.cxf.common.util.Base64Utility.encode((authzHeader).getBytes());
+ client.header("Authorization", authorizationHeader);
+
+ }
+}
diff --git a/testing/rest/src/test/resources/repo/json/user-darthadder.json b/testing/rest/src/test/resources/repo/json/user-darthadder.json
index f0aa30de9ec..3571b5e74c2 100644
--- a/testing/rest/src/test/resources/repo/json/user-darthadder.json
+++ b/testing/rest/src/test/resources/repo/json/user-darthadder.json
@@ -35,6 +35,15 @@
 "@ns" : "http://prism.evolveum.com/xml/ns/public/types-3",
 "clearValue" : "iamyouruncle"
 }
+ },
+ "securityQuestions" : {
+ "questionAnswer" : [{
+ "questionIdentifier" : "http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001",
+ "questionAnswer" : {
+ "@ns" : "http://prism.evolveum.com/xml/ns/public/types-3",
+ "clearValue": "iamyouruncle"
+ }
+ }]
 }
 }
 }
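Review bot: `createAuthorizationHeader` in the new `TestRestServiceJsonSecQ` assembles the SecQ payload by string concatenation and inserts `username` and `password` unescaped, so any test value containing a quote or backslash yields malformed JSON and the server rejects the request for the wrong reason; escape both values, or build the object with whatever JSON serializer the test module already uses for request bodies, if it has one. The question identifier is repeated as a literal although `TestAbstractRestService` now defines `QUESTION_ID` for exactly this value — `"\"qid\" : \"" + QUESTION_ID + "\"," +`. `getBytes()` relies on the platform default charset here as in the parent; `getBytes(StandardCharsets.UTF_8)` makes the token encoding explicit. The other source files in this diff carry the project's license header, which this new file lacks, and the class has no Javadoc saying that it reruns the JSON REST tests with security-question (`SecQ`) authentication instead of Basic.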
diff --git a/testing/rest/src/test/resources/repo/security-policy.xml b/testing/rest/src/test/resources/repo/security-policy.xml new file mode 100644 index 00000000000..116a6cd7332 --- /dev/null +++ b/testing/rest/src/test/resources/repo/security-policy.xml @@ -0,0 +1,61 @@ + + + + + Security Policy + + + P30D + 3 + PT3M + PT15M + + + P30D + 3 + PT3M + PT15M + + + P30D + 3 + PT3M + PT15M + 1 + + http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001 + true + How much wood would a woodchuck chuck if woodchuck could chuck wood? + + + http://midpoint.evolveum.com/xml/ns/public/security/question-2#q002 + What is your mother's best friend's uncle's grandaughter's dog's mother maiden name? + + + http://midpoint.evolveum.com/xml/ns/public/security/question-2#q003 + true + What's your favorite color? + + + http://midpoint.evolveum.com/xml/ns/public/security/question-2#q004 + false + What's your favorite film? + + + + diff --git a/testing/rest/src/test/resources/repo/system-configuration.xml b/testing/rest/src/test/resources/repo/system-configuration.xml index 4b618321f9a..23c83dcff97 100644 --- a/testing/rest/src/test/resources/repo/system-configuration.xml +++ b/testing/rest/src/test/resources/repo/system-configuration.xml @@ -53,4 +53,5 @@ INFO + diff --git a/testing/rest/src/test/resources/repo/user-administrator.xml b/testing/rest/src/test/resources/repo/user-administrator.xml index 603ec000f1c..02f71571ce9 100644 --- a/testing/rest/src/test/resources/repo/user-administrator.xml +++ b/testing/rest/src/test/resources/repo/user-administrator.xml @@ -15,6 +15,7 @@ ~ limitations under the License. --> administrator @@ -33,5 +34,19 @@ 5ecr3t + + + http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001 + + 5ecr3t + + + + http://midpoint.evolveum.com/xml/ns/public/security/question-2#q003 + + black + + + \ No newline at end of file 
diff --git a/testing/rest/src/test/resources/repo/user-cyclops.xml b/testing/rest/src/test/resources/repo/user-cyclops.xml index 3d42c688363..d18ceaa1eb9 100644 --- a/testing/rest/src/test/resources/repo/user-cyclops.xml +++ b/testing/rest/src/test/resources/repo/user-cyclops.xml @@ -15,6 +15,7 @@ ~ limitations under the License. --> cyclops @@ -32,5 +33,13 @@ cyclopassword + + + http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001 + + cyclopassword + + + \ No newline at end of file diff --git a/testing/rest/src/test/resources/repo/user-nobody.xml b/testing/rest/src/test/resources/repo/user-nobody.xml index 2417609ceba..c4f11f0bbf0 100644 --- a/testing/rest/src/test/resources/repo/user-nobody.xml +++ b/testing/rest/src/test/resources/repo/user-nobody.xml @@ -15,6 +15,7 @@ ~ limitations under the License. --> nobody @@ -29,5 +30,13 @@ nopassword + + + http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001 + + nopassword + + + \ No newline at end of file diff --git a/testing/rest/src/test/resources/repo/user-somebody.xml b/testing/rest/src/test/resources/repo/user-somebody.xml index 373b5e2c1b6..e72424639f3 100644 --- a/testing/rest/src/test/resources/repo/user-somebody.xml +++ b/testing/rest/src/test/resources/repo/user-somebody.xml @@ -15,6 +15,7 @@ ~ limitations under the License. --> somebody @@ -35,5 +36,13 @@ somepassword + + + http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001 + + somepassword + + + \ No newline at end of file diff --git a/testing/rest/src/test/resources/repo/xml/user-darthadder.xml b/testing/rest/src/test/resources/repo/xml/user-darthadder.xml index f507d800c06..faa4eb67a57 100644 --- a/testing/rest/src/test/resources/repo/xml/user-darthadder.xml +++ b/testing/rest/src/test/resources/repo/xml/user-darthadder.xml @@ -15,6 +15,7 @@ ~ limitations under the License. --> darthadder 
@@ -48,5 +49,13 @@ iamyouruncle + + + http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001 + + iamyouruncle + + + \ No newline at end of file diff --git a/testing/rest/src/test/resources/repo/yaml/user-darthadder.yml b/testing/rest/src/test/resources/repo/yaml/user-darthadder.yml index f9f7ef8596d..fb7d7f97f55 100644 --- a/testing/rest/src/test/resources/repo/yaml/user-darthadder.yml +++ b/testing/rest/src/test/resources/repo/yaml/user-darthadder.yml @@ -53,4 +53,10 @@ user: password: value: '@ns': "http://prism.evolveum.com/xml/ns/public/types-3" - clearValue: "iamyouruncle" \ No newline at end of file + clearValue: "iamyouruncle" + securityQuestions: + - questionAnswer: + questionIdentifier: "http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001" + questionAnswer: + '@ns': "http://prism.evolveum.com/xml/ns/public/types-3" + clearValue: "iamyouruncle" \ No newline at end of file diff --git a/testing/rest/testng-integration.xml b/testing/rest/testng-integration.xml index 91e48b15302..d8001077572 100644 --- a/testing/rest/testng-integration.xml +++ b/testing/rest/testng-integration.xml @@ -22,6 +22,7 @@ +