Jack,
DotNetNuke's User Profile includes a Security Question and Answer.
Enabling that feature requires that you make a simple change to web.config. You can do this from Host, Configuration Manager (though you should ALWAYS make a backup of web.config before you edit it ... just in case!). Look for this code block:
<membership>
<providers>
<clear />
<add connectionStringName="SiteSqlServer" enablePasswordRetrieval="true"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="0"
requiresUniqueEmail="true"
passwordFormat="Encrypted"
applicationName="DotNetNuke"
description="Stores and retrieves membership data from the local Microsoft SQL Server database"
name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider" />
</providers>
</membership>
Besides "requiresQuestionAndAnswer" there are several other items that you may wish to consider changing.
By the way, there is a rather voluminous Administrator's manual that can be downloaded from DotNetNuke.com.