1. Yes AFAIK
2. They can not - it's a once only thing. The challenge questions are meant to be static.
Thnaks for clarifying.
Can you explain me what is the use of the below option is ePO ?
"Allow users to re-enroll self recovery'
This option in the EE PC Policy will allow users to change answers to self-recovery questions once they authentication in PBA.
It's kind of tricky though if you don't ask for username but just for the password.
Once you set this option in ePO and distribute the policy, reboot one of your systems to PBA.
In PBA, when prompted for a user name there should be checkbox "Re-Enroll Self Recovery". If you are not prompted for the user but only for the password, click on "Change User" to get the username prompt.
Once you check this checkbox and complete the authentication process (provide username and password) you will be prompted to modify the self-recovery data.