If you setup the option "Minimum Answers to Verify", the user can't use the forgotten password if no question is configured. In order to prevent this bad situation, OpenAM should force the user to complete the security questions earlier.
This could be done after the authentication, by forcing the user to complete the security questions before having the SSO token.
You should be able to implement a custom authentication module that verifies the security questions configured:
- if the security questions are configured => module succeed
- if the minimum of security questions is not configured => print a view to setup the questions.