To prompt the user with an additional security question, you could use the following example, which I have shared via ModelShare. This microflow presents users with terms & conditions for the app it is used in and maintains a record of their consent to the terms & conditions. With it, we can add new Terms & Conditions as necessary, and then the next time a user logs in, they will be prompted for consent to the updated T & C. While this example uses a persistent entity to record the users consent, you could replace that with a non-persistent entity to record their success in answering the challenge question. Then when they logout, the object in that entity would be cleaned up and they would be challenged again the next time they login. This microflow is the default home page for users, so they can't navigate elsewhere until they consent to any new Terms & Conditions. Hope this helps.
If your project security is set to Production or Proto-type/demo, there should be a tab page (in the project security settings) called "Anonymous users". In there you are able to configure a sign in microflow!
You can create your own log in action. I believe an example of one is available in the IP range validation app store module. After you successfully authenticate a user, you can then call a microflow.
$currentUser has an attribute entitled LastLogin, which contains the datetime stamp when the user logged in. In your home page microflow, you could see if LastLogin happened within the past 5 or 10 seconds and, if so, execute the microflow you want to execute upon login. If it happened more than 5 or 10 seconds ago, don't execute.