Simple answer is for an administrator to reset the password on the user details page and let them know. I think the default setting is that they will have to reset it when they next log in.
The “secret answer” is stored in the user object (as a password so administrators cannot see it). I have not tried it, but you may be able to add that to the user details page and reset that.
If this user is typical of your users you may want to consider a new authentication flow, with a new password reset flow that sends SMS or email to reset the password, without asking for the security question… You cannot edit the default ones, you will have to duplicate them (then edit the reset flow in the new login flow), and then set the new flows for each of your interfaces.