Challenge/Response Authentication

This document introduces the concept of challenge/response authentication, where users are authenticated by answering a series of personal questions. It then describes a number of best practices for robust, usable deployment of challenge/response authentication techniques.


An authentication factor is a form of evidence of a user's identity. It is used by a human user to support the claim that he is the legitimate owner of a login account.

Users may authenticate, typically in the context of a login process, using one or more of the following:

  1. Something they know -- i.e., a secret.
  2. Something they have -- i.e., a physical possession.
  3. Something they are -- i.e., a biometric sample.

Passwords and PINs are the most popular authentication technique and are an obvious example of "something a user knows." Pass-phrases are another example, consisting of multiple words rather than a single, short string of characters.

Challenge/response systems are another example of something a user knows. They typically consist of a series of personal questions, where the user is expected to know the answer to each question. As with all forms of authentication based on secrets, it is important that people other than the user in question not know the answers to the user's questions.

Uses for Challenge/Response Authentication

Most computer systems authenticate users using passwords -- i.e., users type a secret word or phrase, which is compared against a stored value. Best practices for password management are beyond the scope of this document. Interested readers can read more about this topic at:

Some systems may use alternate or supplementary authentication factors -- biometric samples (voice print, fingerprint, iris scan, palm print, etc.), one-time password (OTP) tokens, smart cards, etc.

In either case, a business problem arises when users have difficulty using their primary authentication method. Problems may include:

  1. Forgotten passwords.
  2. Inadvertently triggered intruder lockouts.
  3. Expired passwords.
  4. Lost or damaged OTP tokens or smart cards.
  5. Malfunctioning or unavailable biometric sampling devices.

The problem that arises in each of these circumstances is a simple question: How does a self-service system or an IT support analyst reliably authenticate an end user prior to providing assistance? Clearly the primary authentication method cannot be used, since the user contacted the support organization or accessed self-help infrastructure precisely because that method did not work.

Most organizations use challenge/response authentication to authenticate users prior to providing assistance relating to their primary authentication method. The most common example of this is self-service password reset, where a user:

  1. forgets or locks out his password, and is therefore unable to log in;
  2. identifies himself;
  3. authenticates himself by answering a series of personal questions;
  4. is able to select a new password; and
  5. can log in again using the new password.
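The following is an added illustration of the two points above: that challenge/response answers are secrets that must be protected like passwords, and that a self-service reset flow identifies the user, challenges with a subset of questions, verifies the responses, and only then allows a new password. It is example code written for this page, not code from the document's author or from any product it describes. The threshold of correct answers, the lockout limit, the PBKDF2 iteration count and the sample questions and answers are all constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Hypothetical policy values (assumptions for this example, not from the page).
PBKDF2_ITERATIONS = 100_000   # slow hash so a stolen answer store is costly to crack
REQUIRED_CORRECT = 2          # answers that must match before the user is authenticated
MAX_FAILED_ATTEMPTS = 3       # failed verification rounds before self-service is locked


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so harmless variations (case, extra spaces, Unicode
    composition) do not cause a legitimate user to fail verification."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the normalized answer; plaintext is never stored."""
    data = normalize_answer(answer).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)


class ChallengeResponseStore:
    """In-memory enrollment store standing in for a real user directory."""

    def __init__(self):
        # user -> {"questions": {question_id: (salt, digest)}, "failures": int, "locked": bool}
        self._users = {}

    def enroll(self, user: str, answers: dict) -> None:
        """Record salted hashes for each question; reject trivially short answers."""
        if len(answers) < REQUIRED_CORRECT:
            raise ValueError("not enough questions enrolled to meet the threshold")
        record = {}
        for qid, answer in answers.items():
            if len(normalize_answer(answer)) < 3:
                raise ValueError(f"answer to {qid!r} is too short to serve as a secret")
            salt = os.urandom(16)
            record[qid] = (salt, hash_answer(answer, salt))
        self._users[user] = {"questions": record, "failures": 0, "locked": False}

    def challenge(self, user: str, count: int) -> list:
        """Step 2/3 of the flow: after the user identifies himself, pick a random
        subset of his enrolled questions to present."""
        qids = list(self._users[user]["questions"])
        return secrets.SystemRandom().sample(qids, min(count, len(qids)))

    def verify(self, user: str, responses: dict) -> bool:
        """Step 3: authenticate if at least REQUIRED_CORRECT responses match.
        Every submitted answer is checked (no early exit) and compared in constant
        time, so response timing does not reveal which individual answer was wrong."""
        rec = self._users.get(user)
        if rec is None or rec["locked"]:
            return False
        correct = 0
        for qid, answer in responses.items():
            stored = rec["questions"].get(qid)
            if stored is None:
                continue
            salt, digest = stored
            if hmac.compare_digest(hash_answer(answer, salt), digest):
                correct += 1
        if correct >= REQUIRED_CORRECT:
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked"] = True   # further self-service attempts go to the help desk
        return False

    def is_locked(self, user: str) -> bool:
        return self._users[user]["locked"]


def demo_reset_flow() -> dict:
    """Walk through the self-service reset flow with constructed sample data."""
    store = ChallengeResponseStore()
    store.enroll("alice", {"first_pet": "Fluffy", "birth_city": "Zürich", "first_car": "Honda Civic"})
    asked = store.challenge("alice", 2)
    # The user answers with different casing and spacing than at enrollment.
    replies = {"first_pet": "  fluffy ", "birth_city": "ZÜRICH", "first_car": "honda civic"}
    authenticated = store.verify("alice", {q: replies[q] for q in asked})
    return {"asked": asked, "authenticated": authenticated}
```

Only after `verify` returns True would the application let the user choose a new password (step 4); a false result increments the failure counter so that guessing answers is bounded, and the answers themselves are never recoverable from the store.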
