This document introduces the concept of challenge/response authentication, where users are authenticated by answering a series of personal questions. It then describes a number of best practices for robust, usable deployment of challenge/response authentication techniques.
An authentication factor is a form of evidence of a user's identity. It is used by a human user to support the claim that he is the legitimate owner of a login account.
Users may authenticate, typically in the context of a login process, using one or more of the following:
Passwords and PINs are the most popular authentication technique and are an obvious example of "something a user knows." Pass-phrases are another example, consisting of multiple words rather than a single, short string of characters.
Challenge/response systems are another example of something a user knows. They typically consist of a series of personal questions, where the user is expected to know the answer to each question. As with all forms of authentication based on secrets, it is important that people other than the user in question not know the answers to the user's questions.
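To make the secrecy requirement concrete, here is an added example (not code from the original document or its vendor) of how a self-service system can enrol and verify a series of personal questions without ever storing the answers in the clear: each answer is normalised, salted and hashed with PBKDF2, every question is checked on each attempt, and the profile locks after a configurable number of failures. The question texts, answers and work factor are constructed for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, tune to the deployment


def normalize(answer: str) -> str:
    """Case-fold, Unicode-normalise and collapse whitespace so that
    'Fluffy ' and 'fluffy' are accepted as the same answer."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def _hash(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS)


class ChallengeProfile:
    """Enrolled question/answer pairs for one user, kept only as salted hashes,
    so that support staff and database readers cannot learn the answers."""

    def __init__(self, answers: dict[str, str], max_failures: int = 3) -> None:
        self._entries = {}
        for question, answer in answers.items():
            salt = os.urandom(16)
            self._entries[question] = (salt, _hash(answer, salt))
        self._failures = 0
        self._max_failures = max_failures

    @property
    def locked(self) -> bool:
        return self._failures >= self._max_failures

    def questions(self) -> list[str]:
        return list(self._entries)

    def verify(self, responses: dict[str, str]) -> bool:
        """Return True only if every enrolled question is answered correctly.
        All answers are checked even after one fails, so response timing does
        not reveal which question was wrong; a locked profile always fails."""
        if self.locked:
            return False
        ok = True
        for question, (salt, digest) in self._entries.items():
            candidate = _hash(responses.get(question, ""), salt)
            ok &= hmac.compare_digest(candidate, digest)
        if ok:
            self._failures = 0
        else:
            self._failures += 1
        return ok
```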
Most computer systems authenticate users using passwords -- i.e., users type a secret word or phrase, which is compared against a stored value. Best practices for password management are beyond the scope of this document. Interested readers can read more about this topic at:
Some systems may use alternate or supplementary authentication factors -- biometric samples (voice print, fingerprint, iris scan, palm print, etc.); one-time-password (OTP) tokens, smart cards, etc.
In either case, a business problem arises when users have difficulty using their primary authentication method. Problems may include:
The problem that arises in each of these circumstances is a simple question: How does a self-service system or an IT support analyst reliably authenticate an end user prior to providing assistance? Clearly the primary authentication method cannot be used, since the user contacted the support organization or accessed self-help infrastructure precisely because that method did not work.
Most organizations use challenge/response authentication to authenticate users prior to providing assistance relating to their primary authentication method. The most common example of this is self-service password reset, where a user: