This document introduces the concept of challenge/response authentication, where users are authenticated by answering a series of personal questions. It then describes a number of best practices for robust, usable deployment of challenge/response authentication techniques.
An authentication factor is a form of evidence of a user's identity. It is used by a human user to support the claim that he is the legitimate owner of a login account.
Users may authenticate, typically in the context of a login process, using one or more of the following:
- Something they know -- i.e., a secret.
- Something they have -- i.e., a physical possession.
- Something they are -- i.e., a biometric sample.
Passwords and PINs are the most popular authentication technique and are an obvious example of "something a user knows." Pass-phrases are another example, consisting of multiple words rather than a single, short string of characters.
Challenge/response systems are another example of something a user knows. They typically consist of a series of personal questions, where the user is expected to know the answer to each question. As with all forms of authentication based on secrets, it is important that people other than the user in question not know the answers to the user's question.