Uses for Challenge/Response Authentication
Most computer systems authenticate users using passwords -- i.e., users type a secret word or phrase, which is compared against a stored value. Best practices for password management are beyond the scope of this document. Interested readers can read more about this topic at:
Some systems may use alternate or supplementary authentication factors -- biometric samples (voice print, fingerprint, iris scan, palm print, etc.); one-time password (OTP) tokens, smart cards, etc.
In either case, a business problem arises when users have difficulty using their primary authentication method. Problems may include:
- Forgotten passwords.
- Inadvertently triggered intruder lockouts.
- Expired passwords.
- Lost or damaged OTP tokens or smart cards.
- Malfunctioning or unavailable biometric sampling devices.
The problem that arises in each of these circumstances is a simple question: How does a self-service system or an IT support analyst reliably authenticate an end user prior to providing assistance? Clearly the primary authentication method cannot be used, since the user contacted the support organization or accessed self-help infrastructure precisely because that method did not work.
Most organizations use challenge/response authentication to authenticate users prior to providing assistance relating to their primary authentication method. The most common example of this is self-service password reset, where a user:
- forgets or locks out his password, and is therefore unable to log in;
- identifies himself;
- authenticates himself by answering a series of personal questions;
- is able to select a new password; and
- can log in again using the new password.
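The five-step reset flow above, implemented end to end as an added example (this is illustrative code written for this page, not the code of any product the page describes). It assumes an in-memory store, PBKDF2-HMAC-SHA256 for both passwords and challenge answers, answers normalised (case, whitespace, Unicode form) before hashing so harmless variation is not rejected, a random subset of the enrolled questions per challenge, a failure counter that locks the profile, and a one-time token that carries the user from a successful challenge to the password-change step. All usernames, questions and answers are constructed sample data.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import secrets
import unicodedata

PBKDF2_ITERATIONS = 100_000  # assumption: tune to the deployment's hardware


def normalize(answer: str) -> str:
    """Canonicalise a free-text answer so case, spacing and Unicode form differences do not cause false rejections."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, used for passwords and answers alike so a stolen store reveals neither in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class ChallengeProfile:
    """A user's enrolled questions plus the state of the current reset attempt."""

    def __init__(self, questions_per_challenge: int = 2, max_failures: int = 3):
        self.answers: dict[str, tuple[bytes, bytes]] = {}  # question -> (salt, hash)
        self.questions_per_challenge = questions_per_challenge
        self.max_failures = max_failures
        self.failures = 0
        self.pending: list[str] = []  # questions issued in the current challenge

    def enroll(self, question: str, answer: str) -> None:
        salt = os.urandom(16)
        self.answers[question] = (salt, hash_secret(normalize(answer), salt))

    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def challenge(self) -> list[str]:
        """Pick a random subset of enrolled questions; the user must answer all of them."""
        k = min(self.questions_per_challenge, len(self.answers))
        self.pending = secrets.SystemRandom().sample(sorted(self.answers), k)
        return list(self.pending)

    def verify(self, responses: dict[str, str]) -> bool:
        """Every challenged question is checked, even after a mismatch, so the caller learns only pass/fail."""
        if self.locked() or not self.pending:
            return False
        ok = True
        for question in self.pending:
            salt, expected = self.answers[question]
            given = hash_secret(normalize(responses.get(question, "")), salt)
            ok &= hmac.compare_digest(given, expected)
        self.pending = []  # a challenge can be answered only once
        self.failures = 0 if ok else self.failures + 1
        return ok


class SelfServiceReset:
    """Identify -> challenge -> new password -> log in, backed by in-memory stores (constructed for this example)."""

    def __init__(self):
        self.profiles: dict[str, ChallengeProfile] = {}
        self.credentials: dict[str, tuple[bytes, bytes]] = {}  # username -> (salt, hash)
        self.reset_tokens: dict[str, str] = {}  # one-time token -> username

    def enroll_user(self, username: str, password: str, qa: dict[str, str]) -> None:
        salt = os.urandom(16)
        self.credentials[username] = (salt, hash_secret(password, salt))
        profile = ChallengeProfile()
        for question, answer in qa.items():
            profile.enroll(question, answer)
        self.profiles[username] = profile

    def login(self, username: str, password: str) -> bool:
        cred = self.credentials.get(username)
        if cred is None:
            return False
        salt, expected = cred
        return hmac.compare_digest(hash_secret(password, salt), expected)

    def start_reset(self, username: str) -> list[str]:
        """The user identifies himself and receives the questions to answer; a locked profile gets none."""
        profile = self.profiles.get(username)
        if profile is None or profile.locked():
            return []
        return profile.challenge()

    def answer_challenge(self, username: str, responses: dict[str, str]) -> str | None:
        """Check the answers; on success issue a one-time token for the password-change step."""
        profile = self.profiles.get(username)
        if profile is None or not profile.verify(responses):
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = username
        return token

    def set_new_password(self, token: str, new_password: str) -> bool:
        """Consume the token (valid or not, it is gone afterwards) and store the new password."""
        username = self.reset_tokens.pop(token, None)
        if username is None:
            return False
        salt = os.urandom(16)
        self.credentials[username] = (salt, hash_secret(new_password, salt))
        return True
```

Two design points worth noting: the profile's `verify` hashes and compares every challenged answer before reporting, so the caller learns only pass or fail, not which question missed; and the reset token is removed from the store on first use, so a successful challenge authorises exactly one password change.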