Most computer systems authenticate users using passwords -- i.e., users type a secret word or phrase, which is compared against a stored value. Best practices for password management are beyond the scope of this document. Interested readers can read more about this topic at:
Some systems may use alternative or supplementary authentication factors -- biometric samples (voice print, fingerprint, iris scan, palm print, etc.), one-time-password (OTP) tokens, smart cards, etc.
In either case, a business problem arises when users have difficulty using their primary authentication method. Problems may include:
Each of these circumstances raises the same simple question: how does a self-service system or an IT support analyst reliably authenticate an end user before providing assistance? Clearly, the primary authentication method cannot be used, since the user contacted the support organization or accessed self-help infrastructure precisely because that method did not work.
Most organizations use challenge/response authentication to verify a user's identity before providing assistance with their primary authentication method. The most common example of this is self-service password reset, where a user: