Challenge/Response, also known as knowledge-based authentication (KBA), is a form of authentication in which users verify their identities by answering “challenge” questions based on personal information about themselves. (This is distinct from cryptographic challenge/response protocols, where the challenge is a random value and the response is computed with a secret key; here the challenge is a question and the response is something the user knows.) Because the response is something the user knows, it belongs to the same factor as a password rather than constituting an independent second factor.
Challenge/response questions are commonly used for several use cases: self-service password or PIN resets; emergency access for Windows log-on (which we don’t recommend, because it violates some security policies, such as CJIS); and risk-based authentication, where challenge questions must be answered when a risk threshold is met and additional verification is required.
Although challenge/response questions are relatively convenient, they must be carefully chosen and configured so as to not sacrifice security.
Good challenge questions have answers that are simple, memorable, not easily guessed, and unlikely to change, but this can be a tricky balance to strike. Policies such as requiring questions to change at specific intervals, preventing response reuse, and enforcing minimum answer lengths can help strengthen question security. Answers should also be stored the way passwords are, as salted hashes produced by a slow hash function and never in plaintext, since a leaked answer table compromises every account and, because people reuse the same answers, accounts on other sites as well.
This article continues our series on two-factor authentication methods, as we take a deeper dive into challenge/response authentication and its benefits and drawbacks.
How Does Challenge/Response Authentication Work?
There are two types of challenge questions: static and dynamic. Static questions present the user with a bank of predefined questions from which to choose or give the user the option to create custom challenge questions. The user then provides corresponding answers to their selected challenge questions. The number of questions a user is required to answer varies, depending on the organization’s policies.
Dynamic questions are generated from data about the user harvested from public records and similar sources, such as the street address of a previous residence or the make and model of a vehicle associated with the user: facts the user should know offhand but an outsider would have to look up. The user is then presented with randomly selected multiple-choice questions built from this data and must pick the correct answer.
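As an added example (not from the original article or any particular product), here is a minimal enrollment-and-verification flow for static questions in Python that applies the policies discussed above: answers are normalized and then stored only as salted scrypt hashes, a minimum answer length is enforced, a user must get two of three enrolled answers right in one round, every answer is checked before a result is returned, and the record locks after three failed rounds. The question bank, question ids, parameter values and sample answers are all constructed for the example.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed question bank for the example (hypothetical ids and wording).
QUESTION_BANK = {
    "q_teacher": "What was your favorite teacher's surname?",
    "q_street": "What was the street name of your first home?",
    "q_job": "What was the job title of your first job?",
}

MIN_ANSWER_LEN = 4     # reject trivially short answers such as "red" or "cat"
REQUIRED_CORRECT = 2   # how many enrolled answers must match in one round
MAX_ATTEMPTS = 3       # failed rounds before the reset flow locks the account
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MiB per hash


def normalize(answer: str) -> str:
    """Canonicalize an answer before hashing so that capitalization, accents,
    spacing and punctuation do not lock out a user who knows the answer."""
    s = unicodedata.normalize("NFKD", answer)
    s = "".join(c for c in s if not unicodedata.combining(c))  # strip accents
    s = s.casefold()
    return re.sub(r"[^a-z0-9]", "", s)  # drop spaces and punctuation entirely


def hash_answer(normalized: str, salt: bytes) -> bytes:
    """Memory-hard hash, so a stolen answer table still costs real effort to crack."""
    return hashlib.scrypt(normalized.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def enroll(answers: dict) -> dict:
    """Create the user's record from {question id: plaintext answer}. Only a
    per-answer random salt and the scrypt hash are kept, never the answer."""
    if len(answers) < REQUIRED_CORRECT:
        raise ValueError("not enough questions enrolled")
    record = {"questions": {}, "failed_attempts": 0}
    for qid, answer in answers.items():
        if qid not in QUESTION_BANK:
            raise ValueError(f"unknown question {qid}")
        norm = normalize(answer)
        if len(norm) < MIN_ANSWER_LEN:
            raise ValueError(f"answer to {qid} is too short to be useful")
        salt = os.urandom(16)
        record["questions"][qid] = {"salt": salt, "hash": hash_answer(norm, salt)}
    return record


def verify(record: dict, supplied: dict) -> bool:
    """One verification round against {question id: answer as typed}. Every
    enrolled answer is hashed and compared in constant time with no early exit,
    so response time does not reveal which answer was wrong, and the failure
    counter is updated before the result is returned."""
    if is_locked(record):
        return False  # locked: route the user to a stronger recovery path
    correct = 0
    for qid, stored in record["questions"].items():
        candidate = hash_answer(normalize(supplied.get(qid, "")), stored["salt"])
        if hmac.compare_digest(candidate, stored["hash"]):
            correct += 1
    if correct >= REQUIRED_CORRECT:
        record["failed_attempts"] = 0
        return True
    record["failed_attempts"] += 1
    return False


def is_locked(record: dict) -> bool:
    return record["failed_attempts"] >= MAX_ATTEMPTS


if __name__ == "__main__":
    # Constructed sample answers; the verification round below passes on 2 of 3.
    user = enroll({"q_teacher": "Mrs. O'Brien",
                   "q_street": "Rue de l'Église",
                   "q_job": "Paperboy"})
    print(verify(user, {"q_teacher": "mrs obrien",
                        "q_street": "RUE DE L'EGLISE",
                        "q_job": "newspaper carrier"}))  # True
```

Two choices are worth calling out. Normalization deliberately discards case, accents, spacing and punctuation, because those are exactly the differences that lock out legitimate users while adding almost nothing to the work an attacker has to do. And the verifier hashes every supplied answer rather than stopping at the first mismatch, so the response time does not tell the caller which of the three answers was the wrong one.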
Ease of Use
Because many systems and applications already use challenge/response questions, users are typically familiar with how they work. Setup is quick and easy: users select and answer a few questions. Authenticating is equally simple: users provide the correct answers to their preselected questions. They don’t need to have anything in their possession or retrieve a code, and unlike a password, the question itself cues the answer, so users are not relying solely on recall of an arbitrary secret.
Low Cost to Implement and Maintain
Challenge/response questions are also low-cost and low-effort for organizations to implement. There’s no hardware to purchase and ship to users, and there’s no need to rip-and-replace existing infrastructure. Plus, time and expense don’t need to be spent training users on how to set up and use this authentication method.
Enables Self-Service and Emergency Access
Challenge/response questions are commonly used to enable self-service password resets and emergency access, which can drastically reduce an organization’s help desk burden and lead to substantial soft cost savings. Gartner estimates that 20-50 percent of all help desk calls are for password resets. The savings from eliminating these help desk calls can really add up, as Forrester estimates the cost of a single password reset to be $70. Not only do these capabilities give your help desk back time to focus on more strategic priorities, but they empower your users to resolve their own problems and get to work more quickly.
Using challenge/response provides flexibility for the company and the user. Users are able to choose questions that apply to them and that they are most likely to remember, or can even be given the option to create custom questions. Meanwhile, the company determines the questions to include in the question bank, the number of questions users are required to answer, and the number of attempts users are permitted to answer questions. Additionally, the company chooses how they want to implement challenge/response questions and whether or not to layer this method with other authentication methods for added security.
Susceptible to Social Engineering
Challenge/response questions can be defeated without any technical attack on the system, which makes them less secure than methods such as push authentication, one-time passwords, and FIDO U2F tokens. Answers to challenge questions can often be found in public records or in social media posts. For example, a Yahoo! account belonging to Sarah Palin was compromised during the 2008 election campaign when an attacker correctly answered her challenge question, “Where did you meet your spouse?”; the answer, Wasilla High School, was easily searchable online.
Furthermore, an attacker who knows a target’s username (or who simply creates an account of their own to see the question bank) can read the challenge questions before attempting anything, then research the answers offline with unlimited time and without spending a single login attempt. Reset flows should therefore not reveal a user’s chosen questions until some other check has passed, such as clicking a link sent to the registered email address, and attempt limits should be enforced per account rather than per session.
Answers Can Be Guessed
Challenge/response questions tend to have logical answers, meaning there is a limited number of expected answers. This makes challenge questions individually less secure than strong passwords, which can be completely free-form. And unlike passwords, challenge question answers often remain the same over the course of a user’s life. The answer to “What was your high school mascot?” is never going to change, so once it leaks it is compromised permanently, and on every other site that asks the same question.
Family, friends, and significant others may also know or be able to easily guess answers. One study found that while participants only remembered 80 percent of their own challenge question answers, their significant others were able to correctly guess 39.5 percent without any prior knowledge of the answers.
Challenge Question Strength Varies
It can be difficult to find questions that meet the criteria of being simple, memorable, not easily guessed, and constant. As a result, many challenge questions fall short, and the number of plausible answers varies widely from question to question. For example, most people will answer “What’s your favorite color?” with one of a handful of common color names, whereas “What was your favorite teacher’s name?” is more open-ended with many more possible answers. Self-selected questions tend to be especially weak, as users often choose easily guessed questions with equally simple answers because they are easier to remember.
Even when the company provides users with challenge question options, companies tend to draw from similar pools of questions. Attackers are therefore familiar with the typical questions and can maintain lists of the most common answers to each, which they try in order of popularity until the attempt limit is reached.
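To make the attempt-limit and common-answer points above concrete, here is an added worked example (not from the article) that computes, for a constructed answer distribution, how often an attacker who knows that distribution succeeds within the allowed number of guesses, what requiring two questions at once does to that number, and what an enrollment-time blocklist of over-popular answers does to it. The distributions, the 5,000-surname tail and the thresholds are illustrative assumptions, not survey data; a real deployment would derive them from its own enrollment logs.

```python
import itertools
import math
from typing import Dict, List, Set

Dist = Dict[str, float]  # answer -> share of users who enrolled it; sums to 1

# Constructed, illustrative distribution (not survey data): ten color names
# cover the whole population, and one of them is chosen by a third of users.
FAVORITE_COLOR: Dist = {
    "blue": 0.34, "green": 0.17, "red": 0.14, "purple": 0.11, "black": 0.08,
    "yellow": 0.05, "pink": 0.04, "orange": 0.03, "white": 0.02, "brown": 0.02,
}


def with_long_tail(head: Dist, tail_size: int) -> Dist:
    """Spread the probability mass not covered by `head` evenly over
    `tail_size` further answers (labelled t0, t1, ...), modelling an open-ended
    question with a few popular answers and a great many rare ones."""
    remaining = 1.0 - sum(head.values())
    dist = dict(head)
    dist.update({f"t{i}": remaining / tail_size for i in range(tail_size)})
    return dist


# "What was your favorite teacher's surname?": three common surnames, then a
# flat tail of 5,000 others (assumed shape).
TEACHER_SURNAME: Dist = with_long_tail(
    {"smith": 0.03, "johnson": 0.02, "williams": 0.02}, 5000)


def success_rate(dist: Dist, budget: int) -> float:
    """Probability that an attacker who knows the distribution and gets `budget`
    guesses before lockout finds the answer. The best strategy is to try the
    `budget` most popular answers, so this is the sum of their shares."""
    return sum(sorted(dist.values(), reverse=True)[:budget])


def min_entropy_bits(dist: Dist) -> float:
    """Min-entropy, -log2 of the most likely answer: the measure that bounds a
    single best guess (Shannon entropy overstates strength for skewed answers)."""
    return -math.log2(max(dist.values()))


def joint_success(dists: List[Dist], budget: int) -> float:
    """All questions must be right in the same attempt and the attacker has
    `budget` attempts in total. The best guesses are the answer tuples with
    the highest product probability; any such tuple uses only the top `budget`
    answers of each question, so that is all that needs enumerating."""
    heads = [sorted(d.values(), reverse=True)[:budget] for d in dists]
    products = sorted((math.prod(t) for t in itertools.product(*heads)), reverse=True)
    return sum(products[:budget])


def blocklist(dist: Dist, max_share: float) -> Set[str]:
    """Answers given by more than `max_share` of users: refuse them at
    enrollment (the same common-answer list an attacker keeps, used first)."""
    return {answer for answer, p in dist.items() if p > max_share}


def after_blocklist(dist: Dist, blocked: Set[str]) -> Dist:
    """Distribution of the answers that remain once blocked ones are refused,
    renormalized: this is what the attacker faces for users of this question."""
    kept = {a: p for a, p in dist.items() if a not in blocked}
    total = sum(kept.values())
    return {a: p / total for a, p in kept.items()}


if __name__ == "__main__":
    budget = 3  # attempts allowed before lockout
    for name, dist, share in (("favorite color", FAVORITE_COLOR, 0.10),
                              ("teacher surname", TEACHER_SURNAME, 0.025)):
        blocked = blocklist(dist, share)
        print(f"{name}: min-entropy {min_entropy_bits(dist):.2f} bits, "
              f"{budget} guesses succeed {success_rate(dist, budget):.1%}; "
              f"after blocking {sorted(blocked)}: "
              f"{success_rate(after_blocklist(dist, blocked), budget):.1%}")
    print(f"both questions, {budget} shared attempts: "
          f"{joint_success([FAVORITE_COLOR, TEACHER_SURNAME], budget):.2%}")
```

With these assumed distributions, three guesses at the favorite color succeed 65 percent of the time against 7 percent for the teacher's surname, and requiring both answers in the same attempt with a shared three-attempt budget brings the attacker down to about 2.4 percent. The blocklist cuts the surname question's exposure roughly in half, but on the color question it makes things worse: once the four most popular colors are refused, the remaining users are crowded into an even smaller pool and three guesses now cover about 71 percent of them. Common-answer policies help open-ended questions; a question whose entire answer space fits in a short list should be dropped from the bank rather than patched.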
Potential Privacy Issues
Some challenge questions may be perceived as too probing by users, leading to upset or hesitant customers. Dynamic challenge questions, for example, use mined data from a variety of sources, including credit bureau information. Alternatively, static questions may come off as too personal, leading users to ask why they must provide such information to a company.
Can Slow Down the Login Process
Some users may find the challenge questions presented too difficult to answer or remember, leading to login issues. A Google study found that only 47 percent of people could remember what they put down as their favorite food a year earlier. Furthermore, if answers must be entered exactly as they were initially entered, a user who knows the correct answer may still struggle with capitalization, spacing, spelling, and punctuation. Normalizing answers (case folding, trimming whitespace, stripping punctuation and accents) before hashing removes most of this friction while giving an attacker almost no extra help.
Not All Questions Apply
Users may have issues finding questions that apply to them. For example, asking for the name of a favorite childhood pet excludes users who never owned one growing up. According to one Microsoft study, as many as 15 percent of challenge questions don’t apply to the general public.
Is Challenge/Response Right for Your Organization?
Challenge/response questions are often the go-to authentication method for self-service password resets, facilitating emergency access, and risk-based authentication. It’s easy to see why; they offer a lot of benefits, including increased user convenience, easy setup and maintenance, and cost-effectiveness.
However, organizations considering this method also need to consider the risks, such as answers being guessable or uncovered through social engineering. It’s important to implement challenge/response questions without introducing a weak link in your organization’s security program.
Because challenge questions can be defeated without any technical attack, we recommend using them only as a fallback, for example when a user has no internet or WiFi connection for a push or one-time-password device, and layering them with another check wherever possible. For other scenarios, more secure options, such as push authentication, one-time passwords, or FIDO U2F tokens, are a better fit. Choosing an authentication platform that offers this flexibility and breadth of choice makes that possible.