Skip to main content


Home Challenge-response authentication

Challenge-response authentication

Challenge-response authentication definition

Challenge-response authentication is a security mechanism where to gain access to a resource, the user has to complete a challenge first, such as answering a question or giving specific information. The response is usually based on a shared secret, known data, or a cryptographic transformation.

See also: out of band authentication, password authentication protocol

Challenge-response authentication examples

  • Password-based challenge. The most basic form is a password prompt. The user has to enter the correct password to access the system.
  • Cryptographic challenge. The server sends a random number as a challenge, while the client uses a cryptographic algorithm and a secret key to encrypt and send it back as a response.
  • Time-synchronized tokens. The challenge is the current time, and the response is a code generated by a token, such as RSA SecurID, that synchronizes with the server's clock.
  • Hardware authentication. The challenge might be requesting a hardware device (like a USB security key) to prove its identity. The device responds with a pre-configured authentication code or a digitally signed message.
  • Biometric challenge. The system requests a biometric input like a fingerprint or facial scan. The user provides the biometric data, which the system compares against a stored template to verify the user's identity.
  • Security questions. The challenge is a set of pre-arranged questions the user chose in advance, such as their mother's maiden name or first pet's name.