Challenge-response authentication
Challenge-response authentication
Challenge-response authentication definition
Challenge-response authentication is a security mechanism where to gain access to a resource, the user has to complete a challenge first, such as answering a question or giving specific information. The response is usually based on a shared secret, known data, or a cryptographic transformation.
See also: out of band authentication, password authentication protocol
Challenge-response authentication examples
- Password-based challenge. The most basic form is a password prompt. The user has to enter the correct password to access the system.
- Cryptographic challenge. The server sends a random number as a challenge, while the client uses a cryptographic algorithm and a secret key to encrypt and send it back as a response.
- Time-synchronized tokens. The challenge is the current time, and the response is a code generated by a token, such as RSA SecurID, that synchronizes with the server’s clock.
- Hardware authentication. The challenge might be requesting a hardware device (like a USB security key) to prove its identity. The device responds with a pre-configured authentication code or a digitally signed message.
- Biometric challenge. The system requests a biometric input like a fingerprint or facial scan. The user provides the biometric data, which the system compares against a stored template to verify the user’s identity.
- Security questions. The challenge is a set of pre-arranged questions the user chose in advance, such as their mother’s maiden name or first pet’s name.