Section 8.1. Challenge Questions as a Form of Authentication

Most people are familiar with passwords as a form of authentication. Passwords or Personal Identification Numbers (PINs) are two examples of using "something you know" in order to authenticate. Biometrics, such as a fingerprint or voice recognition, represent "something you are," and a physical token, such as a bank card, represents "something you have." These three "something" categories are the common means of classifying authentication techniques. Challenge questions (and their corresponding answers), like passwords, are a form of "something you know" because they represent information that is known to an individual.

When I refer to challenge questions in this chapter, I am referring to questions and answers that are deposited or registered by an individual. For the purposes of subsequent authentication, the questions are posed to the individual who is required to repeat the original answer as his response.

An alternative form of "challenge questions" does not require the explicit deposit of information by an individual. Rather, the individual responds to questions posed by the account manager. In the case of a financial institution, for example, the individual might be asked to provide the monetary amount of his most recent transaction. I refer to such information as shared secrets, as they represent information shared a priori with the account manager.

8.1.1. Using Challenge Questions for Credential Recovery

Security credentials such as passwords and physical security tokens are issued in a variety of situations. Sometimes an initial identification step takes place in which an individual must show a passport or other identification papers. In other cases (for example, when establishing an account to read a free online newspaper) individuals simply identify themselves, and no effort is made to verify the claimed identity. If an individual should forget a password or lose a security token, he might be able to recover the lost credential by re-identifying himself to the credential issuer. However, this is often inconvenient and generally requires a physical rather than an online interaction. In cases where an individual initially identified himself without providing any identification papers, re-identification may not be possible at all without the use of a shared secret or challenge questions.

Unlike passwords, which an individual typically memorizes in support of future, routine authentication, challenge questions are most often based upon information already known to the user. While password construction might similarly draw on information known to an individual, password rules (e.g., requirements to include both alphabetic and numeric characters) typically necessitate some additional memorization. Thus, challenge questions are particularly well suited for credential recovery, as they do not require individuals to memorize additional information that could subsequently be forgotten.

8.1.2. Using Challenge Questions for Routine Authentication

While offering some advantage for the purpose of credential recovery, challenge questions can also be used for the day-to-day authentication of an individual. However, challenge questions may be inconvenient for day-to-day authentication for a number of reasons:

  • A challenge question system may require an additional step to obtain the challenge questions. Unlike a system whereby the individual submits his username and password in one step, when questions are specific to the individual, the username must be provided first and the appropriate questions retrieved and presented to the individual for his response. Such delay may be intolerable to individuals. (Note also that this two-step flow tells anyone who submits a username whether an account by that name exists, since only existing accounts have questions to return.)

  • A challenge question system may choose not to obscure display of the answers. To prevent "shoulder-surfing" attacks, credentials such as passwords are often obscured (e.g., each password character is replaced with a "*" when displayed on the screen). Because challenge questions may prompt answers that include varying capitalization and punctuation, challenge question systems often allow users to enter responses unobscured.

  • A challenge question system may use more than one question-answer pair. In this case, the use of multiple questions will most certainly require more time for authentication, at least when compared to password authentication.

  • A challenge question system may make use of an "out-of-band" authentication step. This might require, for example, sending mail to the individual's address of record (e.g., his home address). Such a step may introduce unacceptable delay for routine authentication.

In addition, because the answers to challenge questions are not constructed in the same way as passwords (e.g., with no requirements for including punctuation, capitalization, etc.), the answers may be "dictionary searchable": the plausible answers to a question such as "What is your favorite color?" number a few dozen at most. By using challenge questions for routine authentication, a system gives an attacker many more opportunities to validate his answer guesses. A recovery process can be controlled more easily; because recovery attempts are less frequent, each such attempt can be rate-limited and can result in a notice to the individual account owner. A poorly designed challenge question system can dramatically weaken the security of an otherwise strong password system.
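The following Python example, added here and not taken from the book, shows how the points above fit together in a recovery flow: answers are normalized before comparison (so they can be entered unobscured with varying capitalization and punctuation, as discussed in the preceding list), stored only as salted slow hashes, and checked through an endpoint that limits attempts per account and records a notice to the owner on every attempt. It then runs the "dictionary searchable" attack from this paragraph against that endpoint. The class and function names, the sample account, and the small guess dictionaries are all constructed for illustration.

```python
"""Challenge-question credential recovery with normalized, hashed answers,
an attempt limit, and an owner notice per attempt. Example code added to this
section (not from the book); all names and sample data are constructed."""
import hashlib
import hmac
import itertools
import os
import string
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 50_000   # slow hash: raises the cost of offline guessing if the store leaks
MAX_ATTEMPTS = 3         # recovery is rare, so a tight limit is affordable

# Constructed guess dictionaries for the attacker in dictionary_attack().
COLOR_GUESSES = ["red", "blue", "green", "black", "white"]
CITY_GUESSES = ["Boston", "Chicago", "St. Louis", "Denver"]


def normalize_answer(answer: str) -> str:
    """Fold case and drop punctuation/whitespace so 'St. Louis' == 'st louis'.
    This tolerance is why systems let users type answers unobscured."""
    table = str.maketrans("", "", string.punctuation + string.whitespace)
    return answer.casefold().translate(table)


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2 over the normalized answer; never store answers in clear."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class RecoveryRecord:
    questions: list
    salts: list
    digests: list
    failed_attempts: int = 0
    notices: list = field(default_factory=list)   # messages that would go to the owner


class RecoveryService:
    def __init__(self):
        self.accounts = {}

    def register(self, username: str, qa_pairs) -> None:
        """Deposit the user's chosen question/answer pairs (hashed, per-answer salt)."""
        questions, salts, digests = [], [], []
        for question, answer in qa_pairs:
            salt = os.urandom(16)
            questions.append(question)
            salts.append(salt)
            digests.append(hash_answer(answer, salt))
        self.accounts[username] = RecoveryRecord(questions, salts, digests)

    def questions_for(self, username: str) -> list:
        """Step one of the two-step flow: username first, then user-specific questions."""
        return list(self.accounts[username].questions)

    def attempt_recovery(self, username: str, answers) -> str:
        """Returns 'recovered', 'failed', or 'locked'. Every call notifies the owner."""
        rec = self.accounts[username]
        rec.notices.append(f"recovery attempt #{len(rec.notices) + 1} for {username}")
        if rec.failed_attempts >= MAX_ATTEMPTS:
            return "locked"
        if len(answers) != len(rec.digests):
            rec.failed_attempts += 1
            return "failed"
        # Evaluate every answer before deciding, so the response never reveals
        # which individual question was wrong (no per-question short-circuit).
        results = [hmac.compare_digest(hash_answer(a, s), d)
                   for a, s, d in zip(answers, rec.salts, rec.digests)]
        if all(results):
            rec.failed_attempts = 0
            return "recovered"
        rec.failed_attempts += 1
        return "failed"


def dictionary_attack(service: RecoveryService, username: str, dictionaries) -> tuple:
    """Attacker from the text: tries every combination of small dictionaries
    against the recovery endpoint. Returns (outcome, number of attempts made)."""
    tried = 0
    for combo in itertools.product(*dictionaries):
        tried += 1
        outcome = service.attempt_recovery(username, list(combo))
        if outcome in ("recovered", "locked"):
            return outcome, tried
    return "exhausted", tried


if __name__ == "__main__":
    svc = RecoveryService()
    svc.register("alice", [("What is your favorite color?", "Blue"),
                           ("In what city were you born?", "St. Louis")])
    print(svc.attempt_recovery("alice", ["BLUE", "st louis"]))          # owner succeeds
    print(dictionary_attack(svc, "alice", [COLOR_GUESSES, CITY_GUESSES]))  # attacker is locked out
    print(svc.accounts["alice"].notices)                                # one notice per attempt
```

Two design choices are worth noting. The attempt counter and the owner notice are cheap to apply here precisely because recovery is infrequent; applying the same limit to routine logins would lock out legitimate users far more often. And the comparison evaluates all answers before returning, so an attacker cannot search each question's dictionary independently, which would reduce the work from the product of the dictionary sizes to their sum.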



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295