Chapter Eight. Designing Authentication Systems with Challenge Questions

Mike Just

“What is your mother’s maiden name?” “What is your date of birth?” Such questions are often used to authenticate an individual. The answers often represent information well known to the individual, but (one hopes) not so widely known as to be available to a potential impersonator. These challenge questions require an individual to recall and present previously registered answers when authenticating.

In this chapter, I review the design and evaluation of authentication systems that use challenge questions and answers to identify or authenticate individuals. I pay particular attention to ensuring that the design satisfies the security, usability, and privacy requirements of the authentication system.
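The two preceding paragraphs describe the mechanism (answers are registered once and recalled later) and the three requirements the design must meet. The following Python sketch is an added illustration, not code from the chapter or its author, of how a verifier can hold those requirements together: answers are canonicalised before hashing so that harmless typing variations are accepted (usability), stored only as salted PBKDF2 hashes so a leaked store does not reveal them directly (security and privacy), and compared in constant time. The function names, the PBKDF2 parameters and the sample registration records are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# All helper names and parameters below are hypothetical choices for this
# illustration; they are not the chapter's own design.


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so that case, surrounding or repeated whitespace
    and Unicode form differences do not cause a false rejection."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def register_answer(answer: str, iterations: int = 100_000) -> dict:
    """Store a registered answer as a salted PBKDF2-HMAC-SHA256 hash.

    The clear-text answer is never kept, so a copy of the answer store does
    not directly disclose the personal information behind each question."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations
    )
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash for a presented answer and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        record["salt"],
        record["iterations"],
    )
    return hmac.compare_digest(digest, record["hash"])


def verify_all(records: dict, candidates: dict) -> bool:
    """Require every registered question to be answered correctly.

    Every registered answer is checked even after one fails, so the response
    time does not reveal which question was answered wrongly."""
    ok = set(candidates) == set(records)
    for question, record in records.items():
        presented = candidates.get(question, "")
        if not verify_answer(record, presented):
            ok = False
    return ok


# Constructed sample registration for a demonstration account (not real data).
SAMPLE_RECORDS = {
    "mother_maiden_name": register_answer("  O'Brien "),
    "date_of_birth": register_answer("1970-01-01"),
}

if __name__ == "__main__":
    presented = {"mother_maiden_name": "o'brien", "date_of_birth": "1970-01-01"}
    print("all answers accepted:", verify_all(SAMPLE_RECORDS, presented))
```

The normalisation step is where usability and security trade off: accepting more variation lowers false rejections for the legitimate user but also shrinks the answer space a guesser has to cover, so the canonicalisation rules should be chosen per question type rather than applied blindly.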

While systems today use challenge questions for recovering forgotten passwords, they can be used more broadly for other forms of authentication, such as routine user login. This chapter focuses on password recovery but considers other applications as appropriate.

Challenge Questions as a Form of Authentication

Most people are familiar with passwords as a form of authentication. Passwords or Personal Identification Numbers (PINs) are two examples of using “something you know” in order to authenticate. Biometrics, such as a fingerprint or voice recognition, represent “something you are,” and a physical token, such as a bank card, represents “something you have.” These three “something” categories are the common ...
