
What is challenge-response authentication?

In computer security, challenge-response authentication is a family of protocols in which one party (the verifier) issues a challenge and the other party (the prover) must return a response that only someone holding the correct secret could produce. Access to the protected asset or service is granted or denied on the strength of that response. The challenge can be as simple as a prompt for a password or as dynamic as a randomly generated value that must be transformed with a key. From login verification to CAPTCHAs and machine learning (ML) training, challenge-response is a widely used building block for protecting sensitive information, identifying suspicious behavior and blocking automated programs.

Challenge-response authentication uses challenge-response authentication mechanisms (CRAMs) to limit access to, and control and use of, digital resources to authorized users and activities, and to keep bad actors out.

If a suspicious mobile application or malware program requests access to a set of photos but cannot produce the correct response to the challenge, it is denied access. Challenges aren't limited to questions and answers; they can involve more complicated tasks, such as decrypting a value or computing a keyed hash over data the verifier supplies.

How does challenge-response authentication work?

In its simplest form, a CRAM is composed of two components: a challenge and a response. The challenge is designed so that only an authorized user can produce the correct response. Users who respond correctly are given access to whatever digital materials the CRAM safeguards.

Though this is a simple premise, the tools, knowledge and information required to pass these challenges can become quite complex. The authentication process involves these steps:

  1. A user requests access to a protected network or system.
  2. The CRAM presents the user with a challenge, prompting a response.
  3. The user attempts the challenge and enters a response.
  4. The correct response allows entry; an incorrect response denies it.

Types of challenge-response questions

There are two types of challenge-response questions: static and dynamic. Each varies in terms of complexity and response variability:

  • Static challenges. These are requests that can be satisfied using the same answer or process every time. Common static challenges include the password recovery questions one must answer to verify identity or the passcode for the lock screen on a smartphone.
  • Dynamic challenges. These require a different answer with each attempt because the challenge itself changes, typically a random value (a nonce) that the user or device must transform with a secret. Some financial institutions issue account holders a small hardware security token that displays a one-time code or accepts a challenge and computes the response. Such devices add a possession factor to the process, which makes it harder for cybercriminals to exploit a stolen password alone. Because a fresh challenge invalidates earlier responses, dynamic challenges prevent replay attacks. They do not by themselves stop an active man-in-the-middle who relays the challenge to the legitimate user and forwards the answer; defeating that requires binding the exchange to the transport channel, for example by running it over TLS with channel binding.
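The following Python example, added here and not part of the original article, walks the four-step exchange above for both challenge types and shows why only the dynamic one resists replay. The shared secret and the choice of HMAC-SHA256 as the response function are assumptions for the demonstration; the article does not prescribe a particular function.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed shared secret for the demo; in practice provisioned out of band.
SHARED_SECRET = b"correct horse battery staple"


class StaticVerifier:
    """Static challenge: the prompt is the same every time and the response is
    the secret itself, so anything captured on the wire can be replayed."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def verify(self, response: bytes) -> bool:
        return hmac.compare_digest(response, self._secret)


class DynamicVerifier:
    """Dynamic challenge: a fresh random nonce per attempt; the response is
    HMAC-SHA256(secret, nonce). The secret never crosses the wire and a captured
    response is useless once its nonce has been consumed or has expired."""

    def __init__(self, secret: bytes, ttl_seconds: float = 30.0) -> None:
        self._secret = secret
        self._ttl = ttl_seconds
        self._outstanding: Dict[bytes, float] = {}  # nonce -> issue time

    def challenge(self, now: Optional[float] = None) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding[nonce] = time.time() if now is None else now
        return nonce

    def verify(self, nonce: bytes, response: bytes, now: Optional[float] = None) -> bool:
        issued = self._outstanding.pop(nonce, None)  # single use: consumed here
        if issued is None:
            return False  # unknown or already-used nonce
        now = time.time() if now is None else now
        if now - issued > self._ttl:
            return False  # challenge expired
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def compute_response(secret: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the secret for this specific nonce."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def replay_against_static() -> tuple:
    """An eavesdropper who captured the legitimate response replays it."""
    v = StaticVerifier(SHARED_SECRET)
    captured = SHARED_SECRET  # exactly what went over the wire
    return v.verify(captured), v.verify(captured)  # both succeed


def replay_against_dynamic() -> tuple:
    """The same eavesdropper against the nonce-based scheme."""
    v = DynamicVerifier(SHARED_SECRET)
    nonce = v.challenge()
    captured = compute_response(SHARED_SECRET, nonce)
    first = v.verify(nonce, captured)      # legitimate use
    replayed = v.verify(nonce, captured)   # nonce already consumed
    fresh = v.challenge()
    cross = v.verify(fresh, captured)      # old response against a new nonce
    return first, replayed, cross


def expired_challenge() -> bool:
    """A correct response that arrives after the nonce's lifetime is rejected."""
    v = DynamicVerifier(SHARED_SECRET, ttl_seconds=30)
    nonce = v.challenge(now=1000.0)
    return v.verify(nonce, compute_response(SHARED_SECRET, nonce), now=1031.0)


if __name__ == "__main__":
    print("static replay :", replay_against_static())
    print("dynamic replay:", replay_against_dynamic())
    print("expired       :", expired_challenge())
```

The verifier consumes each nonce on first use and rejects stale ones, which is what defeats replay. Note what it does not do: an attacker sitting between the two parties who relays the nonce to the real client and forwards the client's HMAC still passes, because nothing in the response ties it to the connection the attacker is using. That is why the exchange is normally carried inside TLS or bound to the channel.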

Challenge-response authentication isn't exclusive to digital use. The U.S. military has used the DRYAD Numeral Cipher/Authentication System, a paper cryptographic system introduced during the Cold War, to authenticate the identities of radio users. DRYAD ensured the people on either end of a radio connection were who they said they were and not impostors.

Both parties hold the same printed key page. To authenticate, one operator reads out a position on the page as the challenge, and the other must reply with the letter found there, which only someone holding the current page can do. DRYAD illustrates that challenge-response methods don't have to take the form of a question; they can be numerical or alphabetical permutations that require a designated response.

The most familiar challenge-response protocol is password authentication: the challenge is the login prompt, and the response is the word, phrase or code that unlocks the device, network or program. In this simplest form the secret itself is transmitted, so the strength of the scheme rests on the confidentiality of the channel and the secrecy of the password. Often, this exchange is the only thing preventing a criminal from accessing sensitive files, credentials and information stored in a computer system, and activities such as online banking would be impractical without some form of CRAM.

How challenge-response authentication is used

Challenge-response is a barrier used to protect assets from unauthorized users, activities, programs and internet of things devices. It forces attackers to satisfy one or more challenges before they can get past the barrier and reach the protected material.

For instance, a bank might use challenge-response authentication to build a multifactor authentication (MFA) process. MFA combines CRAMs that draw on different kinds of evidence: something the user knows, something the user has and something the user is.

[Figure: list of requirements issued in multifactor authentication. Multifactor authentication requires the user to satisfy several challenges of different kinds in one login.]

A two-factor authentication process might require the user to enter the correct password (knowledge) and also receive and enter a code sent to a registered email address or device (possession). Some MFA flows also ask a personal question, such as "What is your mother's maiden name?"; note that such a question draws on the same knowledge factor as the password and its answer is often researchable, so it hardens the challenge but does not add a second factor.

Login authentication isn't the only place where challenge-response authentication is used. Two other areas where CRAMs often play a role are human verification and ML training.

Human verification

When users log into a website, they're sometimes asked to complete a series of challenges to prove they're not a robot. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) technology is commonly used for this purpose. A typical challenge to verify human activity is to have the user select images that contain a specific item or object, such as a fire hydrant or traffic light.

Challenges like this are designed to block programs or bots from accessing webpages and activities and prevent other cybersecurity issues. E-commerce sites often verify users to prevent bots from buying up massive amounts of products using fraudulent or stolen information or in ways that degrade site performance.

Machine learning training

Machine learning is used in cybersecurity to comb systems for suspicious or dangerous behavior at a scale no human team could match. Challenge-response puzzles also feed ML models: the human answers collected by CAPTCHA-style challenges (which images contain a traffic light, how a distorted word reads) become labeled training data, and models can be scored against those human answers. Over time, the model learns from human examples to inform its future decisions.

Examples of challenge-response authentication systems

Beyond the basic case of verifying a user's password, challenge-response authentication systems can be classified by the cryptographic algorithms and techniques they use to secure the exchange.

Challenge-response commonly incorporates the following authentication technologies:

  • Secure Shell protocol. SSH public key authentication is a challenge-response exchange: the client's public key is registered on the server, and the server requires the client to sign data that includes the unique session identifier with the matching private key. The private key never leaves the client. In the other direction, the server proves its identity with its host key during key exchange.
  • Zero-knowledge password proof systems. These use cryptographic methods to confirm to each party that they have a correct password without sharing that password.
  • Challenge-Handshake Authentication Protocol. CHAP (RFC 1994) uses a three-way handshake: the authenticator sends a challenge containing a random value and an identifier; the peer responds with the MD5 hash of the identifier, the shared secret and the challenge; the authenticator computes the same hash and replies with Success or Failure. Matching values permit the connection; a mismatch terminates the session. Because the hash is computed over the secret itself, the authenticator must store the secret in recoverable form, a weakness SCRAM was designed to avoid.
  • OATH Challenge-Response Algorithm. OCRA (RFC 6287), developed by the Initiative for Open Authentication (OATH), is an HMAC-based algorithm that extends the HOTP one-time-password scheme so that the code is computed over a server-supplied challenge (optionally combined with a session value or timestamp) rather than a counter alone, giving cryptographically strong challenge-response and mutual authentication.
  • Biometrics. Biometric authentication involves users proving their identities with physical attributes not shared by unauthorized users, though this process has faced certain ethical and legal challenges.
  • Salted challenge-response authentication mechanism. SCRAM (RFC 5802, with SCRAM-SHA-256 in RFC 7677) salts and iterates the password with a PBKDF2-style function and derives keys from the result, so the server stores only values from which the password cannot be recovered. The client proves knowledge of the password against a server-supplied nonce, and the server returns its own signature so the authentication is mutual. A salted, iterated hash is far harder to attack offline than a plaintext or unsalted password.
  • CAPTCHA. This method distinguishes humans from automated bots, ensuring certain activities, such as account creation, are exclusive to authorized human users. CAPTCHA isn't always a CRAM, but challenge-response authentication systems can incorporate this approach.
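An added worked example, not from the article or from any of the listed specifications' own code, of the SCRAM-SHA-256 computations described in the SCRAM item above. It also illustrates the zero-knowledge password proof item: the password never leaves the client, and the server holds only derived keys. Nonces, salt and iteration count are the values from the example exchange in RFC 7677, and the message formatting follows RFC 5802; the user name "user" and password "pencil" are the RFC's, and no channel binding is assumed (the `c=biws` attribute).

```python
from __future__ import annotations

import base64
import hashlib
import hmac
from dataclasses import dataclass


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-256 and a 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


@dataclass
class StoredCredential:
    """All the server keeps. StoredKey = H(ClientKey) cannot be replayed as a
    proof, and neither value reveals the password."""
    salt: bytes
    iterations: int
    stored_key: bytes
    server_key: bytes


def enroll(password: str, salt: bytes, iterations: int) -> StoredCredential:
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    server_key = _hmac(salted, b"Server Key")
    return StoredCredential(salt, iterations, _h(client_key), server_key)


def auth_message(client_first_bare: str, server_first: str,
                 client_final_without_proof: str) -> bytes:
    return ",".join((client_first_bare, server_first,
                     client_final_without_proof)).encode("utf-8")


def client_proof(password: str, salt: bytes, iterations: int, auth_msg: bytes) -> bytes:
    """Client: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    client_signature = _hmac(_h(client_key), auth_msg)
    return _xor(client_key, client_signature)


def verify_client_proof(cred: StoredCredential, auth_msg: bytes, proof: bytes) -> bool:
    """Server: unmask ClientKey from the proof and check H(ClientKey) == StoredKey."""
    client_signature = _hmac(cred.stored_key, auth_msg)
    recovered_client_key = _xor(proof, client_signature)
    return hmac.compare_digest(_h(recovered_client_key), cred.stored_key)


def server_signature(cred: StoredCredential, auth_msg: bytes) -> bytes:
    """Server: ServerSignature = HMAC(ServerKey, AuthMessage), sent as v=..."""
    return _hmac(cred.server_key, auth_msg)


def client_verify_server(password: str, salt: bytes, iterations: int,
                         auth_msg: bytes, signature: bytes) -> bool:
    """Client: recompute ServerKey from the password and check the signature;
    this step is what makes SCRAM mutual."""
    salted = hi(password.encode("utf-8"), salt, iterations)
    expected = _hmac(_hmac(salted, b"Server Key"), auth_msg)
    return hmac.compare_digest(expected, signature)


def run_exchange(enrolled_password: str, attempt_password: str) -> tuple:
    """One SCRAM-SHA-256 exchange. Nonces, salt and iteration count are the
    values from the RFC 7677 example, so with 'pencil' on both sides the proof
    can be compared with the published vector."""
    user = "user"
    c_nonce = "rOprNGfwEbeRWgbNEkqO"
    s_nonce = c_nonce + "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
    salt_b64 = "W22ZaJ0SNY7soEsUEjb6gQ=="
    salt = base64.b64decode(salt_b64)
    iterations = 4096

    cred = enroll(enrolled_password, salt, iterations)
    client_first_bare = f"n={user},r={c_nonce}"
    server_first = f"r={s_nonce},s={salt_b64},i={iterations}"
    client_final_wo = f"c=biws,r={s_nonce}"  # c=biws is base64("n,,"): no channel binding
    msg = auth_message(client_first_bare, server_first, client_final_wo)

    proof = client_proof(attempt_password, salt, iterations, msg)
    client_ok = verify_client_proof(cred, msg, proof)
    if not client_ok:
        return False, False, base64.b64encode(proof).decode()
    sig = server_signature(cred, msg)
    server_ok = client_verify_server(attempt_password, salt, iterations, msg, sig)
    return client_ok, server_ok, base64.b64encode(proof).decode()


if __name__ == "__main__":
    print(run_exchange("pencil", "pencil"))
    print(run_exchange("pencil", "pencils"))
```

Two properties are worth tracing in the code. The proof is bound to the full AuthMessage, which contains both nonces, so a captured proof cannot be replayed against a later exchange. And the server's verification only ever unmasks ClientKey transiently; an attacker who dumps the credential store gets StoredKey and ServerKey, which are enough to impersonate the server to a client but not the client to this server, and neither yields the password without an offline attack against the iterated hash.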

Advantages and disadvantages of challenge-response authentication

There are multiple advantages to using CRAM approaches, including the following:

  • Added security layers. Strong authentication measures ensure a system is resistant to various cyberattacks. Having at least one added security layer is especially important for systems safeguarding sensitive information.
  • Compliance. Challenge-response methods, such as MFA, help organizations comply with evolving laws and regulations -- especially data privacy laws -- if their systems use sensitive data.
  • Data breach risk reduction. A breach costs more than the lost or stolen data itself; an organization might also face reputational damage and legal fees. Challenge-response authentication is an important tool for stopping credential-based intrusions before they become breaches.

Challenge-response authentication also comes with the following disadvantages:

  • Management complexities. Challenge-response authentication adds complexities to an IT team's tasks.
  • Potential for stolen credentials. Users often recycle the same passwords or similar credentials for multiple accounts; if a malicious actor steals one, multiple accounts are compromised. With a static challenge, the server can't tell whether a login attempt with a stolen password comes from a bad actor or a trusted user; only a second factor or a possession-based dynamic challenge makes that distinction.
  • Added resources. Because these authentication credentials aren't immune to cyberthreats, additional resources -- such as firewalls -- are required to protect IT infrastructure.

Best practices for challenge-response authentication

How well an organization designs, implements and deploys its challenge-response authentication methods has a significant effect on its overall security posture. Businesses should consider the following best practices and guidelines for ensuring high-quality challenge-response authentication:

  • Implement an automated enrollment system to invite users to complete their challenge-response profiles.
  • Avoid questions with answers that can be guessed or researched.
  • Use questions that users can remember.
  • Use a combination of standardized and user-selected questions. User-generated questions are harder for an attacker to anticipate and, therefore, harder to guess.
  • Use multiple tiers of questions. Ask standard questions first and then ask user-generated questions after the first set has been correctly answered.
  • Avoid asking the user to respond to more than six questions during the authentication process to discourage frustration and keep abandon rates low.
  • Don't display answers to challenge questions. Doing so can expose them to malicious eavesdropping.
  • Protect all data used for authentication, particularly a user's answers to personal challenge questions. Answers only ever need to be compared, so store them as salted, slow hashes (after normalizing case and whitespace) rather than in reversible form, and encrypt the surrounding data at rest.
  • Lock user accounts after a specified number of failed authentication attempts, and pair lockout with rate limiting or progressive delays so that an attacker cannot use the lockout itself to deny service to legitimate users.
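As an added example that is not part of the article, the following Python implements the last three practices for a stored security-question answer: normalization, a salted slow hash instead of reversible storage, constant-time comparison and lockout after a fixed number of failures. The threshold of five, the scrypt parameters and the sample answer are assumptions chosen for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass


@dataclass
class AnswerRecord:
    """Stored per question: only a salt and a slow hash of the normalized answer."""
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


MAX_FAILURES = 5                       # assumed lockout threshold
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed cost parameters (16 MiB)


def normalize(answer: str) -> bytes:
    """Collapse differences a legitimate user would not notice: Unicode form,
    letter case, and surrounding or repeated whitespace."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split()).encode("utf-8")


def _hash(answer: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(answer, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def enroll_answer(answer: str) -> AnswerRecord:
    salt = os.urandom(16)
    return AnswerRecord(salt=salt, digest=_hash(normalize(answer), salt))


def check_answer(record: AnswerRecord, attempt: str) -> bool:
    """Constant-time compare; lock the record after MAX_FAILURES wrong attempts.
    A locked record rejects even a correct answer until an out-of-band reset."""
    if record.locked:
        return False
    ok = hmac.compare_digest(_hash(normalize(attempt), record.salt), record.digest)
    if ok:
        record.failures = 0
        return True
    record.failures += 1
    if record.failures >= MAX_FAILURES:
        record.locked = True
    return False


def demo() -> tuple:
    """Constructed walk-through: normalization, a wrong answer, lockout."""
    rec = enroll_answer("  O'Brien ")
    matched = check_answer(rec, "o'brien")     # normalization makes this match
    wrong = check_answer(rec, "obrien")        # genuinely different answer
    for _ in range(MAX_FAILURES - 1):
        check_answer(rec, "wrong")             # push the counter to the threshold
    after_lock = check_answer(rec, "o'brien")  # correct, but the record is locked
    return matched, wrong, rec.locked, after_lock


if __name__ == "__main__":
    print(demo())
```

The lockout is deliberately a property of the stored record, not of the session, so an attacker cannot reset it by opening a new connection. The flip side is that anyone who knows a victim's user name can lock that victim out by sending five wrong answers; in production the counter is better paired with per-source rate limiting and a recovery path that does not itself rely on the locked question.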


This was last updated in February 2025
