Challenge/Response, also known as Knowledge-Based Authentication, utilizes previously answered challenge questions to authenticate a user. Challenge/Response questions can be configured to be used in lieu of a password or to reset “something” a user should know, like a PIN or a password.
How Challenge/Response Questions Work With RapidIdentity MFA
During enrollment, a user makes selections from a library or predefined challenge questions or creates his or her own questions and then provides corresponding answers. The user’s answers are then encrypted and stored in the RapidIdentity Server.
Challenge/Response questions can be used as part of RapidIdentity MFA’s workflow process for Risk-Based Authentication when a user triggers the risk threshold. If the risk threshold is triggered, the user must then logon with an approved form of authentication or provide correct answers to three challenge questions. Challenge/Response may also be used with RapidIdentity as an emergency access option for Self-Service Password Reset or to reset a PIN. Additionally, Challenge/Response can be used with emergency access to immediately logon to Windows. However, this is discouraged, since it violates specific security policies, such as CJIS.
Identity Automation partners with our customers to ensure this technology is implemented in a way that does not create a weak link in an organization’s security program, while providing flexible authentication options.
Challenge/Response Question Benefits
- Can be used in lieu of a password
- Quick and easy for the user to set-up
- Very low cost to implement and maintain
- Self-service nature lowers password reset help desk calls
- Useful as an emergency access option
