Challenge-response authentication is best known as the mechanism behind one-time passwords (OTPs), but it is used well beyond them: CHAP (Challenge Handshake Authentication Protocol), which authenticates peers in PPP (Point-to-Point Protocol), is a challenge-response protocol, and Wi-Fi access points use the same pattern to check that a joining device holds the network key.
In this method, the client (the entity being authenticated) sends an authentication request to the server (the entity performing the authentication), identifying itself with a user ID. The server responds with a freshly generated random value, the "challenge," and sends it to the client; because the server holds the same shared secret (the client's password, or a key derived from it), it can also compute the expected response on its own. The client combines the challenge with its password through a keyed hash and returns the result as the "response." The server compares the client's response with the value it computed, using a constant-time comparison so that the check does not leak timing information. If the two match, authentication succeeds. Two properties carry the security of the scheme: the challenge must be unpredictable, so the client cannot prepare a response in advance, and it must be used only once, so a response observed on the wire cannot be replayed.
Since every challenge is fresh and random, each response is valid for exactly one exchange, so an attacker who intercepts the traffic cannot simply replay it to log in, and the password itself never crosses the network. Interception is not harmless, though. A captured challenge/response pair lets an attacker test password guesses offline, without contacting the server, so a weak password offers little protection even when the protocol is sound (CHAP's unkeyed MD5 construction is especially exposed to this), and a man-in-the-middle who relays the challenge and response between the client and the real server can succeed unless the exchange is bound to the channel it runs over. And if the password itself is stolen, unauthorized access remains a risk no matter how the exchange is constructed.
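The exchange described above, as an added example that is not code from the original page or from F5: a minimal server that issues single-use challenges and a client that answers them with HMAC-SHA256 over a shared secret. It also shows the caveat from the preceding paragraph, namely what a passive eavesdropper can do with one captured challenge/response pair. The names (`Server`, `compute_response`, `client_authenticate`, `offline_guess`), the 30-second freshness window and the sample user entries are assumptions made for illustration, not any real product's API.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

CHALLENGE_TTL_SECONDS = 30.0  # assumed freshness window; tune per deployment


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """Keyed hash of the challenge under the shared secret (HMAC-SHA256 here)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Server:
    """Authenticating side: issues challenges and checks responses."""

    def __init__(self, users: Dict[str, bytes]):
        # user_id -> shared secret. A CHAP-style server must hold the secret
        # itself (or something equivalent), because it computes the expected
        # response locally. Sample entries are constructed for this example.
        self.users = users
        self.pending: Dict[str, Tuple[bytes, float]] = {}

    def issue_challenge(self, user_id: str) -> bytes:
        if user_id not in self.users:
            raise KeyError(f"unknown user {user_id!r}")
        # 128 bits from a CSPRNG: unpredictable and, in practice, never repeated.
        challenge = secrets.token_bytes(16)
        self.pending[user_id] = (challenge, time.monotonic())
        return challenge

    def verify(self, user_id: str, response: bytes) -> bool:
        # Consume the challenge whatever the outcome, so one challenge allows
        # at most one verification attempt: no replay, no repeated guessing.
        entry = self.pending.pop(user_id, None)
        if entry is None:
            return False
        challenge, issued_at = entry
        if time.monotonic() - issued_at > CHALLENGE_TTL_SECONDS:
            return False  # stale challenge; the client must start over
        expected = compute_response(self.users[user_id], challenge)
        # Constant-time comparison; a plain == would leak the matching prefix length.
        return hmac.compare_digest(expected, response)


def client_authenticate(server: Server, user_id: str, secret: bytes) -> bool:
    """Client side of the exchange: request a challenge, answer it."""
    challenge = server.issue_challenge(user_id)
    return server.verify(user_id, compute_response(secret, challenge))


def offline_guess(challenge: bytes, response: bytes,
                  candidates: List[bytes]) -> Optional[bytes]:
    """What a passive eavesdropper can do with one captured pair: test password
    guesses offline, with no further contact with the server. The keyed hash does
    not protect a weak password from this; only a strong secret does."""
    for cand in candidates:
        if hmac.compare_digest(compute_response(cand, challenge), response):
            return cand
    return None


if __name__ == "__main__":
    srv = Server({"alice": b"correct horse battery staple"})  # constructed sample user
    print("good secret:", client_authenticate(srv, "alice", b"correct horse battery staple"))
    print("bad secret: ", client_authenticate(srv, "alice", b"wrong"))
    # An eavesdropper captures one exchange and tries to replay it.
    ch = srv.issue_challenge("alice")
    resp = compute_response(b"correct horse battery staple", ch)
    print("first use:  ", srv.verify("alice", resp))
    print("replay:     ", srv.verify("alice", resp))
```

Two design points are worth noting. The challenge is removed from `pending` before the response is checked, so a wrong answer cannot be retried against the same challenge, and a response captured from a successful login fails on replay. And `offline_guess` recovers the secret from a single captured pair as soon as it appears in the candidate list, which is why the scheme's security reduces to the strength of the shared secret once traffic can be observed.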
To mitigate this risk, OTP systems built on challenge-response typically add a second factor. Users first enter their ID and password, but the challenge-response step takes place over a separate channel and device, such as a smartphone. Common delivery methods for the challenge include SMS messages, email, or a dedicated smartphone app. Because the login then depends on two independent factors (something the user knows and something the user has), it is commonly called "two-factor authentication" or "two-step verification."
F5’s BIG-IP Access Policy Manager (APM) simplifies the implementation of challenge-response OTP systems, making it easier for organizations to adopt this secure authentication method.