Challenge Response Authentication: What it is and How to Enable it

What is Challenge Response Authentication Mechanism?

Challenge Response Authentication Mechanism is also called CRAM. It refers to a set of protocols that helps validate actions to protect digital assets and services from unauthorized access. This protocol usually has two components – a question and a response – where a verifier presents a challenge to a user, who must provide a correct answer for authentication. Challenge-response protocols can be as simple as a password or a dynamically generated request.

A challenge response authentication mechanism provides businesses with an easy-to-use tool that they can use to control access to sensitive information and identify bad actors.

challenge-response authentication

Types of challenge-response mechanisms

Challenge-response authentication is not a new approach. It has been in use since the early 20th century, when the US military used a paper cryptographic system called DRYAD to authenticate radio users. In this system, users at both ends would read out numbers corresponding to a combination of letters to verify their identities.

In the digital realm, there are two main types of challenges as described below:

Static: True to their name, static challenges are protocols where responses do not change over time. These challenges allow users to select a challenge for authentication purposes. The case of ‘forgot password’ is an example of a static challenge. Here, when a user forgets the password, he can reset the password by answering a security question that he saved while setting up the account. The answers to these questions remain static, that is, they do not change over a period of time. 

Dynamic: In this approach, users must respond to a challenge presented dynamically. These dynamic challenges are based on the premise that if the user is real, he will have a valid answer to the challenge. Therefore, the answers may be different for every challenge. For instance, a one-time password (OTP) or randomly generated token that the user must input to complete the authentication process.

Examples of challenge-response authentication systems

Challenge-response authentication is a method that businesses use to stop bad actors – as well as bots and scripts – from accessing crown-jewel business assets. Commonly used challenge response authentication mechanisms are:

  • CAPTCHA: An automated method to distinguish between humans and bots, CAPTCHA is designed to prevent bots from disseminating spam, registering fake new accounts and hacking into genuine user accounts.
  • Password: A server validates the password provided by the user with the correct password.
  • Biometrics: To authenticate themselves users must provide their biometric details (such as iris or fingerprint scans) that are matched with those saved in the authentication system.
  • Salted Challenge Response Authentication Mechanism (SCRAM): A hashed challenge is used such that the password can be used only once. The server validates the user-provided hash by matching with the saved hash, protecting the password from exposure through replay or man-in-the-middle attacks.
  • SSH (Secure SHell): This is a cryptographic network protocol that facilitates secure operation of network services securely over an unsecured network. It authenticates communication sessions between servers using a public key infrastructure (PKI).
  • Password proof system: This is a cryptographic method that helps verify passwords between two users without sharing their passwords mutually.
  • Challenge-Handshake Authentication Protocol: CHAP is a three-way handshake where hash values are generated and verified between the authenticating system, challenge message, and the local system. If these hash values match, further action is allowed else the session is terminated.
  • OATH Challenge-Response Algorithm: Developed by the Initiative for Open Authentication, OCRA is a cryptographically strong challenge-response authentication protocol.
  • YubiKey: This method uses HMAC-SHA1 and Yubico OTP for authentication. In HMAC-SHA1, a string acts as a challenge and hashes the string with a stored secret, whereas Yubico OTP creates a Yubico OTP code encrypted using a stored AES key.
  • MD5: In this mechanism, the RADIUS server directs a challenge to the client, which creates an MD5 hash of the challenge and the password that the user enters. These are then sent back to the server which uses the correct plaintext password from the database to validate the MD5 hash.

Uses of challenge-response authentication

Challenge-response authentication is mainly used in the following three areas.

  • To verify passwords: When a user enters a password to log into a digital account, the password is matched with that saved on the server. In case the two passwords match, the user is successfully authenticated and allowed to continue with the onward digital journey. In case of a mismatch, appropriate countermeasures are used.
  • To distinguish between bots and humans: Bot attacks can disrupt business operations and degrade user experience. For instance, scalper bots can shop items in bulk during an online sale event, denying genuine consumers a fair chance to score a deal. Bad actors deploy bots and use stolen consumer details to complete unauthorized transactions at scale. Many businesses use challenge-response authentication for human verification to stop bots by affording consumers an opportunity to prove they are not bots. One of the common examples of human verification challenge-response authentication is CAPTCHA.

  • To train machine learning programs: Challenge-response authentication trains machine learning and artificial intelligence programs to solve complex programs. For instance, they are made to solve human verification puzzles and the outcome is matched with that of a human user. The programs learn from the feedback which improves their decision-making over time.

Limitations of challenge-response authentication

Although commonly used challenge-response authentication methods are useful in authenticating consumers, they have their own limitations. One of the most pressing problems is with passwords. Often, consumers reuse and recycle their passwords across multiple digital accounts. One successful account takeover attack can result in compromising multiple accounts. The server cannot ascertain whether the person providing the password is a genuine user or an impostor using stolen consumer details. If the impostor provides the correct password, the system will allow access to the system.

The latest CRAMs such as SCRAM use cryptography to match the hashes such that passwords are not exposed.


Challenge-response authentication refers to protocols where users provide answers in response to system-generated challenges to authenticate themselves.

Challenge-response authentication mechanisms enable businesses to identify and stop bots and automated scripts from accessing their digital assets.


The key elements of a challenge-response authentication mechanism are system-generated challenge (or question) and user response (or answer). Together the challenge and response elements help authenticate users for onward digital journeys.

Some commonly used challenge-response authentication mechanisms include CAPTCHA, Password, Biometrics, Salted Challenge Response Authentication Mechanism (SCRAM), SSH (Secure SHell), Password proof system, Challenge-Handshake Authentication Protocol (CHAP), OATH Challenge-Response Algorithm (OCRA), YubiKey, and MD5.

Traditional step-up authentication solutions are failing to stop fraud attacks at scale, without killing businesses’ conversion rates. Unlike other CRAMs, Arkose Labs adopts a ‘clear box’ approach to deliver actionable insights. It provides clear explanations for risk classifications and flexibility to segment traffic for remediation – through proprietary challenge-response technology. This combination of transparency and dynamic attack response allows fraud and security teams to confidently navigate suspicious traffic when trust signals are unclear.


Using real-time signals, the dynamic risk engine analyzes signals for suspicious behaviors. Embedded machine learning, historical attack pattern calibration, and anomaly detection help continuously improve the decision models to adapt to evolving attack tactics. The traffic is segmented according to the risk assessment to inform the challenge-response mechanism into presenting an appropriate challenge to the user.

Arkose Enforce generates 3D images in real-time which are tailored to the risk profile. Attackers cannot bypass these challenges at scale which undermines the profitability of attacks, ensuring websites and apps become less attractive for an attack.

Arkose Labs’ arsenal includes a variety of challenges including: 

  • Introductory: To help assess the legitimacy of a user never seen before on the Arkose Labs network.
  • Basic bots: To identify basic automated attacks and deploy challenges that eliminate this traffic.
  • Click-farm: To erode the returns from the attack by wasting the time, effort, and resources of click-farms with more complex challenges.
  • Proof of activity: For users who have been flagged in low-risk scenarios.
  • Proof of work: To test responses of a device using interactive requests that are invisible to users.
  • Acid test: To distinguish between trained bots and humans using randomized challenges that defeat automated solvers.