When information systems restrict access, controlling the authentication of individuals can be extremely important to ensure that only authorized users are allowed to interface with such systems. Authentication may be required to verify a user or device in order to, for instance, allow access, approve a transaction, reset a password, grant authority to others, allow access to a physical resource connected to the device (e.g., a door lock), and the like.
Traditionally, service providers have relied on a username/password or PIN to authorize access. More recently, industry practice has veered away from reliance on such knowledge factors alone and instead moved toward multi-factor authentication. Multi-factor online authentication typically requires a user to enter a username and password, as well as satisfy one or more authentication factors. There are generally three categories of authentication factor: a knowledge factor (e.g., something only the user knows, such as a password or challenge response), a possession factor (e.g., something only the user has, such as a cell phone), and an inherence factor (e.g., something only the user is, such as face/voice/fingerprint matching).
Even with multi-factor authentication, the user typically has to remember his or her username and password. Often, as the number of accounts a user holds with different service providers increases, the user may forget the knowledge-based authentication information associated with the various accounts. To address this, many authentication systems are configured to enable users to reset or email passwords and to provide hints that aid the user's responses to knowledge-based queries.