Account Recovery Challenges: Secure and Usable Authentication
Date: May 2009
Publication: Information Security Summit 2009
Source 1: http://groups.inf.ed.ac.uk/security/KBA/papers/IS22009.pdf
Abstract or Summary:
Challenge questions represent the most popular practice today for supporting account recovery. In case a user forgets their memorized password, it is hoped that they'll be able to recall the answers to their challenge questions. In theory, it seems like a good idea: the answer to the questions should be information that is already known to the user. Challenge questions are even being used to complement password authentication; in addition to a password, users are asked for the answer to one of their questions. Despite their ubiquity, we know surprisingly little about the security and usability of challenge question authentication solutions. In this short article, we review the state-of-the-art in this area.