A personal computing device, server or other type of processing device authenticates a user attempting to access a protected resource by verifying user knowledge of one or more extracted characteristics of stored information indicative of an internal operating state of that resource. The one or more extracted characteristics are characteristics that would likely be known to the user if that user had made one or more previous authenticated accesses to the protected resource. For example, the extracted characteristics may be indicative of a manner in which the user had utilized the protected resource during the one or more previous authenticated accesses to the protected resource. The processing device receives input from the user regarding the one or more extracted characteristics, and grants or denies access to the protected resource based at least in part on the input received from the user.