Authentication Flashcards

1
Q

Which authentication protocol is used by Microsoft Active Directory Domain Services?

802.1x

Kerberos

RADIUS

A

Kerberos

The Kerberos network authentication protocol is used by Microsoft Active Directory Domain Services (AD DS)

2
Q

Your organization requires a method for desktop computers to verify that the machine boots only with trusted operating systems. Which firmware components must be present to meet this requirement? (Choose two.)

EAP

HSM

UEFI

TPM

A

UEFI

TPM

When a computer system is turned on, the first firmware instructions executed are either the Basic Input Output System (BIOS) or the newer Unified Extensible Firmware Interface (UEFI) standard, which supports security features such as secure boot and larger storage devices. When secure boot is enabled, only trusted operating systems (OSs) that have not been tampered with, such as by malware-infected OS boot files, are allowed to start on the computer. Trusted Platform Module (TPM) is a firmware chip within a computing device that ensures device boot integrity as well as storing cryptographic keys used to encrypt storage devices.

3
Q

Which configuration option enhances the user authentication process?

HSM

SSO

MFA

A

MFA

Multifactor authentication (MFA) uses two or more identity validation methods, each from different categories, such as a username and password (something you know) and a key fob (something you have)

4
Q

Which term best embodies a centralized network database containing user account information?

OpenID

SAML

Directory service

A

Directory service

A directory service, such as Microsoft Active Directory, serves as a central network database containing objects such as users, groups, applications, and various network configurations. In the current era of cloud computing, directory services can be hosted in the cloud without having to configure servers manually to support the directory service, and the cloud-based directory service can be synchronized with an on-premises directory service

5
Q

Which authentication example is considered multifactor authentication?

Username, password

Smartcard, key fob

Username, password, fingerprint scan

A

Username, password, fingerprint scan

Multifactor authentication uses two or more identity validation methods, each from different categories, such as a username and password (something you know) and a fingerprint scan (something you are). “Something you are” refers to biometric authentication, which can also include authentication through other unique personal characteristics related to face geometry, voice pattern, retinal and iris scans, as well as unique palm or finger vein patterns

6
Q

When authenticating to your cloud account, you must supply a username, password, and a unique numeric code supplied from a smartphone app that changes every 30 seconds. Which term is used to describe the changing numeric code?

SMS

TOTP

Virtual smartcard

A

TOTP

A time-based one-time password (TOTP) derives its value from the current time at which it is generated and normally expires within a short period of time, such as 30 seconds, as opposed to a static, unchanging code that does not expire. The closely related HMAC-based one-time password (HOTP) is a technique whereby a client device is synchronized with a server using a counter, and uses that counter instead of the current time to generate a unique code. TOTPs are normally delivered out-of-band on a different device, such as through a smartphone app (something you have), when a user attempts to authenticate with a username and password (something you know) from another device such as a laptop, thus constituting multifactor authentication.

7
Q

Which authentication protocol transmits user sign-in credentials in plain text over the network?

CHAP

TACACS+

PAP

A

PAP

The Password Authentication Protocol (PAP) is an older authentication standard that passes credentials over the network in clear text format, meaning that capturing those network transmissions reveals user credentials. PAP was often used for remote authentication such as for Point-to-Point Protocol (PPP) and virtual private network (VPN) connections

8
Q

Your organization is creating a web application that generates animated video from story text. Instead of requiring users to create an account with your organization before using the app, you want to enable users to sign in using their existing Google or Facebook accounts. What type of authentication is this?

Attested

Token key

Federated

A

Federated

Identity federation solutions use a centralized user identity store, eliminating the need for users to create and maintain user accounts for multiple web sites

9
Q

Which security hardware can be used for multifactor authentication?

Token key

TPM

HSM

A

Token key

A token key refers to a hardware device used for IT system authentication (something you have) that generates a unique value used in addition to other authentication factors such as a username and password (something you know)

10
Q

Which term best describes a user authenticating to a service and receiving a unique authentication code via a phone call?

Token key

Out-of-band authentication

Federation

A

Out-of-band authentication

Out-of-band authentication is used with multifactor authentication. An example is a user initiating a login to a web site from a laptop computer, where an authentication code is sent to the user’s smartphone and is required to complete authentication.

11
Q

Which type of authentication method measures the motion patterns of a person’s body movement?

SAML

Biometric

Gait analysis

A

Gait analysis

Gait analysis measures the way a person moves and can be used as an authentication measure

12
Q

A user complains that her new laptop occasionally does not allow fingerprint authentication. Which term best describes this situation?

Crossover error rate

False acceptance

False rejection

A

False rejection

An authentication system’s rejection of legitimate authentications is referred to as a false rejection rate (FRR). An example would be a 5 percent rejection rate, based on facial recognition authentication that does not correctly identify a user’s face

13
Q

A travelling employee is unable to authenticate to a corporate custom web application that is normally accessible when he’s at home. What type of authentication is in place for the custom web application?

Biometric

Federated

Geolocation

A

Geolocation

Geolocation is a form of authentication (where you are) that checks where a connection is originating from. Some web sites will not allow access to users who travel to foreign countries and attempt to log in to a web site

14
Q

Which of the following represents the correct sequence in which AAA occurs?

Authorization, authentication, accounting

Authentication, authorization, accounting

Accounting, authentication, authorization

A

Authentication, authorization, accounting

AAA refers to authentication (proving of one’s identity) which occurs first, followed by authorization (being granted resource access), and finally accounting (logging and auditing resource access). Centralized authentication systems such as RADIUS are AAA systems

15
Q

You have configured your smartphone authentication such that, using your finger, you connect points on a picture. Which type of authentication category does this apply to?

Something you are

Something you know

Something you do

A

Something you do

“Something you do” is an authentication category that includes actions such as drawing points on a picture using your finger

16
Q

You have forgotten your login credentials for a secure web site. The forgotten password mechanism on the site prompts you to enter your PIN before selecting a help desk user that will supply you with a reset code. Which type of forgotten password authentication mechanism is at work here?

Something you are

Somewhere you are

Someone you know

A

Someone you know

“Someone you know” is an authentication mechanism often used when resetting forgotten passwords, whereby a user must select a “helper” user that is trusted by the system to supply some kind of authentication detail, such as a unique user PIN, to enable the password reset.

17
Q

Cloud technicians in your organization have linked your on-premises Microsoft Active Directory domain to a cloud-based directory service. What benefit is derived from this configuration?

Multifactor authentication can be enabled.

User authentication will occur faster.

Users can authenticate to cloud apps using their on-premises credentials.

A

Users can authenticate to cloud apps using their on-premises credentials.

Cloud directory synchronization solutions such as Microsoft Azure AD Connect link to an on-premises directory service such as Microsoft Active Directory. This enables users to sign in to cloud apps using their familiar on-premises credentials.

18
Q

Which of the following is an example of authentication?

Accessing a secured part of a web site

Writing a log entry when users access sensitive files

Supplying a username and password

A

Supplying a username and password

Username and password (something you know) can be provided to authenticate a user and grant resource access

19
Q

Users complain that they cannot use different usernames and passwords for all of the web applications they use because there are too many to remember, so they use the same username and password for all of the web apps. You need to ensure that users maintain unique usernames and complex passwords for all web apps while minimizing user frustration. What should you deploy for users?

TPM

Token key

Password vault

A

Password vault

A password vault is an encrypted password store used by password manager software that can store usernames and passwords for applications and web sites the user accesses

20
Q

A malicious user has removed an encrypted drive from a TPM-enabled system and connected it to his own TPM-enabled computer. What will the outcome be?

The malicious user will have full access to the drive contents.

The malicious user will be unable to access the drive contents.

The drive contents will be erased automatically.

A

The malicious user will be unable to access the drive contents.

TPM is firmware that can store cryptographic keys used to protect data at rest. If the encrypted drive is moved to a different computer, then the correct decryption key is unavailable, resulting in the user being unable to access the drive contents

21
Q

Which fact is specific to the Challenge Handshake Authentication Protocol (CHAP)?

Passwords are sent over the network in encrypted form.

Passwords are sent over the network in plain text.

Passwords are never sent over the network.

A

Passwords are never sent over the network.

CHAP is an authentication standard that uses a three-way handshake whereby a hash derived from a secret known on both ends of the connection is verified, without ever sending that secret over the network.

22
Q

How does OAuth determine whether a user is permitted to access a resource?

PKI certificate

One-time password

Access token

A

Access token

Upon successful authentication, the OAuth protocol uses a token (and not the original credentials) generated by a trusted identity provider that represents an authenticated user or device to grant resource access, such as to a web application

23
Q

After successful authentication, which method can be used to transmit authorization details to a resource provider to grant resource access?

Kerberos

SAML

MFA

A

SAML

The Security Assertion Markup Language (SAML) standard is used to transmit authentication and authorization messages between users, centralized identity providers, and resource providers that trust the identity providers

24
Q

Which statements regarding OAuth are correct? (Choose two.)

OAuth passes encrypted user credentials to a resource provider.

OAuth tokens are issued by a resource provider.

OAuth tokens are consumed by a resource provider.

OAuth does not handle authentication.

A

OAuth tokens are consumed by a resource provider.

OAuth does not handle authentication.

After successful authentication, the OAuth protocol uses a token (and not the original credentials) generated by a trusted identity provider that represents an authenticated user or device to grant resource access, such as to a web application. The web application is a resource provider that would consume the token to grant access

25
Q

You need to configure VPN authentication methods that use PKI certificates. Which VPN configuration option should you choose?

PAP

CHAP

EAP

A

EAP

The Extensible Authentication Protocol (EAP) is a framework that allows for the use of many different types of wired and wireless network authentication methods, including for VPN access

26
Q

To secure VPN access, you need a solution that will first authenticate devices before allowing network access. Which authentication standard does this apply to?

OAuth

MFA

IEEE 802.1x

A

IEEE 802.1x

IEEE 802.1x is the port-based network access control (NAC) standard. It requires devices to be authenticated before being granted wired or wireless network access.

27
Q

You do not want authentication handled by wireless access points in your network. What should you configure?

RADIUS server

OAuth

SSO

A

RADIUS server

RADIUS is a protocol that uses a centralized authentication server to grant network access. Edge devices such as wireless access points and network switches are configured to forward network connection requests to the RADIUS server

28
Q

Which authentication standard is directly related to identity federation?

Kerberos

CHAP

OpenID

A

OpenID

The OpenID standard is an identity federation solution that uses a centralized user identity store, eliminating the need for users to create and maintain user accounts for multiple web sites