Authentication Flashcards
Which authentication protocol is used by Microsoft Active Directory Domain Services?
802.1x
Kerberos
RADIUS
Kerberos
The Kerberos network authentication protocol is used by Microsoft Active Directory Domain Services (AD DS)
Your organization requires a method for desktop computers to verify that the machine boots only with trusted operating systems. Which firmware components must be present to meet this requirement? (Choose two.)
EAP
HSM
UEFI
TPM
UEFI
TPM
When a computer system is turned on, the first firmware instructions executed are either the Basic Input Output System (BIOS) or the newer Unified Extensible Firmware Interface (UEFI) standard that supports security features such as secure boot and larger storage devices. When secure boot is enabled, only trusted operating systems (OSs) that have not been tampered with, such as with malware infected OS boot files, are allowed to start on the computer. Trusted Platform Module (TPM) is a firmware chip within a computing device that ensures device boot integrity as well as storing cryptographic keys used to encrypt storage devices
Which configuration option enhances the user authentication process?
HSM
SSO
MFA
MFA
Multifactor authentication (MFA) uses two or more identity validation methods, each from different categories, such as a username and password (something you know) and a key fob (something you have)
Which term best embodies a centralized network database containing user account information?
OpenID
SAML
Directory service
Directory service
A directory service, such as Microsoft Active Directory, serves as a central network database containing objects such as users, groups, applications, and various network configurations. In the current era of cloud computing, directory services can be hosted in the cloud without having to configure servers manually to support the directory service, and the cloud-based directory service can be synchronized with an on-premises directory service
Which authentication example is considered multifactor authentication?
Username, password
Smartcard, key fob
Username, password, fingerprint scan
Username, password, fingerprint scan
Multifactor authentication uses two or more identity validation methods, each from different categories, such as a username and password (something you know) and a fingerprint scan (something you are). “Something you are” refers to biometric authentication, which can also include authentication through other unique personal characteristics related to face geometry, voice pattern, retinal and iris scans, as well as unique palm or finger vein patterns
When authenticating to your cloud account, you must supply a username, password, and a unique numeric code supplied from a smartphone app that changes every 30 seconds. Which term is used to describe the changing numeric code?
SMS
TOTP
Virtual smartcard
TOTP
A time-based one-time password (TOTP) derives its value from the current time at which it is generated and normally expires within a short period of time such as 30 seconds, as opposed to a static, unchanging code that does not expire. The closely related HMAC-based one-time password (HOTP) is a technique whereby a client device is synchronized with a server and uses that synchronized state, instead of the current time, to generate a unique code. TOTPs are normally transmitted out-of-band on a different device, such as through a smartphone app (something you have), when a user attempts to authenticate with a username and password (something you know) using a different device such as a laptop, thus constituting multifactor authentication
Which authentication protocol transmits user sign-in credentials in plain text over the network?
CHAP
TACACS+
PAP
PAP
The Password Authentication Protocol (PAP) is an older authentication standard that passes credentials over the network in clear text format, meaning that capturing those network transmissions reveals user credentials. PAP was often used for remote authentication such as for Point-to-Point Protocol (PPP) and virtual private network (VPN) connections
Your organization is creating a web application that generates animated video from story text. Instead of requiring users to create an account with your organization before using the app, you want to enable users to sign in using their existing Google or Facebook accounts. What type of authentication is this?
Attested
Token key
Federated
Federated
Identity federation solutions use a centralized user identity store, eliminating the need for users to create and maintain user accounts for multiple web sites
Which security hardware can be used for multifactor authentication?
Token key
TPM
HSM
Token key
A token key refers to a hardware device used for IT system authentication (something you have) that generates a unique value used in addition to other authentication factors such as a username and password (something you know)
Which term best describes a user authenticating to a service and receiving a unique authentication code via a phone call?
Token key
Out-of-band authentication
Federation
Out-of-band authentication
Out-of-band authentication is used with multifactor authentication. An example is a user initiating logging in to a web site using a laptop computer where an authentication code is sent to the user’s smartphone and is required to complete authentication
Which type of authentication method measures the motion patterns of a person’s body movement?
SAML
Biometric
Gait analysis
Gait analysis
Gait analysis measures the way a person moves and can be used as an authentication measure
A user complains that her new laptop occasionally does not allow fingerprint authentication. Which term best describes this situation?
Crossover error rate
False acceptance
False rejection
False rejection
An authentication system’s rejection of legitimate authentications is referred to as a false rejection rate (FRR). An example would be a 5 percent rejection rate, based on facial recognition authentication that does not correctly identify a user’s face
A travelling employee is unable to authenticate to a corporate custom web application that is normally accessible when he’s at home. What type of authentication is in place for the custom web application?
Biometric
Federated
Geolocation
Geolocation
Geolocation is a form of authentication (where you are) that checks where a connection is originating from. Some web sites will not allow access to users who travel to foreign countries and attempt to log in to a web site
Which of the following represents the correct sequence in which AAA occurs?
Authorization, authentication, accounting
Authentication, authorization, accounting
Accounting, authentication, authorization
Authentication, authorization, accounting
AAA refers to authentication (proving of one’s identity) which occurs first, followed by authorization (being granted resource access), and finally accounting (logging and auditing resource access). Centralized authentication systems such as RADIUS are AAA systems
You have configured your smartphone authentication such that, using your finger, you connect points on a picture. Which type of authentication category does this apply to?
Something you are
Something you know
Something you do
Something you do
“Something you do” is an authentication category that includes actions such as drawing points on a picture using your finger
You have forgotten your login credentials for a secure web site. The forgotten password mechanism on the site prompts you to enter your PIN before selecting a help desk user that will supply you with a reset code. Which type of forgotten password authentication mechanism is at work here?
Something you are
Somewhere you are
Someone you know
Someone you know
“Someone you know” is an authentication mechanism often used when resetting forgotten passwords, whereby a user must select a “helper” user that is trusted by the system to supply some kind of authentication detail, such as a unique user PIN, to enable password resets
Cloud technicians in your organization have linked your on-premises Microsoft Active Directory domain to a cloud-based directory service. What benefit is derived from this configuration?
Multifactor authentication can be enabled.
User authentication will occur faster.
Users can authenticate to cloud apps using their on-premises credentials.
Users can authenticate to cloud apps using their on-premises credentials.
Cloud directory synchronization solutions such as Microsoft Azure’s AD Connect link to an on-premises directory service such as Microsoft Active Directory. This enables users to sign in to cloud apps using their familiar on-premises credentials
Which of the following is an example of authentication?
Accessing a secured part of a web site
Writing a log entry when users access sensitive files
Supplying a username and password
Supplying a username and password
Username and password (something you know) can be provided to authenticate a user and grant resource access
Users complain that they cannot use different usernames and passwords for all of the web applications they use because there are too many to remember, so they use the same username and password for all of the web apps. You need to ensure that users maintain unique usernames and complex passwords for all web apps while minimizing user frustration. What should you deploy for users?
TPM
Token key
Password vault
Password vault
A password vault is an encrypted password store used by password manager software that can store usernames and passwords for applications and web sites the user accesses
A malicious user has removed an encrypted drive from a TPM-enabled system and connected it to his own TPM-enabled computer. What will the outcome be?
The malicious user will have full access to the drive contents.
The malicious user will be unable to access the drive contents.
The drive contents will be erased automatically.
The malicious user will be unable to access the drive contents.
TPM is firmware that can store cryptographic keys used to protect data at rest. If the encrypted drive is moved to a different computer, then the correct decryption key is unavailable, resulting in the user being unable to access the drive contents
Which fact is specific to the Challenge Handshake Authentication Protocol (CHAP)?
Passwords are sent over the network in encrypted form.
Passwords are sent over the network in plain text.
Passwords are never sent over the network.
Passwords are never sent over the network.
CHAP is an authentication standard that uses a three-way handshake whereby the hashing of a secret known on both ends of the connection is verified without ever sending that secret over the network
How does OAuth determine whether a user is permitted to access a resource?
PKI certificate
One-time password
Access token
Access token
Upon successful authentication, the OAuth protocol uses a token (and not the original credentials) generated by a trusted identity provider that represents an authenticated user or device to grant resource access, such as to a web application
After successful authentication, which method can be used to transmit authorization details to a resource provider to grant resource access?
Kerberos
SAML
MFA
SAML
The Security Assertion Markup Language (SAML) standard is used to transmit authentication and authorization messages between users, centralized identity providers, and resource providers that trust the identity providers
Which statements regarding OAuth are correct? (Choose two.)
OAuth passes encrypted user credentials to a resource provider.
OAuth tokens are issued by a resource provider.
OAuth tokens are consumed by a resource provider.
OAuth does not handle authentication.
OAuth tokens are consumed by a resource provider.
OAuth does not handle authentication.
After successful authentication, the OAuth protocol uses a token (and not the original credentials) generated by a trusted identity provider that represents an authenticated user or device to grant resource access, such as to a web application. The web application is a resource provider that would consume the token to grant access
You need to configure VPN authentication methods that use PKI certificates. Which VPN configuration option should you choose?
PAP
CHAP
EAP
EAP
The Extensible Authentication Protocol (EAP) is a framework that allows for the use of many different types of wired and wireless network authentication methods, including for VPN access
To secure VPN access, you need a solution that will first authenticate devices before allowing network access. Which authentication standard does this apply to?
OAuth
MFA
IEEE 802.1x
IEEE 802.1x
IEEE 802.1x is the port-based NAC standard. This requires devices to be authenticated before being granted wired or wireless network access
You do not want authentication handled by wireless access points in your network. What should you configure?
RADIUS server
OAuth
SSO
RADIUS server
RADIUS is a protocol that uses a centralized authentication server to grant network access. Edge devices such as wireless access points and network switches are configured to forward network connection requests to the RADIUS server
Which authentication standard is directly related to identity federation?
Kerberos
CHAP
OpenID
OpenID
The OpenID standard is an identity federation solution that uses a centralized user identity store, eliminating the need for users to create and maintain user accounts for multiple web sites