Ch.8 Identity and Access Management Flashcards

1
Q

Angela has chosen to federate with other organizations to allow use of services that each organization provides. What role does Angela’s organization play when they authenticate their users and assert that those users are valid to other members of the federation?

A. Service provider
B. Relying party
C. Authentication provider
D. Identity provider

A

A. Service provider – Provides services but does not authenticate users.

B. Relying party – Relies on another org (the IdP) to authenticate.

C. Authentication provider – Not a standard term in federation models.

✅ D. Identity provider – Correct. Angela’s org authenticates users and asserts their identity to others.

✅ Security+ Tip
If the question says an organization authenticates its own users and then allows them to access other systems, it’s an Identity Provider (IdP).

2
Q

Amitoj wants to ensure that her organization’s password policy does not allow users to reset their password multiple times until they can reuse their current password. What setting is used to prevent this?

A. Complexity
B. Length
C. Expiration
D. Age

A

A. Complexity – Involves special characters, not reuse limits.

B. Length – Total character count.

C. Expiration – How long until the password must be changed.

✅ D. Age – Correct. “Minimum password age” prevents immediate resets to reuse the old one.

✅ Security+ Tip
To prevent rapid password cycling, look for minimum password age — that’s handled by the Age setting.

3
Q

Which of the following technologies is the least effective means of preventing shared accounts?

A. Password complexity requirements
B. Requiring biometric authentication
C. Requiring one-time passwords via a token
D. Requiring a one-time password via an application

A

✅ A. Password complexity requirements – Correct. A complex password is still just a string that can be handed to a colleague, so complexity does nothing to stop account sharing.

B. Biometric authentication – Hard to share (based on physical traits).

C. Token OTP – Tied to a device; difficult to share.

D. OTP via app – Device-specific; harder to share.

✅ Security+ Tip
Anything a user can easily share (like a password) is weaker than factors tied to something they have or are (like tokens or biometrics).

4
Q

What major difference is likely to exist between on-premises identity services and those used in a cloud-hosted environment?

A. Account policy control will be set to the cloud provider’s standards
B. The cloud service will provide account and identity management services
C. Multifactor authentication will not be supported by the cloud vendor
D. None of the above

A

A. Account policy control… – Incorrect. You normally still define your own password, lockout, and MFA policies inside the cloud platform.

✅ B. Cloud identity services – Correct. Cloud environments typically provide their own identity and access management services, such as Azure AD (now Microsoft Entra ID) or AWS IAM, rather than relying on your on-premises directory.

C. MFA not supported – Incorrect. Cloud identity platforms support MFA natively, often more readily than legacy on-premises systems.

D. None of the above – Incorrect, because B applies.

✅ Security+ Tip
Expect to see identity management offloaded to cloud providers in hybrid or fully cloud-based environments.

5
Q

Which type of multifactor authentication is considered the least secure?

A. HOTP
B. SMS
C. TOTP
D. Biometric

A

A. HOTP – Counter-based code generated by a hardware or software token that holds a shared secret; more secure than SMS.

✅ B. SMS – Correct. Codes travel over the phone network and can be captured through SIM swapping, number porting, or message redirection.

C. TOTP – Time-based code bound to the authenticator app or device; more secure than SMS.

D. Biometric – Considered a strong factor, not the least secure.

✅ Security+ Tip
If a question asks about least secure MFA method, SMS is your go-to answer.

6
Q

Geeta has been issued a USB security key as part of her organization’s multifactor implementation. What type of implementation is this?

A. A hard token
B. A biometric token
C. A soft token
D. An attestation token

A

✅ A. Hard token – Correct. USB physical security key = hard token.

B. Biometric token – Would involve fingerprints, iris, etc.

C. Soft token – App-based (e.g., Authenticator apps).

D. Attestation token – Not a type of MFA token. (Attestation is a property of FIDO authenticators, where the device proves its make and model during registration; it is not a token category.)

✅ Security+ Tip
Physical devices like USB keys are classified as hard tokens.

7
Q

Michelle enables the Windows picture password feature to control logins for her laptop. Which type of attribute will it provide?

A. Somewhere you are
B. Something you know
C. Something you are
D. Someone you know

A

A. Somewhere you are – GPS/location-based.

✅ B. Something you know – Correct. Picture password asks users to click on specific, self-defined parts of a picture. This means that clicking on those points is something you know.

C. Something you are – Biometrics.

D. Someone you know – Not an authentication factor.

✅ Security+ Tip
Anything you type, draw, or enter manually is “something you know”, not “something you are.”

8
Q

What purpose would Linux file permissions set to rw-r--r-- serve?

A. To allow the owner to read and write the file, and for the owner’s group and others to be able to read it
B. To allow all users to read and write the file, and for the group and owner to be able to read it
C. To allow system administrators to read and write the file, and for users and all others to be able to read it
D. To prevent reading and writing for all users, and to prevent reading by groups and a specific user

A

✅ A. Correct interpretation of rw-r--r--.

B. Incorrect – not everyone can write.

C. Incorrect – no such system-specific permissions here.

D. Incorrect – it allows reading, not blocking it.

✅ Security+ Tip
Memorize Linux permissions: owner–group–others → r=4, w=2, x=1 → rw-r--r-- = 644.

9
Q

Theresa wants to implement an access control scheme that sets permissions based on what the individual’s job requires. Which of the following schemes is most suited to this type of implementation?

A. ABAC
B. DAC
C. RBAC
D. MAC

A

A. ABAC – Based on user/object attributes, not job roles.

B. DAC – Owner sets access.

✅ C. RBAC – Correct. Role-based = permissions assigned by job functions.

D. MAC – Access enforced by system-assigned labels and clearances, not by job function.

✅ Security+ Tip
If it mentions job functions or roles, think RBAC.

10
Q

Which of the following biometric technologies is most broadly deployed due to its ease of use and acceptance from end users?

A. Voice print recognition
B. Gait recognition
C. Retina scanners
D. Fingerprint scanner

A

A. Voice – Less reliable and less deployed.

B. Gait – Rare and mostly experimental.

C. Retina – Accurate but not user-friendly.

✅ D. Fingerprint scanner – Correct. Widely adopted due to convenience.

✅ Security+ Tip
Fingerprint scanners are the most commonly deployed biometric factor today.

11
Q

Adam wants to increase his organization’s passwords resistance to attacks in the event that the password hash database is stolen by attackers. Which of the following password security settings has the largest impact on password cracking if his organization’s current passwords are 8 characters long?

A. Password complexity
B. Password length
C. Password reuse limitations
D. Preventing the use of common words in passwords

A

A. Complexity – Adds character types but has less impact than length.

✅ B. Length – Correct. Longer passwords = exponentially harder to crack.

C. Reuse limitations – Stop users cycling back to old passwords but do nothing to slow cracking of a stolen hash.

D. Common words – Good practice, but length trumps for cracking.

✅ Security+ Tip
Password length is more important than complexity for resisting brute-force attacks: each extra character multiplies the search space, whereas adding a character class only enlarges the alphabet. How the hashes are stored matters too: a slow, salted algorithm such as bcrypt or Argon2 raises the cost of every guess, but among the options given, length is the answer.
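To make the length-versus-complexity point concrete, here is an added example (not part of the original flashcards) that computes the brute-force search space for several candidate policies and the worst-case time to exhaust it. The character-class sizes and the two guess rates are assumptions labelled in the code, chosen only to show the orders of magnitude.

```python
import math
from typing import Dict, Iterable, Tuple

# Alphabet sizes for the usual complexity classes (assumed: the symbol set
# varies slightly between products; 33 covers printable ASCII punctuation).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Constructed guess rates, in guesses per second, for an offline attack on a
# stolen hash database. The fast figure is an assumed order of magnitude for a
# GPU rig against an unsalted fast hash; the slow figure assumes a deliberately
# expensive hash such as bcrypt or Argon2 tuned to cost milliseconds per guess.
FAST_HASH_RATE = 1e10
SLOW_HASH_RATE = 1e4

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace_bits(length: int, classes: Iterable[str]) -> float:
    """Size of the brute-force search space in bits: log2(alphabet ** length).
    Each extra character adds log2(alphabet) bits; adding a class only changes
    the alphabet, so length compounds while complexity does not."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return length * math.log2(alphabet)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare_policies(rate: float = FAST_HASH_RATE) -> Dict[str, Tuple[float, float]]:
    """Search-space bits and years-to-exhaust for a few candidate policies."""
    policies = {
        "8 chars, lowercase only": (8, ["lower"]),
        "8 chars, all four classes": (8, ["lower", "upper", "digit", "symbol"]),
        "12 chars, lowercase only": (12, ["lower"]),
        "16 chars, lowercase only": (16, ["lower"]),
    }
    out = {}
    for name, (length, classes) in policies.items():
        bits = keyspace_bits(length, classes)
        out[name] = (round(bits, 1), years_to_exhaust(bits, rate))
    return out


if __name__ == "__main__":
    for label, rate in (("fast unsalted hash", FAST_HASH_RATE), ("bcrypt/Argon2", SLOW_HASH_RATE)):
        print(f"--- {label} at {rate:.0e} guesses/s ---")
        for name, (bits, years) in compare_policies(rate).items():
            print(f"{name:28s} {bits:6.1f} bits  {years:14.3g} years")
```

The comparison shows that twelve lowercase letters already outrank eight characters drawn from all four classes, and that the hash algorithm changes the result by six orders of magnitude at a stroke. Real attackers do not brute-force uniformly (they try dictionaries and common patterns first), which is why the "no common words" control still matters, but it does not change which policy setting moves the search space most.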

12
Q

A PIN is an example of what type of factor?

A. Something you know
B. Something you are
C. Something you have
D. Something you set

A

✅ A. Correct. A PIN is a secret you memorize.

B. Something you are = biometrics.

C. Something you have = tokens, USB keys.

D. “Something you set” isn’t a factor category.

✅ Security+ Tip
PINs and passwords are always “something you know.”

13
Q

Marie is implementing a PAM solution and wants to ensure that root passwords are available in the event of an outage. Which PAM-related tool is most likely to be useful in this situation?

A. Ephemeral accounts
B. Just-in-time permissions
C. Password vaulting
D. Token-based authentication

A

A. Ephemeral accounts – Temporary, not vault-related.

B. JIT permissions – Grant temporary access, not storage.

✅ C. Password vaulting – Correct. A vault stores root and other privileged credentials securely and releases them through a controlled checkout (break-glass) process, so they remain reachable during an outage.

D. Token-based auth – Not related to vaulting.

✅ Security+ Tip
When privileged credentials need secure storage, the answer is password vaulting.

14
Q

Jill sets her files on a Windows file share to allow Fred to access the files. What type of access control system is she using?

A. Mandatory access control
B. Rule-based access control
C. Attribute-based access control
D. Discretionary access control

A

A. MAC – System-enforced, not user-controlled.

B. Rule-based – Rule-driven, like ACLs.

C. ABAC – Attribute-based logic.

✅ D. DAC – Correct. User sets access permissions on their own files.

✅ Security+ Tip
Users setting file/folder permissions = Discretionary Access Control (DAC).

15
Q

Lisa sets up an account on a website that allows her to log in with Google. When she logs in, Google provides an access token to the website that confirms that she is who she says she is but doesn’t provide the site with her password. Which of the following technologies has she used?

A. LDAP
B. OAuth
C. MITRE
D. RADIUS

A

A. LDAP – Directory access protocol, not a web-based authorization mechanism.

✅ B. OAuth – Correct. Google issues a token to the site on Lisa's behalf, so the site never receives her password. (Strictly, the "confirms who she is" part is OpenID Connect, an identity layer built on OAuth 2.0; of the options given, OAuth is the answer.)

C. MITRE – A research organization (maintainer of ATT&CK and CVE), not an authentication technology.

D. RADIUS – AAA protocol for network access (VPN, Wi-Fi, switch logins), not web sign-in.

✅ Security+ Tip
If token-based access without sharing credentials is described, the answer is OAuth.

16
Q

What key concept below best describes only providing the permissions necessary to perform a role?

A. Least privilege
B. Best practice
C. Ephemeral accounts
D. Mandatory access control

A

✅ A. Least privilege – Correct. Give only the permissions needed to do the job.

B. Best practice – Too vague.

C. Ephemeral accounts – Temporary, not about privileges.

D. MAC – Controls by policy, not job needs.

✅ Security+ Tip
Least privilege = minimum required access, nothing more.

17
Q

Kyle has been asked to provide his government-issued ID as part of the creation of his user account. What process should he assume it is being used for?

A. Biometric enrollment
B. Just-in-time permission creation
C. Identity proofing
D. Federation

A

A. Biometric enrollment – Would require fingerprints, face scan, etc.

B. JIT permissions – Not related to onboarding.

✅ C. Identity proofing – Correct. Verifying identity using official ID.

D. Federation – Organization-level trust, not individual onboarding.

✅ Security+ Tip
Providing a government ID during account setup = Identity Proofing.

18
Q

Nina has recently left her organization. What should the organization do with her account?

A. Transfer it to her replacement
B. Reprovision it for another user
C. Deprovision her account
D. Change the password and preserve the account

A

A. Transfer it – Not secure; new person needs a new account.

B. Reprovision it – Again, not secure.

✅ C. Deprovision her account – Correct. Remove access to prevent reuse.

D. Change password – Not sufficient; a live account keeps her group memberships and entitlements and can be reactivated or misused later.

✅ Security+ Tip
Always deprovision (delete/disable) accounts when employees leave to reduce risk.

19
Q

A person’s name, age, location, or job title are all examples of what?

A. Biometric factors
B. Identity factors
C. Attributes
D. Account permissions

A

A. Biometric factors – Fingerprint, retina, etc.

B. Identity factors – Not a formal category.

✅ C. Attributes – Correct. Info like name, job title, location = identity attributes.

D. Account permissions – Defines access rights, not personal details.

✅ Security+ Tip
Attributes = descriptive info about the identity, like job title, age, or department.

20
Q

What type of access control scheme best describes the Linux filesystem?

A. MAC
B. RBAC
C. DAC
D. ABAC

A

A. MAC – System-enforced, not owner-set.

B. RBAC – Based on job roles.

✅ C. DAC – Correct. Linux file permissions are owner-defined.

D. ABAC – Based on attributes, not direct ownership.

✅ Security+ Tip
Linux uses DAC: file owners set permissions with chmod (ownership is changed with chown and chgrp). MAC layers such as SELinux or AppArmor can be added on top, but the base filesystem model is discretionary.
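An added example (not part of the original flashcards) that ties this card to the earlier rw-r--r-- question: it converts ls-style permission strings to numeric modes and back, including the setuid/setgid/sticky cases, flags the bits a reviewer would question, and demonstrates DAC by having the owner set a temporary file's mode with `os.chmod` and read it back. The helper names are this example's own.

```python
import os
import stat
import tempfile
from typing import List

PERM_BITS = {"r": 4, "w": 2, "x": 1}
SPECIAL_BITS = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)   # per owner/group/others slot


def symbolic_to_mode(sym: str) -> int:
    """Convert an ls-style string such as 'rw-r--r--' (optionally with the
    leading type character, '-rw-r--r--') to a numeric mode, 0o644 here.
    The x slot may carry s/S (setuid, setgid) or t/T (sticky)."""
    if len(sym) == 10:
        sym = sym[1:]
    if len(sym) != 9:
        raise ValueError(f"expected 9 permission characters, got {sym!r}")
    mode = 0
    for slot in range(3):                       # owner, group, others
        triplet = sym[slot * 3: slot * 3 + 3]
        value = 0
        for ch, expected in zip(triplet, "rwx"):
            if ch == "-":
                continue
            if ch == expected:
                value |= PERM_BITS[expected]
            elif expected == "x" and ch in "sStT":
                if ch in "st":                  # lowercase means x is set as well
                    value |= PERM_BITS["x"]
                mode |= SPECIAL_BITS[slot]
            else:
                raise ValueError(f"bad permission character {ch!r} in {sym!r}")
        mode |= value << (6 - 3 * slot)
    return mode


def mode_to_symbolic(mode: int) -> str:
    """0o644 -> 'rw-r--r--' (the type character from stat.filemode is dropped)."""
    return stat.filemode(stat.S_IFREG | (mode & 0o7777))[1:]


def risk_flags(mode: int) -> List[str]:
    """Conditions a reviewer would flag when auditing DAC bits."""
    flags = []
    if mode & 0o002:
        flags.append("world-writable")
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    return flags


if __name__ == "__main__":
    # DAC in action: the owner of a file chooses its mode with chmod and the
    # kernel records exactly that, no administrator or policy involved.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    os.chmod(path, 0o644)
    on_disk = stat.S_IMODE(os.stat(path).st_mode)
    print(f"{path}: {mode_to_symbolic(on_disk)} = {oct(on_disk)}")
    for example in ("rw-r--r--", "rw-rw-rw-", "rwsr-xr-x", "drwxrwxrwt"):
        m = symbolic_to_mode(example)
        print(f"{example:10s} -> {oct(m):7s} flags={risk_flags(m)}")
    os.unlink(path)
```

The flags are the ones worth a second look in any permissions audit: a world-writable file lets any local account alter it, and a setuid binary runs with its owner's privileges regardless of who executes it, which is exactly the kind of thing a DAC model will happily allow if the owner asks for it.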

21
Q

A developer is building a web application that integrates with a user’s cloud storage provider. Instead of asking users for their credentials, the app redirects users to the cloud provider’s login page to request access to specific folders. Which of the following technologies is the application most likely using?

A. OpenID Connect
B. SAML
C. OAuth
D. Kerberos

A

C. OAuth – ✅ Correct. OAuth is an authorization protocol that allows third-party apps to access user data without obtaining the user’s credentials. In this scenario, the app is requesting permission to access cloud storage through a redirect — this is exactly how OAuth works.

A. OpenID Connect – ❌ Incorrect. OpenID Connect is used for authentication, allowing users to log in using an existing identity provider (e.g., “Login with Google”), not for granting access to user data.

B. SAML (Security Assertion Markup Language) – ❌ Incorrect. SAML is primarily used in enterprise single sign-on (SSO) environments to pass authentication assertions from an identity provider to a service provider.

D. Kerberos – ❌ Incorrect. Kerberos authenticates users with tickets inside a realm such as a Windows Active Directory domain; it does not authorize third-party app access to a user's data.

✅ Security+ Tip
If the question involves a third-party app accessing user data (like calendars, storage, or emails) without asking for the user’s password, the correct answer is OAuth.

22
Q

An organization partners with a third-party cloud service provider. Employees can access the provider’s services using their existing corporate credentials, even though the cloud provider is managed externally. The identity verification occurs through the organization’s identity provider, while the cloud provider grants access based on that verification. Which of the following best describes this setup?

A. Federation
B. Single sign-on (SSO)
C. LDAP
D. OAuth

A

A. Federation – ✅ Correct. Federation allows two separate organizations to share authentication and access information. One org (the identity provider) authenticates the user, and the other (the service provider) grants access based on that trust relationship.

B. Single sign-on (SSO) – ❌ Incorrect. While this involves reusing credentials, SSO usually occurs within the same organization, not across different organizations.

C. LDAP – ❌ Incorrect. LDAP is a directory protocol, not a method for federated access across organizations.

D. OAuth – ❌ Incorrect. OAuth can be part of federation, but on its own, it’s an authorization framework, not a complete trust-based identity system between two organizations.

✅ Security+ Tip
If the question describes a trust relationship between two organizations, where one org authenticates and the other grants access, the answer is Federation (using SAML or OAuth).
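To show the trust relationship in working code, the following is an added example (not part of the original flashcards, and not any vendor's implementation) of the two halves of a federation: an identity provider that authenticates its own user and mints a signed assertion, and a service provider that accepts the assertion without ever seeing a password. The issuer and audience URLs and the shared-key HMAC are assumptions; real SAML and OpenID Connect deployments use a public-key signature over XML or a JWT, but the checks the relying party must perform are the same.

```python
import base64
import hashlib
import hmac
import json
import uuid
from typing import Set, Tuple

# Constructed trust relationship. In SAML or OpenID Connect the IdP signs with
# its private key and the SP verifies with the IdP's published public key; a
# shared-key HMAC stands in for that signature here so the example runs offline.
IDP_KEY = b"constructed-idp-signing-key-not-real"
IDP_ISSUER = "https://idp.corp.example"              # assumed identifier for the IdP
SP_AUDIENCE = "https://files.cloudvendor.example"    # assumed identifier for the SP


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def idp_issue_assertion(key: bytes, subject: str, audience: str, now: int,
                        ttl: int = 300, issuer: str = IDP_ISSUER) -> str:
    """Identity provider side: after authenticating `subject` locally (the
    password never leaves the IdP), mint a short-lived signed assertion scoped
    to one relying party."""
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return body + "." + sig


class ServiceProvider:
    """Relying party side: trusts the IdP's key, never sees a password, and
    applies the checks a federation consumer must not skip."""

    def __init__(self, idp_key: bytes, expected_issuer: str, audience: str) -> None:
        self.idp_key = idp_key
        self.expected_issuer = expected_issuer
        self.audience = audience
        self.seen_ids: Set[str] = set()      # one-time-use tracking against replay

    def accept(self, assertion: str, now: int) -> Tuple[bool, str]:
        try:
            body, sig = assertion.split(".")
        except ValueError:
            return False, "malformed"
        expected = _b64(hmac.new(self.idp_key, body.encode("ascii"), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"        # verify first, parse second
        claims = json.loads(_unb64(body))
        if claims.get("iss") != self.expected_issuer:
            return False, "unknown issuer"
        if claims.get("aud") != self.audience:
            return False, "wrong audience"       # assertion was meant for another SP
        if not (claims["iat"] <= now < claims["exp"]):
            return False, "expired or not yet valid"
        if claims["jti"] in self.seen_ids:
            return False, "replayed"
        self.seen_ids.add(claims["jti"])
        return True, claims["sub"]


if __name__ == "__main__":
    now = 1_700_000_000
    sp = ServiceProvider(IDP_KEY, IDP_ISSUER, SP_AUDIENCE)
    token = idp_issue_assertion(IDP_KEY, "alice@corp.example", SP_AUDIENCE, now)
    print(sp.accept(token, now + 10))        # (True, 'alice@corp.example')
    print(sp.accept(token, now + 20))        # (False, 'replayed')
    rogue = idp_issue_assertion(b"attacker-key", "alice@corp.example", SP_AUDIENCE, now)
    print(sp.accept(rogue, now + 10))        # (False, 'bad signature')
```

The audience check is the one most often missed in practice: without it, an assertion the IdP issued for one partner application can be presented to another, and the second one will accept it because the signature is genuine.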

23
Q

A security administrator is configuring access control on a company firewall. The administrator sets rules that allow HTTP and HTTPS traffic from internal IP ranges during business hours but blocks all other traffic by default. What type of access control model is being implemented?

A. Role-Based Access Control (RBAC)
B. Discretionary Access Control (DAC)
C. Rule-Based Access Control
D. Attribute-Based Access Control (ABAC)

A

A. Role-Based Access Control (RBAC)
Incorrect — RBAC assigns access based on user job roles, not specific traffic or time conditions.

B. Discretionary Access Control (DAC)
Incorrect — DAC allows owners of objects (like files) to set permissions. This scenario involves system-enforced rules, not user-controlled access.

C. Rule-Based Access Control
✅ Correct — The administrator is setting specific rules based on network protocols, IP ranges, and time of day, which are all conditions, not identities or roles.

D. Attribute-Based Access Control (ABAC)
Incorrect — ABAC makes access decisions based on user and object attributes (e.g., department = HR, clearance = Secret), not predefined firewall-style rules.

✅ Security+ Tip
If the question focuses on conditions, rules, or system-enforced logic (like ACLs or time-based restrictions), it’s testing your knowledge of Rule-Based Access Control.

24
Q

A network administrator is configuring a router to restrict traffic based on specific criteria. The administrator creates a list of entries specifying which source IP addresses are allowed to communicate with the internal network over port 80 and denies all other traffic. Which of the following is being implemented?

A. Rule-Based Access Control (RuBAC)
B. Attribute-Based Access Control (ABAC)
C. Access Control List (ACL)
D. Role-Based Access Control (RBAC)

A

A. Rule-Based Access Control (RuBAC)
❌ Incorrect – While conceptually similar, RuBAC refers to a broader access control model. The question describes a specific, technical implementation.

B. Attribute-Based Access Control (ABAC)
❌ Incorrect – ABAC uses user or object attributes (e.g., department, clearance level) to determine access, which isn’t mentioned here.

C. Access Control List (ACL)
✅ Correct – ACLs are used on routers and firewalls to define access based on IP addresses, ports, and protocols. This is exactly what’s happening in the scenario.

D. Role-Based Access Control (RBAC)
❌ Incorrect – RBAC assigns permissions based on user job roles, which isn’t relevant in this network traffic scenario.

✅ Security+ Tip
If the scenario involves network traffic filtering based on IP addresses, ports, or protocols, the answer is almost always ACL, not RuBAC or RBAC. RuBAC is a conceptual model — ACL is the actual implementation.
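The last two cards describe the same mechanism from two angles, so here is one added example (not part of the original flashcards) serving both: a small first-match ACL evaluator with an implicit deny, loaded with the hypothetical firewall rule set (web traffic from internal ranges during business hours) and the hypothetical router ACL (listed source hosts to port 80, everything else denied). The addresses, ranges, hour window and rule names are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed view of one connection attempt as a firewall sees it."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    hour: int       # local hour of day, 0-23, for time-of-day conditions


@dataclass(frozen=True)
class Rule:
    """One access control entry: conditions on the traffic, not on who the user is."""
    name: str
    action: str                              # "permit" or "deny"
    src_nets: Tuple[str, ...]                # CIDR blocks the entry applies to
    protos: FrozenSet[str] = frozenset({"tcp", "udp"})
    dports: Optional[FrozenSet[int]] = None  # None = any port
    hours: Optional[range] = None            # None = any time

    def matches(self, pkt: Packet) -> bool:
        src = ip_address(pkt.src)
        if not any(src in ip_network(n) for n in self.src_nets):
            return False
        if pkt.proto not in self.protos:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        if self.hours is not None and pkt.hour not in self.hours:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation with an implicit deny at the end, which is how
    router and firewall ACLs behave: order matters, and anything no entry
    mentions is dropped."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"


BUSINESS_HOURS = range(9, 18)   # 09:00-17:59, assumed

# Hypothetical firewall: web traffic from internal ranges in business hours only.
# The deny entry is deliberately placed first; swapping the order would let the
# quarantined subnet through, which is the classic rule-ordering mistake.
FIREWALL_RULES = [
    Rule("block-quarantined-hosts", "deny", ("10.9.9.0/24",)),
    Rule("web-from-internal-business-hours", "permit", ("10.0.0.0/8", "192.168.0.0/16"),
         frozenset({"tcp"}), frozenset({80, 443}), BUSINESS_HOURS),
]

# Hypothetical router ACL: listed source hosts may reach port 80; all else is denied.
ROUTER_ACL = [
    Rule("ace-10-host-a", "permit", ("203.0.113.10/32",), frozenset({"tcp"}), frozenset({80})),
    Rule("ace-20-host-b", "permit", ("203.0.113.20/32",), frozenset({"tcp"}), frozenset({80})),
]


if __name__ == "__main__":
    samples = [
        Packet("10.1.2.3", "198.51.100.5", "tcp", 443, 10),
        Packet("10.1.2.3", "198.51.100.5", "tcp", 443, 22),
        Packet("10.9.9.7", "198.51.100.5", "tcp", 80, 10),
        Packet("172.16.0.9", "198.51.100.5", "tcp", 80, 10),
    ]
    for p in samples:
        print(p.src, p.proto, p.dport, f"h{p.hour:02d}", "->", evaluate(FIREWALL_RULES, p))
    print(evaluate(ROUTER_ACL, Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 12)))
    print(evaluate(ROUTER_ACL, Packet("203.0.113.99", "10.0.0.5", "tcp", 80, 12)))
```

Nothing in either list refers to a user, role or attribute; every decision is a function of source, protocol, port and time, which is what makes it rule-based. The evaluator also makes the implicit deny explicit in its return value, so a log line can say which entry (or the absence of one) produced the verdict.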