CompTIA Security+ SY0-601 Chapter 10
31. You do not want authentication handled by wireless access points in your network. What should you configure? A. RADIUS server B. OAuth C. SSO D. Identity federation
A. RADIUS is a protocol that uses a centralized authentication server to grant network access. Edge devices such as wireless access points and network switches are configured to forward network connection requests to the RADIUS server.
Which security hardware can be used for multifactor authentication? A. Token key B. TPM C. HSM D. Password vault
A. A token key refers to a hardware device used for IT system authentication (something you have) that generates a unique value used in addition to other authentication factors such as a username and password (something you know).
When authenticating to your cloud account, you must supply a username, password, and a unique numeric code supplied from a smartphone app that changes every 30 seconds. Which term is used to describe the changing numeric code? A. SMS B. TOTP C. Virtual smartcard D. Push notification
B. A time-based one-time password (TOTP) derives randomness from the current time at which it is generated and normally expires within a short period of time, such as 30 seconds, as opposed to a static, unchanging code that does not expire. The closely related HMAC-based one-time password (HOTP) is a technique whereby a client device is synchronized with a server and uses a shared counter, instead of the current time, to generate a unique code. TOTPs are normally transmitted out-of-band on a different device, such as through a smartphone app (something you have), when a user attempts to authenticate with a username and password (something you know) using a different device such as a laptop, thus constituting multifactor authentication.
Which term best describes a user authenticating to a service and receiving a unique authentication code via a phone call? A. Token key B. Out-of-band authentication C. Federation D. SAML
B. Out-of-band authentication is used with multifactor authentication. An example is a user logging in to a web site using a laptop computer, where an authentication code is sent to the user's smartphone and is required to complete authentication. A, C, and D are incorrect. A token key refers to a hardware device used for IT system authentication (something you have) that generates a unique value used in addition to other authentication factors such as a username and password (something you know). Identity federation solutions use a centralized user identity store, eliminating the need for users to create and maintain user accounts for multiple web sites. The SAML standard is used to transmit authentication and authorization messages between users, centralized identity providers, and resource providers that trust the identity providers.
23. A malicious user has removed an encrypted drive from a TPM-enabled system and connected it to his own TPM-enabled computer. What will the outcome be? A. The malicious user will have full access to the drive contents. B. The malicious user will be unable to access the drive contents. C. The drive contents will be erased automatically. D. The drive contents will be accessible in read-only mode.
B. TPM is firmware that can store cryptographic keys used to protect data at rest. If the encrypted drive is moved to a different computer, then the correct decryption key is unavailable, resulting in the user being unable to access the drive contents.
Which authentication protocol is used by Microsoft Active Directory Domain Services? A. 802.1x B. Kerberos C. RADIUS D. OAuth
B. The Kerberos network authentication protocol is used by Microsoft Active Directory Domain Services (AD DS).
27. After successful authentication, which method can be used to transmit authorization details to a resource provider to grant resource access? A. Kerberos B. SAML C. MFA D. OTP
B. The Security Assertion Markup Language (SAML) standard is used to transmit authentication and authorization messages between users, centralized identity providers, and resource providers that trust the identity providers. A, C, and D are incorrect. The Kerberos network authentication protocol is used by Microsoft AD DS. MFA uses two or more identity validation methods, each from different categories. An OTP is a unique code generated for use only once, an example of which would be a code sent via e-mail or SMS text when resetting a forgotten password.
28. Which statements regarding OAuth are correct? (Choose two.) A. OAuth passes encrypted user credentials to a resource provider. B. OAuth tokens are issued by a resource provider. C. OAuth tokens are consumed by a resource provider. D. OAuth does not handle authentication.
C and D. After successful authentication, the OAuth protocol uses a token (and not the original credentials) generated by a trusted identity provider that represents an authenticated user or device to grant resource access, such as to a web application. The web application is a resource provider that would consume the token to grant access. A and B are incorrect. OAuth uses tokens and does not transmit the user credentials to resource providers. OAuth tokens are generated by a trusted identity provider.
Your organization requires a method for desktop computers to verify that the machine boots only with trusted operating systems. Which firmware components must be present to meet this requirement? (Choose two.) A. EAP B. HSM C. UEFI D. TPM
C and D. When a computer system is turned on, the first firmware instructions executed are either the Basic Input Output System (BIOS) or the newer Unified Extensible Firmware Interface (UEFI) standard that supports security features such as secure boot and larger storage devices. When secure boot is enabled, only trusted operating systems (OSs) that have not been tampered with, such as with malware infected OS boot files, are allowed to start on the computer. Trusted Platform Module (TPM) is a firmware chip within a computing device that ensures device boot integrity as well as storing cryptographic keys used to encrypt storage devices. A and B are incorrect. The Extensible Authentication Protocol (EAP) is a framework that allows for the use of many different types of wired and wireless network authentication methods. A hardware security module (HSM) is a dedicated tamper-resistant device designed to store and manage cryptographic keys securely.
Which of the following represents the correct sequence in which AAA occurs? A. All AAA items occur simultaneously B. Authorization, authentication, accounting C. Authentication, authorization, accounting D. Accounting, authentication, authorization
C. AAA refers to authentication (proving of one's identity) which occurs first, followed by authorization (being granted resource access), and finally accounting (logging and auditing resource access). Centralized authentication systems such as RADIUS are AAA systems.
A user complains that her new laptop occasionally does not allow fingerprint authentication. Which term best describes this situation? A. Crossover error rate B. False acceptance C. False rejection D. Efficacy rate
C. An authentication system's rejection of legitimate authentications is referred to as a false rejection rate (FRR). An example would be a 5 percent rejection rate, based on facial recognition authentication that does not correctly identify a user's face.
24. Which fact is specific to the Challenge Handshake Authentication Protocol (CHAP)? A. Passwords are sent over the network in encrypted form. B. Passwords are sent over the network in plain text. C. Passwords are never sent over the network. D. Passwords are combined with a one-time password to complete authentication.
C. CHAP is an authentication standard that uses a three-way handshake whereby the hashing of a secret known on both ends of the connection is verified without ever sending that secret over the network. A, B, and D are incorrect. CHAP authentication does not exhibit any of the listed characteristics.
Cloud technicians in your organization have linked your on-premises Microsoft Active Directory domain to a cloud-based directory service. What benefit is derived from this configuration? A. Multifactor authentication can be enabled. B. User authentication will occur faster. C. Users can authenticate to cloud apps using their on-premises credentials. D. User authorization will occur faster.
C. Cloud directory synchronization solutions such as Microsoft's Azure AD Connect link to an on-premises directory service such as Microsoft Active Directory. This enables users to sign in to cloud apps using their familiar on-premises credentials.
Which type of authentication method measures the motion patterns of a person's body movement? A. SAML B. Biometric C. Gait analysis D. TOTP
C. Gait analysis measures the way a person moves and can be used as an authentication measure.
A traveling employee is unable to authenticate to a corporate custom web application that is normally accessible when he's at home. What type of authentication is in place on the custom web application? A. Biometric B. Federated C. Geolocation D. Attested
C. Geolocation is a form of authentication (where you are) that checks where a connection is originating from. Some web sites will not allow access to users who travel to foreign countries and attempt to log in to a web site.
30. To secure VPN access, you need a solution that will first authenticate devices before allowing network access. Which authentication standard does this apply to? A. OAuth B. MFA C. IEEE 802.1x D. SSO
C. IEEE 802.1x is the port-based NAC standard. This requires devices to be authenticated before being granted wired or wireless network access. A, B, and D are incorrect. OAuth uses tokens and does not transmit the user credentials to resource providers. MFA uses two or more identity validation methods, each from different categories. SSO is an authentication standard that, after successful initial authentication, does not require the user to keep entering his credentials to access additional applications.
Your organization is creating a web application that generates animated video from story text. Instead of requiring users to create an account with your organization before using the app, you want to enable users to sign in using their existing Google or Facebook accounts. What type of authentication is this? A. Attested B. Token key C. Federated D. Kerberos
C. Identity federation solutions use a centralized user identity store, eliminating the need for users to create and maintain user accounts for multiple web sites.
Which authentication example is considered multifactor authentication? A. Username, password B. Smartcard, key fob C. Username, password, fingerprint scan D. Username, password, security question
C. Multifactor authentication uses two or more identity validation methods, each from different categories, such as a username and password (something you know) and a fingerprint scan (something you are). "Something you are" refers to biometric authentication, which can also include authentication through other unique personal characteristics related to face geometry, voice pattern, retinal and iris scans, as well as unique palm or finger vein patterns.
32. Which authentication standard is directly related to identity federation? A. Kerberos B. CHAP C. OpenID D. IEEE 802.1x
C. The OpenID standard is an identity federation solution that uses a centralized user identity store, eliminating the need for users to create and maintain user accounts for multiple web sites. A, B, and D are incorrect. The Kerberos network authentication protocol is used by Microsoft AD DS. CHAP is an authentication standard that uses a three-way handshake, whereby the hashing of a secret known on both ends of the connection is verified without ever sending that secret over the network. IEEE 802.1x is the port-based NAC standard. This requires devices to be authenticated before being granted wired or wireless network access.
Which authentication protocol transmits user sign-in credentials in plain text over the network? A. CHAP B. TACACS+ C. PAP D. Kerberos
C. The Password Authentication Protocol (PAP) is an older authentication standard that passes credentials over the network in clear text format, meaning that capturing those network transmissions reveals user credentials. PAP was often used for remote authentication such as for Point-to-Point Protocol (PPP) and virtual private network (VPN) connections.
You have forgotten your login credentials for a secure web site. The forgotten password mechanism on the site prompts you to enter your PIN before selecting a help desk user that will supply you with a reset code. Which type of forgotten password authentication mechanism is at work here? A. Something you are B. Somewhere you are C. Something you exhibit D. Someone you know
D. "Someone you know" is an authentication mechanism often used when resetting forgotten passwords, whereby a user must select a "helper" user that is trusted by the system to supply some kind of authentication detail, such as a unique user PIN, to enable password resets.
You have configured your smartphone authentication such that, using your finger, you connect points on a picture. Which type of authentication category does this apply to? A. Something you are B. Somewhere you are C. Something you know D. Something you do
D. "Something you do" is an authentication category that includes actions such as drawing points on a picture using your finger. A, B, and C are incorrect. The listed authentication categories are not related to using a finger to draw points on a picture. "Something you are" refers to biometric authentication, such as with fingerprint scans. "Somewhere you are" is a geolocation mechanism that limits where you can be to authenticate successfully to a system. "Something you know" includes common authentication factors such as knowing a username and password.
Which term best embodies a centralized network database containing user account information? A. SSO B. OpenID C. SAML D. Directory service
D. A directory service, such as Microsoft Active Directory, serves as a central network database containing objects such as users, groups, applications, and various network configurations. In the current era of cloud computing, directory services can be hosted in the cloud without having to configure servers manually to support the directory service, and the cloud-based directory service can be synchronized with an on-premises directory service.
22. Users complain that they cannot use different usernames and passwords for all of the web applications they use because there are too many to remember, so they use the same username and password for all of the web apps. You need to ensure that users maintain unique usernames and complex passwords for all web apps while minimizing user frustration. What should you deploy for users? A. HSM B. TPM C. Token key D. Password vault
D. A password vault is an encrypted password store used by password manager software that can store usernames and passwords for applications and web sites the user accesses.
Which configuration option enhances the user authentication process? A. TPM B. HSM C. SSO D. MFA
D. Multifactor authentication (MFA) uses two or more identity validation methods, each from different categories, such as a username and password (something you know) and a key fob (something you have).
29. You need to configure VPN authentication methods that use PKI certificates. Which VPN configuration option should you choose? A. PAP B. CHAP C. OAuth D. EAP
D. The Extensible Authentication Protocol (EAP) is a framework that allows for the use of many different types of wired and wireless network authentication methods, including for VPN access.
25. How does OAuth determine whether a user is permitted to access a resource? A. Username, password B. PKI certificate C. One-time password D. Access token
D. Upon successful authentication, the OAuth protocol uses a token (and not the original credentials) generated by a trusted identity provider that represents an authenticated user or device to grant resource access, such as to a web application.
21. Which of the following is an example of authentication? A. Accessing a secured part of a web site B. Writing a log entry when users access sensitive files C. Verifying that files have not been modified by unauthorized users D. Supplying a username and password
D. Username and password (something you know) can be provided to authenticate a user and grant resource access.