Cybersecurity Fundamentals Chapter 3

Questions and Answers

What is the primary purpose of allowing temporary password use for system logons?

• To improve system security permanently
• To enhance user experience
• To facilitate immediate change to a permanent password (correct)
• To simplify the authentication process

Which of the following is classified as a dynamic biometric authentication method?

• Face recognition
• Voice pattern (correct)
• Retina scan
• Fingerprint

What does multifactor authentication (MFA) require from a user?

• Only possession of a token
• One piece of evidence for verification
• A password shared with the system admin
• Two or more pieces of evidence for verification (correct)

Which level of Identity Assurance Level (IAL) requires physical presence for identity proofing?

IAL3 (B)

What type of passwords should be stored and transmitted according to best practices?

Cryptographically-protected passwords (B)

Which of the following is NOT a mean of authenticating a user's identity?

Something the individual imagines (B)

At which Authenticator Assurance Level (AAL) is some assurance of authentication provided via user-supplied ID and password?

AAL1 (A)

Which of the following best describes static biometrics?

Physical features verified at one time (D)

What is digital identity defined as?

A unique representation of a subject engaged in an online transaction. (A)

Which of the following is a basic security requirement for user authentication?

Authenticate the identities of users, processes, or devices. (D)

What is multifactor authentication primarily used for?

To enhance access control for privileged accounts. (D)

Which security measure is intended to prevent the reuse of identifiers?

Defining a period during which identifiers cannot be reused. (C)

What does enforced password complexity imply?

Passwords should include a minimum length and varied characters. (B)

What is the purpose of replay-resistant authentication mechanisms?

To deter unauthorized users from accessing systems multiple times. (A)

What is a consequence of having a defined period of inactivity for identifiers?

Identifiers are disabled to enhance security. (C)

Which of the following statements about password reuse is true?

Prohibiting password reuse for a specified number of generations enhances security. (C)

What ensures that the contactless RF chip in the eID card cannot be accessed without authorization?

Password Authenticated Connection Establishment (PACE) (B)

Which method is commonly used to generate a time-based one-time password (TOTP)?

HMAC with a hash function (A)

What is the risk associated with a one-time password (OTP) device?

The secret key is vulnerable to interception (B)

In which scenario is the machine-readable zone (MRZ) primarily used?

To establish offline access with a card access number (C)

What should systems using time-based OTP accommodate for successful authentication?

Clock drift between token and system (D)

Which component of an OTP device is crucial for securely generating the password?

Tamper-resistant module (B)

What is the purpose of the personal identification number (PIN) in the context of eID cards?

To provide confidential access to the RF chip (C)

What distinguishes single-factor authentication from other methods?

It typically involves only one form of verification (A)

What function does the eID PIN serve in online applications?

It functions as a signature key for electronic signatures. (C)

Which of the following data can be accessed or read by eID functions?

Date and place of birth (A)

What is the purpose of the electronic signature creation in eID?

To certify user transactions and identity. (A)

What information would be typically included in an eID revocation query?

Validity of an ID or certification status (A)

Which of the following is NOT a function of eID?

Social media management (A)

What is one of the uses of the signature key in electronic signatures?

To verify authenticity of documents. (B)

In the context of eID, what does 'PAC E Password' refer to?

A password required to access the electronic signature creation function. (D)

Which of the following options relates to community ID verification in eID functions?

It checks the ID for expiration date. (D)

What is a potential disadvantage of using mobile authentication apps?

Phone might be lost or stolen (C)

Which attack method specifically targets a mobile user's access to their authentication?

SIM swap attack (C)

What unique characteristic is NOT used in biometric authentication?

Password strength (B)

What type of protocol is generally used to enhance security during remote user authentication?

Challenge-response protocol (B)

Which of the following is a challenge faced specifically by remote user authentication?

Increased complexity and security threats (B)

What is a common defense against password guessing attacks?

Use of larger entropy and limited attempts (C)

What type of attack attempts to disable a user authentication service through an overload?

Denial of Service (A)

Which biometric matching method is considered technically complex and expensive?

Biometric authentication (C)

What is a risk associated with attackers using fake mobile towers?

Intercepting SMS messages (A)

In the context of client attacks, what is a common method attackers use to achieve unauthorized access?

Spoofing user credentials (C)

Study Notes

Digital User Authentication Principles

• Digital identity is a unique representation of a subject in online transactions (NIST SP 800-63-3).
• Digital user authentication determines the validity of authenticators claiming a digital identity.
• Basic security requirements include identifying users, authenticating identities, and employing multifactor authentication (MFA).

Password-Based Authentication

• Requires users to authenticate with something they know, such as a password or PIN.
• Security measures include enforcing complexity, preventing reuse, and disabling inactive accounts.

Token-Based Authentication

• Users authenticate with something they possess, like a smartcard or electronic keycard.
• One-time passwords (OTP) generated by devices increase security for transactions.
• Alternatives like time-based OTP (TOTP) rely on algorithms and a secure clock, but vulnerable to clock drift issues.

Biometric Authentication

• Utilizes unique physical characteristics (e.g., fingerprints, facial recognition) for user authentication.
• Technically complex and expensive compared to traditional methods, yet provides heightened security.

Multifactor Authentication (MFA)

• MFA involves using two or more factors for identity verification, such as passwords combined with tokens or biometrics.
• Enhances security compared to single-factor authentication methods.

Assurance Levels for User Authentication

• Identity Assurance Levels (IAL) define certainty in identity proofing:
  • IAL1: No link to real identity required.
  • IAL2: Evidence of identity through remote or in-person proofing.
  • IAL3: Physical presence is needed for proofing.
• Authenticator Assurance Levels (AAL) gauge authentication strength:
  • AAL1: User ID and password provide some assurance.
  • Higher levels require stronger proof mechanisms.

Security Issues for User Authentication

• User authentication is subject to attacks like eavesdropping, replay attacks, and client/host attacks.
• Common attacks include password guessing, token theft, and biometric spoofing.
• Defense strategies involve multifactor authentication, large entropy for identifiers, and rigorous password protection measures.

Remote User Authentication Challenges

• Increased complexity and vulnerability over networks due to threats like capturing passwords and replaying authentication sequences.
• Challenge-response protocols can mitigate some security risks associated with remote authentication.

Case Study: ATM Security Problems

• Small to mid-sized debit card issuers often rely on processors for core data processing and electronic funds transfer, leading to potential vulnerabilities in ATM security.

Description

This quiz covers essential concepts of user authentication, including password-based, token-based, and biometric methods. You will explore digital identity principles and prevalent security issues related to user authentication. Test your knowledge on the guidelines and best practices for ensuring secure user access.