Digital : Authentication_FP (62249)
Software Security (4774) : SSA E1 Developer (13256)
Digital : Authentication_FP Assessment Answers (62249)
Which of the following is an advantage of using SSO?
a. Improved user experience as the user does not have to enter credentials to access every new application.
b. All the above options
c. Reduces the number of passwords to remember, secure, and manage. With SSO, a single login with user ID and password enables secure access to multiple applications.
d. Simplifies identity and access management, because a single/same identity can be centrally managed, and securely propagated to all target applications or service providers.
Answer: All the above options
Apart from typical SSO between browser-based web applications, where all can SSO be used?
a. SSO between a desktop (domain authentication) and other applications/systems accessible via web browsers from the same desktop. For example, Integrated Windows Authentication, where a user who is already logged in, can seamlessly access designated web app
b. SSO between multiple backend business services which do not have any presentation layer. For example, a web page calls service A on a server, which in turn calls service B on a different server in the same data center to perform a task. Service A has to p
c. All the above options
d. SSO between native mobile applications
Answer: All the above options
Is an application required to generate a new session after authentication?
a. Required
b. Not required
c. Mandatory if the application is deployed on multiple application servers.
Answer: Required
Which of the following types of attack is prevented by multi-factor authentication? Please choose the correct options from below list
a. Stolen credential re-use
b. Brute force
c. Automated
d. All the above options
e. Credential stuffing
Answer: All the above options
Home Realm Discovery behavior provided by Azure Active Directory enables credentials to be stored in a corporate AD. Please choose the correct options from below lists
a. FALSE
b. TRUE
Answer: TRUE
What is principal authentication? Choose the correct answer from below options
a. C) A person, computer, printer, device, or a group of these. For example, a person can be given a user ID as an identifier, which can then be used by a system to authenticate the user.
b. B) An entity that can be authenticated by a system by using the identifier associated with that entity.
c. B) and C)
d. A) An authentication mechanism in which a user enters a principal value during authentication.
e. All the above options
Answer: B) and C)
Is an application required to generate a new session after authentication? Choose the correct answer from below options
a. Required
b. Not required
c. Mandatory if the application is deployed on multiple application servers.
Answer: Required
What is SAML? Choose the correct answer from below options
a. B) Security And Markup Language
b. D) A secure SSO specification from Microsoft.
c. C) An open standard to securely exchange authentication/identity and authorization information between an identity provider and a service provider. An SAML token is based on XML.
d. A) Security Assertion Markup Language
e. A) and C)
Answer: A) and C)
Authorization can be done only after completing the identification and authentication process. Choose the correct answer from below options
a. TRUE
b. FALSE
Answer: TRUE
What is "OAuth"? Please choose the correct options from below list
a. Authentication with an "O".
b. An open standard that allows users to share personal resources stored on a site with another site, without having to share their credentials.
c. An open standard that allows users to securely share their credentials, typically username and password with other websites or entities.
d. None of the above options
Answer: An open standard that allows users to share personal resources stored on a site with another site, without having to share their credentials.
The SameSite cookie attribute helps prevent which of the following? Please choose the correct options from below list
a. SQL injection
b. XSS
c. Server misconfiguration issues
d. Cross-origin information leakage
Answer: Cross-origin information leakage
A JWT can be stored at which of the following locations? Please choose the correct options from below list
a. sessionStorage
b. localStorage
c. serverStorage
d. localStorage and sessionStorage
Answer: localStorage and sessionStorage
JWT tokens are prone to XSS attacks. Please choose the correct options from below list
a. TRUE
b. FALSE
Answer: TRUE
The processes of identification and authentication are the same. Please choose the correct options from below list
a. TRUE
b. FALSE
Answer: FALSE
In a typical "Web SSO" scenario, a secure, transient HTTP cookie can be used to exchange an SSO token between an "identity provider" and a "service provider". State True or false? Please choose the correct options from below list
a. TRUE
b. FALSE
Answer: TRUE
____________ refers to the validity of a claimed identity. Please choose the correct options from below list
a. Authorization
b. Identification
c. Authentication
Answer: Authentication
What is "SiteMinder Web Access Management"? Please choose the correct options from below list
a. All the above options
b. A product by CA Technologies to ensure cross-browser compatibility and accessibility of web applications.
c. A product by CA Technologies which has cross-platform SSO, and other web access management capabilities like centralized authentication, authorization policy enforcement, etc.
d. A product by CA Technologies used to access web sites without the need of a web browser.
Answer: A product by CA Technologies which has cross-platform SSO, and other web access management capabilities like centralized authentication, authorization policy enforcement, etc.
What is federated SSO? Please choose the correct options from below list
a. A mechanism that provides an SSO token that can be trusted for identity assertion by multiple entities across multiple identity management systems.
b. SSO across federal states of a nation.
c. None of the above options
Answer: A mechanism that provides an SSO token that can be trusted for identity assertion by multiple entities across multiple identity management systems.
In the stateless JWT authentication method, user sessions are not stored at server side. Please choose the correct options from below list
a. TRUE
b. FALSE
Answer: TRUE
Which of the following are protocols used for SSO? Please choose the correct options from below list
a. Kerberos
b. OpenID
c. SAML
d. OAuth
e. All the above options
Answer: All the above options
A JWT contains which of the following? Please choose the correct options from below list
a. header, signature, and footer delimited by
b. header, footer, and signature delimited by
c. header, payload, and signature delimited by
Answer: header, payload, and signature delimited by
Which of the following methods is the best one to save a password? Please choose the correct options from below list
a. Hashed
b. Salted hash
c. Encrypted
d. Plain text
Answer: Salted hash
Is it okay to share a session ID via a URL? Please choose the correct options from below list
a. Yes, sharing a session ID is okay, as it is going only to the intended user.
b. Yes, if the application is performing URL redirecting.
c. An application must not share a session ID via a URL.
Answer: An application must not share a session ID via a URL.
What is “credential stuffing”?
a. The process wherein an application stores used passwords and prevents a user from using the last three passwords used
b. The process where stolen account credentials (usernames and/or email addresses and the corresponding passwords), mostly from a data breach, are used to gain unauthorized access
Answer: The process where stolen account credentials (usernames and/or email addresses and the corresponding passwords), mostly from a data breach, are used to gain unauthorized access
If you have a set of SSO-enabled applications that are accessible via different smartphones, tablets, and other smart “mobile” devices, there is a relatively higher security risk associated with SSO as compared to accessing those applications via laptops or desktops only.
a. True
b. False
Answer: True
The processes of identification and authentication are the same.
a. True
b. False
Answer: False
An SSO token is a master key to get access to multiple systems/applications with a “single” login. Therefore, it is very important to protect the master key from theft, spoofing, or forgery. What are the typical methods to protect an SSO token from various threats?
a. Implement a “source IP check”, that is, the source IP of the end-client device which was used to provide the user credentials to generate the SSO token for the first time should match the source IP of the end client device for all subsequent requests cont
b. Digitally sign the SSO token to protect against man-in-the-middle manipulations, and encrypt the token with a time-variant encryption key/algorithm. Exchange the token over SSL
c. If the SSO token is being exchanged using an HTTP cookie, set the “HttpOnly” attribute of the cookie to prevent cookie access via client-side JavaScript; define a server-side “timeout” for the SSO token. The token should be invalid after the timeout period
d. All the above options
e. Invalidate the SSO token on server-side for subsequent use after the user logs off from any of the SSO-enabled applications/systems, that is, after Single Sign-Off
Answer: All the above options
____________ refers to the validity of a claimed identity.
a. Identification
b. Authentication
c. Authorization
Answer: Authentication
What is “SiteMinder Web Access Management”?
a. product by CA Technologies to ensure cross-browser compatibility and accessibility of web applications
b. product by CA Technologies used to access web sites without the need of a web browser
c. product by CA Technologies which has cross-platform SSO, and other web access management capabilities like centralized authentication, authorization policy enforcement, etc.
d. All the above options
Answer: A product by CA Technologies which has cross-platform SSO, and other web access management capabilities like centralized authentication, authorization policy enforcement, etc.
Is it okay to share a session ID via a URL?
a. Yes, if the application is performing URL redirecting.
b. An application must not share a session ID via a URL.
c. Yes, sharing a session ID is okay, as it is going only to the intended user.
Answer: An application must not share a session ID via a URL.
JWT tokens are prone to XSS attacks.
a. True
b. False
Answer: True
Note: This MCQ aims to achieve a 90% accuracy rate. If you notice any errors in the answers, please comment below and contribute to reaching 100% accuracy.