- ATRUE
- BFALSE
Identification, Authentication and Authorization - Quiz
- AInvalidate the SSO token on server-side for subsequent use after the user logs off from any of the SSO-enabled applications/systems, that is, after Single Sign-Off.
- BDigitally sign the SSO token to protect against man-in-the- middle manipulations, and encrypt the token with a time-variant encryption key/algorithm. Exchange the token over SSL.
- CIf the SSO token is being exchanged using an HTTP cookie, set the "HttpOnly" attribute of the cookie to prevent cookie access via client-side Javascript.
- DAll the above options
- AA mechanism of digitally "signing" the information exchanged between applications/systems.
- BA mechanism which enables using single physical "signature" to do all banking transactions!
- CA mechanism that enables a user to sign-in/login/authenticate to an application/system with their credentials only once, and then seamlessly access other applications/systems available in the same domain of trust (e.g. intranet portal of an organization),
- DNone of the above options.
- AAuthentication with an "O".
- BAn open standard that allows users to share personal resources stored on a site with another site, without having to share their credentials.
- CAn open standard that allows users to securely share their credentials, typically username and password with other websites or entities.
- DNone of the above options
- AA system or entity which can verify and prove identity to other systems/entities involved in the SSO mechanism. Typically, this is also the entity that generates and verifies the SSO token.
- BA system or entity which encrypts and provides the password of a user to other systems/entities involved in the SSO mechanism so that they can re-authenticate the user.
- CNone of the above options
- AOAuth
- BKerberos
- COpenID,SAML
- DAll the above options
- ASQL injection
- BCross-origin information leakage
- CServer misconfiguration issues
- DXSS
- AThe process where users reuse the same username/password combination across multiple sites.
- BThe process where stolen account credentials (usernames and/or email addresses and the corresponding passwords). mostly from a data breach are used to gain unauthorized access
- CThe process wherein an application stores used passwords and prevents a user from using the last three passwords used.
- AA) An authentication mechanism in which a user enters a principal value during authentication.
- BB) An entity that can be authenticated by a system by using the identifier associated with that entity.
- CC) A person, computer, printer, device, or a group of these. For example, a person can be given a user ID as an identifier, which can then be used by a system to authenticate the user.
- DB) and C)
Results:
🟢 Correct Answers: 🔴 Wrong Answers:
🟢 Correct Answers: 🔴 Wrong Answers:
Login to save results
Quiz Information
Quiz Information
Quiz Platform FAQ
General Information
- Number of Questions: Each quiz consists of 10 questions.
- Time Limit: You have 30 seconds per question. The total time to complete the quiz is 5 minutes.
- Multiple Attempts: You can take the quiz multiple times to improve your score.
Results and Feedback
- Result Analysis: After completing the quiz, you will see a results page with the following details:
- Correct Option for each question.
- Your Selected Option for each question.
- Explanation for each answer to help you understand why it is correct or incorrect.
- Percentage of Correct Answers to show your overall performance.
- Interactive Features: The platform provides feedback on each attempt to help you learn and improve.
Important Instructions
- Do Not Refresh: Do not refresh the page while taking the quiz. Refreshing the page will end the current quiz and a new quiz will start.
- Saving Your Quiz: To save your quiz progress and questions, log in to your account. Once logged in, you can view saved quizzes in your profile section.
- Mandatory Selection: All questions are mandatory to select. If you do not select all 10 questions, you will not be able to submit the quiz. Once all questions are selected, you will be able to see the Submit button. If you wait until the end of the time, the quiz will be auto-submitted by the system, and you will be able to see your results.
Tips for Taking the Quiz
- Manage Your Time: Keep track of the time for each question to ensure you have enough time to answer all 10 questions.
- Review Explanations: After the quiz, read the explanations provided for each answer to enhance your understanding of the material.
- Retake the Quiz: If desired, take the quiz again to improve your score and reinforce your learning.
- Avoid Refreshing: To prevent losing progress, avoid refreshing the page during the quiz.
- Log In to Save: If you want to save your quiz progress, log in to your account and check your profile section for saved quizzes.
Quiz Analytics
Identification, Authentication and Authorization - Quiz
Guest User
Time Taken: Questions: Answered: Not Answered:
Correct Answer:
Wrong Answer:
Percentage: %
- A. TRUE
- B. FALSE
Remarks:
Explanation:
Correct option:
FALSE
Explanation:
Identification and authentication are two distinct processes:
-
Identification is the process of claiming an identity (e.g., entering a username or providing an ID). It's essentially saying, "I am [this person]."
-
Authentication is the process of verifying that the claimed identity is valid (e.g., entering a password or using biometric data). It’s the step where the system checks if the user is indeed who they claim to be.
Thus, while they are related, they are not the same.
- A. Invalidate the SSO token on server-side for subsequent use after the user logs off from any of the SSO-enabled applications/systems, that is, after Single Sign-Off.
- B. Digitally sign the SSO token to protect against man-in-the- middle manipulations, and encrypt the token with a time-variant encryption key/algorithm. Exchange the token over SSL.
- C. If the SSO token is being exchanged using an HTTP cookie, set the "HttpOnly" attribute of the cookie to prevent cookie access via client-side Javascript.
- D. All the above options
Remarks:
Explanation:
Correct option:
All the above options
Explanation:
To protect an SSO token from theft, spoofing, or forgery, multiple methods are typically employed:
-
Invalidate the SSO token on server-side after logout: This ensures that the token cannot be used for subsequent authentication once the user logs off, preventing unauthorized access.
-
Digitally sign and encrypt the token: Digital signing helps protect the token against man-in-the-middle (MITM) attacks by ensuring its integrity, while encryption adds an additional layer of protection, especially by using time-variant encryption that changes over time.
-
Set the "HttpOnly" attribute for cookies: This prevents client-side JavaScript from accessing the token stored in cookies, reducing the risk of cross-site scripting (XSS) attacks.
All of these methods collectively help ensure the security of the SSO token.
- A. A mechanism of digitally "signing" the information exchanged between applications/systems.
- B. A mechanism which enables using single physical "signature" to do all banking transactions!
- C. A mechanism that enables a user to sign-in/login/authenticate to an application/system with their credentials only once, and then seamlessly access other applications/systems available in the same domain of trust (e.g. intranet portal of an organization),
- D. None of the above options.
Remarks:
Explanation:
Correct option:
A mechanism that enables a user to sign-in/login/authenticate to an application/system with their credentials only once, and then seamlessly access other applications/systems available in the same domain of trust (e.g. intranet portal of an organization).
Explanation:
Single Sign-On (SSO) is a user authentication process that allows a user to access multiple applications or systems with a single set of login credentials (e.g., username and password). After the initial login, the user can seamlessly navigate to other applications or systems within the same trusted domain without needing to re-enter credentials.
- A. FALSE
- B. TRUE
Remarks:
Explanation:
Correct option:
TRUE
Explanation:
Authorization is the process of granting or denying access to resources or actions based on the user's identity and permissions. However, authorization can only be performed after identification (the process of identifying the user or system) and authentication (the process of verifying that the identified entity is legitimate). Without these initial steps, the system would not know who the user is or whether they should be granted access to the requested resources.
- A. Authentication with an "O".
- B. An open standard that allows users to share personal resources stored on a site with another site, without having to share their credentials.
- C. An open standard that allows users to securely share their credentials, typically username and password with other websites or entities.
- D. None of the above options
Remarks:
Explanation:
Correct option:
An open standard that allows users to share personal resources stored on a site with another site, without having to share their credentials.
Explanation:
OAuth (Open Authorization) is an open standard for access delegation. It allows users to grant third-party applications limited access to their resources (like data) on another service without sharing their credentials (such as username and password). For example, a user might allow an application to access their Google contacts, but the application would not have access to their Google password. OAuth allows this secure delegation of access through access tokens, rather than exposing the user's credentials.
- A. A system or entity which can verify and prove identity to other systems/entities involved in the SSO mechanism. Typically, this is also the entity that generates and verifies the SSO token.
- B. A system or entity which encrypts and provides the password of a user to other systems/entities involved in the SSO mechanism so that they can re-authenticate the user.
- C. None of the above options
Remarks:
Explanation:
Correct option:
A system or entity which can verify and prove identity to other systems/entities involved in the SSO mechanism. Typically, this is also the entity that generates and verifies the SSO token.
Explanation:
In an SSO (Single Sign-On) solution, the identity provider (IdP) is the entity responsible for authenticating the user and verifying their identity. It provides identity information to other systems (called service providers) by generating and verifying the SSO token or authentication assertion, which allows users to access multiple applications without needing to authenticate again.
The IdP does not necessarily encrypt or provide passwords directly to other systems; instead, it manages user credentials and authentication.
- A. OAuth
- B. Kerberos
- C. OpenID,SAML
- D. All the above options
Remarks:
Explanation:
Correct option:
All the above options
Explanation:
All of the listed protocols are commonly used for Single Sign-On (SSO):
- OpenID Connect is a protocol that works on top of OAuth 2.0, allowing users to authenticate with an identity provider.
- SAML (Security Assertion Markup Language) is an XML-based protocol that allows secure exchange of authentication and authorization data between an identity provider and a service provider.
- Kerberos is a network authentication protocol that uses secret-key cryptography for authenticating users and services.
- OAuth is a token-based protocol primarily used for authorization but can also be used as part of SSO implementations.
Thus, all of these protocols can be used for implementing SSO.
- A. SQL injection
- B. Cross-origin information leakage
- C. Server misconfiguration issues
- D. XSS
Remarks:
Explanation:
Correct option:
Cross-origin information leakage
Explanation:
The SameSite cookie attribute is designed to prevent cross-origin information leakage by controlling how cookies are sent with cross-site requests. This helps protect against cross-site request forgery (CSRF) attacks by ensuring that cookies are only sent in first-party contexts (i.e., when the user is interacting directly with the site that set the cookie).
It does not directly prevent SQL injection, server misconfiguration issues, or XSS attacks.
- A. The process where users reuse the same username/password combination across multiple sites.
- B. The process where stolen account credentials (usernames and/or email addresses and the corresponding passwords). mostly from a data breach are used to gain unauthorized access
- C. The process wherein an application stores used passwords and prevents a user from using the last three passwords used.
Remarks:
Explanation:
Correct option:
The process where stolen account credentials (usernames and/or email addresses and the corresponding passwords), mostly from a data breach, are used to gain unauthorized access.
Explanation:
Credential stuffing is a type of cyberattack where attackers use stolen account credentials (username and password pairs) from one data breach to try and gain unauthorized access to users' accounts on other websites. This works because many people reuse the same login credentials across multiple services. If attackers have access to a breached dataset, they can automate login attempts on various websites, hoping to find users who have reused their credentials.
- A. A) An authentication mechanism in which a user enters a principal value during authentication.
- B. B) An entity that can be authenticated by a system by using the identifier associated with that entity.
- C. C) A person, computer, printer, device, or a group of these. For example, a person can be given a user ID as an identifier, which can then be used by a system to authenticate the user.
- D. B) and C)
Remarks:
Explanation:
Correct option:
B) and C)
Explanation:
Principal authentication involves verifying the identity of an entity (such as a person, device, or group) based on a unique identifier associated with that entity.
- B): Refers to an entity (e.g., a user, device) being authenticated using a unique identifier.
- C): Describes how a person or entity can be authenticated by a system through the use of an identifier (like a user ID).
Option A) is not specific to principal authentication and seems unrelated to the context of this question. Therefore, B) and C) are the correct options.