D and E are correct. It’s possible to collect facial scan data and perform

gait analysis without an enrollment process. You would use cameras to

observe subjects from a distance and collect data passively. You need a

formal enrollment process for fingerprints, retinas, irises, and palm vein

methods. Retina and iris scans need to be very close to the eye and are very

obvious. Palm vein methods require users to place their palm on a scanner.

While it’s possible to collect fingerprints passively, you still need an

enrollment process.

A is correct. This is using one-factor authentication—something you

know. The application uses the username for identification and the

password for authentication. Note that even though the application is

logging the location using Global Positioning System (GPS), there isn’t any

indication that it is using this information for authentication. Dual-factor

authentication requires another factor of authentication such as something

you are or something you have. Something you are authentication factor

refers to biometric authentication methods. The something you have

authentication factor refers to something you can hold, such as a smart card.

B is correct. A Time-based One-Time Password (TOTP) meets the

requirement of two-factor authentication (2FA). A user logs on with regular

credentials (such as a username and password), and then must enter an

additional one-time password. Some smartphone apps use HOTP and

display a new password every 30 seconds. An HMAC-based One-Time

Password (HOTP) creates passwords that do not expire until they are used.

Short message service (SMS) is sometimes used to send users a one-time

use password via email or a messaging app, but these passwords typically

don’t expire until at least 15 minutes later. Kerberos uses tickets instead of

passwords.

C is correct. A lower crossover error rate (CER) indicates a more

accurate biometric system. The false acceptance rate (FAR) and the false

rejection rate (FRR) vary based on the sensitivity of the biometric system

and don’t indicate accuracy by themselves. A higher CER indicates a less

accurate biometric system.

B is correct. A vein scan implemented with a palm scanner would be the

best solution of the available choices. The patient would place their palm on

the scanner for biometric identification, or if the patient is unconscious,

medical personnel can place the patient’s palm on the scanner. None of the

other biometric methods can be easily performed on an unconscious patient.

Gait analysis attempts to identify someone based on the way they walk. A

retina scan scans the retina of an eye, but this will be difficult if someone is

unconscious. Voice recognition identifies a person using speech recognition.

D is correct. Push notifications are user-friendly and non-disruptive.

Users receive a notification on a smartphone and can often acknowledge it

by simply pressing a button. An authentication application isn’t as user-

friendly as a push notification. It requires users to log on to the smartphone,

find the app, and enter the code. A Trusted Platform Module (TPM)

provides full drive encryption and would protect the data if someone

accessed the laptop, but it doesn’t prevent access. A hardware security

module (HSM) is a removable device that can generate and store RSA keys

used with servers. Neither a TPM nor an HSM is relevant in this question.

C is correct. Time-of-day restrictions should be implemented to ensure

that temporary workers can only access network resources during work

hours. The other answers represent good practices, but don’t address the

need stated in the question that “personnel need access to network

resources, but only during working hours.” Account expiration should be

implemented if the organization knows the last workday of these workers.

Account lockout will lock out an account if the wrong password is entered

too many times.

Password recovery allows users to recover a forgotten password or change

their password if they forgot their password. Password history remembers

previously used passwords and helps prevent users from using the same

password.