Chapter 8: Identity and Access Management

Key Phrase: "authenticate their users"

Explanation:
Correct Answer (D): Angela's organization is acting as an Identity Provider (IdP) because it is authenticating users and asserting that they are valid to other federation members.
Why others are wrong:

• A: Service provider provides services, but doesn't authenticate users.

• B: Relying party trusts the IdP’s authentication assertions but doesn't authenticate itself.

• C: Authentication provider is not a formal role in federated authentication.

Key Phrase: "preventing shared accounts"

Explanation:
Correct Answer (A): Password complexity requirements do not prevent users from sharing complex passwords. Users may still share passwords that meet the complexity requirements.
Why others are wrong:

• B: Biometric authentication requires physical presence and makes sharing more difficult.

• C & D: One-time passwords (OTP via tokens or applications) are harder to share and much more effective than just requiring complex passwords.

Key Phrase: "difference between on-premises and cloud-hosted identity services"

Explanation:
Correct Answer (B): In the cloud, the provider typically offers built-in account and identity management services, whereas on-premises services may require additional setup and maintenance.
Why others are wrong:

• A: While cloud services might set account policies, that’s not the major difference.

• C: Most cloud vendors support multifactor authentication, so this is not the distinguishing factor.

D: The difference is the level of management provided by the service, not "None of the above."

Key Phrase: "prevent users from resetting their password multiple times"

Explanation:
Correct Answer (D): Password age is the setting that ensures users cannot reset their password too frequently and reuse the old one.
Why others are wrong:

• A, B, C: Complexity, length, and expiration don’t affect the ability to reset and reuse passwords, they affect password creation and lifespan.

Key Phrase: "least secure multifactor authentication"

Explanation:
Correct Answer (B): SMS-based multifactor authentication is the least secure because it can be intercepted or hijacked through methods like SIM swapping.
Why others are wrong:

• A: HOTP is more secure as it generates a unique code every time.

• C: TOTP uses time-based codes which are also more secure than SMS.

• D: Biometrics are generally more secure than SMS and harder to spoof.

Key Phrase: "USB security key"

Explanation:
Correct Answer (A): A USB security key is a hard token, a physical device that generates or stores authentication credentials.
Why others are wrong:

• B: A biometric token would involve a physical trait like a fingerprint or facial scan, not a USB key.

• C: A soft token is a digital token typically stored in an app or software.

• D: An attestation token is used to verify the integrity of a device, not a user authentication method.

Key Phrase: "Windows picture password"

Explanation:
Correct Answer (B): A picture password is something the user knows — specific gestures (like taps or swipes) on a picture.
Why others are wrong:

• A: Somewhere you are refers to location-based authentication.

• C: Something you are refers to biometrics like fingerprints or face recognition.

• D: Someone you know is not a factor used in authentication.

Key Phrase: "Linux file permissions rw-r--r--"

Explanation:
Correct Answer (A): The rw-r--r-- permission setting means the owner can read and write the file, while the group and others can only read it.
Why others are wrong:

B, C, D: These are incorrect because they misinterpret the read, write, and execute permission settings for groups and others.

Key Phrase: "permissions based on job requirements"

Explanation:
Correct Answer (C): Role-Based Access Control (RBAC) assigns permissions based on the user's role within the organization, which is typically tied to their job responsibilities.
Why others are wrong:

• A: ABAC (Attribute-Based Access Control) uses other attributes, not just the role.

• B: DAC (Discretionary Access Control) gives users control over their own access rights, not job-based roles.

• D: MAC (Mandatory Access Control) is more rigid and enforced by the system, not based on the user's role.

Key Phrase: "most broadly deployed biometric technology"

Explanation:
Correct Answer (D): Fingerprint scanners are one of the most common biometric technologies used on mobile devices and laptops, making them widely deployed.
Why others are wrong:

• A: Voiceprint recognition is used but not as widely accepted or easy to deploy as fingerprint scanners.

• B: Gait recognition is not as commonly deployed.

• C: Retina scanners are specialized and less commonly used.