Exercises: Authentication

These exercises move from vocabulary to design judgment. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — try every problem before you read one.

Work in your own notebook or a private repository. Where an exercise asks you to "score," "design," or "draft," there is rarely one perfect answer; the reasoning matters more than the wording. Every hands-on task assumes your own lab or accounts you are authorized to use — never someone else's login.


Part A — Factors and assurance ⭐

1.† Name the three authentication factors, give two concrete examples of each, and state the one defining weakness of each category in a single phrase.

2. Classify each as a knowledge, possession, or inherence factor: (a) a TOTP code from an authenticator app; (b) a fingerprint; (c) a PIN; (d) a FIDO2 hardware key; (e) the answer to "your mother's maiden name"; (f) an SMS one-time passcode; (g) iris geometry; (h) a smart card.

3. A vendor markets "two-factor authentication: your password and a security question." Is this genuine MFA? Explain using the independence-of-categories idea, and describe a single attack that defeats both at once.

4.† Map each login to the most fitting NIST 800-63 assurance level (AAL1 / AAL2 / AAL3) and justify: (a) password only; (b) password + push with number matching; (c) FIDO2 hardware key only; (d) password + SMS OTP; (e) a synced passkey.

5. In one or two sentences each, explain why AAL3 requires phishing resistance but AAL2 does not, and give one Meridian asset that should be protected at AAL3.


Part B — Password storage and policy ⭐⭐

6.† For each storage scheme, state whether it is acceptable for storing user passwords and why: (a) plaintext; (b) MD5(password); (c) SHA256(password) with no salt; (d) SHA256(salt + password); (e) bcrypt(password) with a per-user salt and a real work factor; (f) Argon2id(password).

7. Explain, with reference to the two attacks they each defeat, why both a per-user salt and a deliberately slow, memory-hard hash are required. What does each defend against that the other does not?

8.† A random 10-character password is drawn uniformly from the 94 printable ASCII symbols. A passphrase is 4 words drawn uniformly from a 7,776-word list. Compute the entropy of each in bits (use $\log_2 94 \approx 6.55$, $\log_2 7776 \approx 12.92$) and say which is stronger. Then explain why a human-chosen "P@ssw0rd1" has far less effective entropy than the formula suggests.

9. Modern NIST guidance reversed several long-standing password rules. List three old rules it now discourages or forbids, and for each give the behavioral reason the old rule backfired.

10. ⭐⭐ Find the weak policy. A bank's password policy reads: "Minimum 8 characters; must contain upper, lower, digit, and symbol; must be changed every 60 days; cannot paste into the field; security question required as the second factor." Identify every clause that contradicts modern guidance, explain why each is harmful, and rewrite the policy correctly.


Part C — MFA and its failure modes ⭐⭐

11.† Rank SMS OTP, TOTP, and push-with-number-matching from most to least phishable. For each, name one attack it resists and one attack it does not.

12. Explain a SIM-swap attack step by step, name the exact thing the attacker gains possession of, and state two controls that prevent the attack from completing a high-value transaction.

13.† Explain a push-fatigue (MFA-fatigue) attack and why every cryptographic check still "passes" during it. Then explain precisely how number matching defeats it.

14. Why does TOTP resist SIM swap when SMS OTP does not, yet both remain vulnerable to real-time phishing? Reference what is actually proven by "possession" in each case.

15. ⭐⭐⭐ Design it. A consumer service with 5 million users wants to deploy MFA but cannot assume every user owns a security key. Propose a phased plan that (a) gives some MFA to everyone quickly, (b) hardens the weakest factor against its known attacks, and (c) moves toward phishing resistance over time. Name the controls at each phase and the residual risk that remains.


Part D — Phishing-resistant MFA ⭐⭐–⭐⭐⭐

16.† Give the two independent reasons a FIDO2 signature captured by a phishing site is useless at the real site. Tie each reason to a specific step of the WebAuthn flow (Figure 16.2).

17. Distinguish passwordless from phishing-resistant. Give one method that is passwordless but phishable, and explain the single property (one phrase) that makes FIDO2 phishing-resistant.

18.† Compare a device-bound hardware security key with a synced passkey across: where the private key lives, recovery if lost, best-fit use case, and the principal residual risk. Then recommend which Meridian should use for (a) the general workforce and (b) domain administrators, and why.

19. ⭐⭐⭐ Design it. Sketch a phishing-resistant MFA rollout for Meridian's Tier 3 assets (money movement, admin, core/CDE access). Address enrollment, backup keys, the help-desk recovery path (the new soft target), and how you would detect attempts to bypass the standard. One page.

20. Explain why FIDO2's origin binding also defeats an adversary-in-the-middle (AITM) relay proxy that perfectly mirrors the real login page, when number-matched push does not.


Part E — Biometrics ⭐⭐

21.† Define FAR, FRR, and CER. Explain the tradeoff between FAR and FRR as the match threshold moves, and state which metric lets you compare two biometric systems on one number.

22. Explain why a biometric must not be used as a network secret, and describe the correct architecture (the one your phone uses) that gives you the convenience of inherence with the network security of possession.

23. ⭐⭐⭐ A startup proposes a "frictionless" login where the user's face image is uploaded to the server and matched against a stored face image on file. List every security and ethics problem with this design, and propose a redesign that achieves the same user experience safely.


Part F — Analyze this (telemetry) ⭐⭐

24.† Analyze the auth log. You are handed this illustrative excerpt (times UTC; source IPs in documentation range 203.0.113.0/24):

03:14:01  user=jlopez@ex   src=203.0.113.10  result=SUCCESS
03:14:01  user=msingh@ex   src=203.0.113.55  result=FAIL  reason=bad_password
03:14:02  user=awong@ex    src=203.0.113.91  result=FAIL  reason=bad_password
03:14:02  user=dpatel@ex   src=203.0.113.12  result=SUCCESS
03:14:03  user=kobrien@ex  src=203.0.113.77  result=FAIL  reason=bad_password
   ... ~4,000 DISTINCT users in 6 minutes, ~2% SUCCESS, IPs spread across the /24 ...

(a) What attack is this most likely to be? (b) Name the two strongest indicators in the data. (c) Why will simple per-account lockout largely miss this? (d) Name the single most decisive control that makes the attack's success rate irrelevant.

25. Analyze the auth log. A different excerpt:

09:00:00  user=aadams@ex   src=203.0.113.7   result=FAIL  pw_fp=7B2
09:02:00  user=bbaker@ex   src=203.0.113.7   result=FAIL  pw_fp=7B2
09:04:00  user=cclark@ex   src=203.0.113.7   result=SUCCESS pw_fp=7B2
09:06:00  user=ddavis@ex   src=203.0.113.7   result=FAIL  pw_fp=7B2
   ... one pw_fp across 300 distinct users, spaced ~2 min apart, from one source ...

(a) What attack is this, and how does its shape differ from Exercise 24? (b) Why does per-account lockout fail here specifically? (c) What detection logic would catch it, and what single set-time control would have prevented the one success?

26.† Analyze this. At 14:02 UTC a user authenticates successfully from an IP geolocating to Lagos. At 13:58 the same user authenticated successfully from Chicago. (a) Name the detection. (b) What two underlying compromises could produce this? (c) Give one benign cause of a false positive and how you'd tune for it.

27. Analyze this. Over 90 seconds, one user's phone receives 22 push-approval prompts; the 22nd is approved from a new device in a new country. (a) Name the attack. (b) Which field sequence is the indicator? (c) Name two controls — one that prevents the approval, one that detects the burst.
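Added worked illustration for Exercises 26 and 27 (this is editor-added example code, not part of the exercise set or the Answers appendix): the speed-between-logins detection and the prompt-burst detection, run over constructed events. The GeoIP table, the VPN egress list, the usernames, and the timestamps are all assumptions built for the example; a real deployment would query a GeoIP database and its own VPN inventory.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed GeoIP stand-in: source IP -> (city, lat, lon). Real systems query a GeoIP database.
GEO = {
    "203.0.113.7":  ("Chicago",   41.88, -87.63),
    "203.0.113.40": ("Lagos",      6.52,   3.38),
    "203.0.113.55": ("Milwaukee", 43.04, -87.91),
    "203.0.113.99": ("Frankfurt", 50.11,   8.68),   # assumed corporate VPN egress
}
VPN_EGRESS = {"203.0.113.99"}   # tuning knob: a known egress lets a user "jump" legitimately

def T(hhmmss):
    """Constructed same-day UTC timestamp."""
    return datetime.fromisoformat("2024-01-01T" + hhmmss)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(logins, max_kmh=1000.0):
    """logins: (user, ts, src_ip) successes. Alert when consecutive logins imply a speed above max_kmh."""
    by_user = defaultdict(list)
    for user, ts, ip in logins:
        by_user[user].append((ts, ip))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        for (t1, ip1), (t2, ip2) in zip(evs, evs[1:]):
            if ip1 in VPN_EGRESS or ip2 in VPN_EGRESS:
                continue                                    # benign cause handled by allowlisting the egress
            c1, c2 = GEO[ip1], GEO[ip2]
            km = haversine_km(c1[1], c1[2], c2[1], c2[2])
            hours = max((t2 - t1).total_seconds(), 1.0) / 3600.0   # floor at 1 s to avoid division by zero
            speed = km / hours
            if speed > max_kmh:
                alerts.append({"user": user, "from": c1[0], "to": c2[0], "km": round(km), "kmh": round(speed)})
    return alerts

def push_fatigue(prompts, known_countries, min_prompts=10, window=timedelta(minutes=5)):
    """prompts: (user, ts, action, login_country). Alert on an APPROVE that closes a burst of at least
    min_prompts prompts inside the window and comes from a country the user has never approved from."""
    by_user = defaultdict(list)
    for p in prompts:
        by_user[p[0]].append(p)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda p: p[1])
        for i, (_, ts, action, country) in enumerate(evs):
            burst = [p for p in evs[:i + 1] if ts - p[1] <= window]
            if action == "APPROVE" and len(burst) >= min_prompts and country not in known_countries.get(user, set()):
                alerts.append({"user": user, "prompts": len(burst), "country": country,
                               "sequence": "".join(p[2][0] for p in burst)})   # e.g. DDDD...A
    return alerts

# Constructed samples: Exercise 26 (Chicago 13:58 -> Lagos 14:02), a benign commute, a VPN hop,
# and Exercise 27 (22 prompts in under 90 s, the last approved from a new country).
SAMPLE_LOGINS = [
    ("rkim@ex",   T("13:58:00"), "203.0.113.7"),
    ("rkim@ex",   T("14:02:00"), "203.0.113.40"),
    ("jlopez@ex", T("08:00:00"), "203.0.113.7"),
    ("jlopez@ex", T("10:00:00"), "203.0.113.55"),
    ("jlopez@ex", T("12:00:00"), "203.0.113.99"),
]
SAMPLE_PROMPTS = [("tmiller@ex", T("09:00:00") + timedelta(seconds=4 * i), "DENY", "NG") for i in range(21)]
SAMPLE_PROMPTS += [("tmiller@ex", T("09:01:24"), "APPROVE", "NG"), ("jlopez@ex", T("09:30:00"), "APPROVE", "US")]
KNOWN_COUNTRIES = {"tmiller@ex": {"US"}, "jlopez@ex": {"US"}}

if __name__ == "__main__":
    print(impossible_travel(SAMPLE_LOGINS))
    print(push_fatigue(SAMPLE_PROMPTS, KNOWN_COUNTRIES))
```

The speed threshold and the egress allowlist are the two tuning points: lowering one or emptying the other trades false positives for coverage, which is exactly the trade-off part (c) of Exercise 26 asks you to reason about.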


Part G — Write it / build it ⭐⭐–⭐⭐⭐

28.† Write the auth standard. Draft a one-page authentication standard for Meridian using AAL-by-asset-tier. Define at least four tiers (public, workforce, customer banking, money-movement/admin), assign an AAL and the required authenticator(s) to each, and add storage and policy clauses (hashing, expiration, screening, paste/managers). State two residual risks the standard creates.

29. Write the rule. Express, in pseudocode or a SIEM-style query, a cross-account password-spray detection: alert when one password fingerprint is tried against at least N distinct accounts within a time window. Explain why grouping by password (not by account) is the key idea.
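Added worked illustration serving Exercises 24, 25 and 29 (editor-added example code, not part of the exercise set or the Answers appendix): a parser for the log layout shown in the excerpts, constructed lines reproducing both spray shapes, and two detections, one keyed on the many-accounts-in-a-window shape of Exercise 24 and one keyed on the password fingerprint as Exercise 29 specifies. The usernames, the `pw_fp` value `7B2`, and the thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field layout of the excerpts in Exercises 24 and 25 (reason and pw_fp are optional).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)"
    r"(?:\s+reason=(?P<reason>\S+))?(?:\s+pw_fp=(?P<pw_fp>\S+))?"
)

def parse_line(line):
    """Return a dict for one log line, or None for filler such as the '...' rows."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%H:%M:%S")   # the excerpts are same-day UTC times
    return ev

def build_sample_lines():
    """Constructed lines: a fast spray across the /24, then a slow one-source spray with one pw_fp."""
    lines = []
    base = datetime(2000, 1, 1, 3, 14, 0)
    for i in range(600):                      # 600 distinct users in 5 minutes, 2% succeed, IPs across the /24
        ts = (base + timedelta(seconds=i // 2)).strftime("%H:%M:%S")
        result = "SUCCESS" if i % 50 == 0 else "FAIL  reason=bad_password"
        lines.append(f"{ts}  user=u{i:04d}@ex  src=203.0.113.{i % 254 + 1}  result={result}")
    base = datetime(2000, 1, 1, 9, 0, 0)
    for i in range(300):                      # one fingerprint, 300 users, 2 min apart, one source
        ts = (base + timedelta(minutes=2 * i)).strftime("%H:%M:%S")
        result = "SUCCESS" if i == 2 else "FAIL"
        lines.append(f"{ts}  user=v{i:03d}@ex  src=203.0.113.7  result={result}  pw_fp=7B2")
    return lines

def max_failures_per_account(events):
    """What per-account lockout sees: the busiest single account. Both sprays leave this at 1."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]] += 1
    return max(fails.values(), default=0)

def spray_distributed(events, window=timedelta(minutes=10), min_users=500, max_success=0.10):
    """Exercise 24 shape: many distinct accounts in a short window with a low success ratio."""
    evs = sorted(events, key=lambda e: e["ts"])
    start = 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        win = evs[start:end + 1]
        users = {e["user"] for e in win}
        if len(users) >= min_users:
            rate = sum(e["result"] == "SUCCESS" for e in win) / len(win)
            if rate <= max_success:
                return {"users": len(users), "sources": len({e["src"] for e in win}),
                        "success_rate": round(rate, 3)}
    return None

def spray_by_password(events, min_accounts=20, window=timedelta(hours=24)):
    """Exercise 29 rule: one pw_fp tried against >= min_accounts distinct users inside the window.
    Grouping by password rather than by account is what makes the one-try-per-account spray visible."""
    by_fp = defaultdict(list)
    for e in events:
        if e.get("pw_fp"):
            by_fp[e["pw_fp"]].append(e)
    alerts = []
    for fp, evs in by_fp.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            if len(users) >= min_accounts and (best is None or len(users) > best["accounts"]):
                best = {"pw_fp": fp, "accounts": len(users), "sources": len({e["src"] for e in win}),
                        "first": win[0]["ts"].strftime("%H:%M:%S"), "last": win[-1]["ts"].strftime("%H:%M:%S")}
        if best:
            alerts.append(best)
    return alerts

if __name__ == "__main__":
    events = [e for e in map(parse_line, build_sample_lines()) if e]
    print("max failures on any one account:", max_failures_per_account(events))
    print("distributed spray:", spray_distributed(events))
    print("spray by password:", spray_by_password(events))
```

Running it on the constructed lines shows the point of Exercise 24(c) and 25(b) directly: no account ever accumulates more than one failure, so an account-keyed lockout never fires, while both window-keyed detections do.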

30. Find the vulnerability (secure-code review). Review this illustrative login handler and list every authentication weakness, then rewrite it correctly:

import hashlib

def login(username, password, db):
    row = db.query("SELECT pwd FROM users WHERE name = '%s'" % username)
    if row and row["pwd"] == hashlib.md5(password.encode()).hexdigest():
        return make_session(username)        # no MFA, no rate limit
    return None
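Added reference implementation of a hardened handler (editor-added example code, not the page's own rewrite and not the Answers appendix): parameterized SQL, a per-user salt with a memory-hard hash, a constant-time digest comparison, a per-account throttle, and a second factor before any session is issued. It uses only the standard library, so scrypt stands in for Argon2id (which needs a third-party package), an in-memory SQLite table stands in for the user store, and the in-process failure counter stands in for a real rate limiter; all of those are assumptions of the example.

```python
import base64, hashlib, hmac, os, sqlite3, struct, time
from collections import defaultdict

SCRYPT = {"n": 2 ** 14, "r": 8, "p": 1}    # memory-hard cost; stored with each hash so it can be raised later
MAX_FAILS, LOCK_SECONDS = 5, 300             # per-account throttle (pair with per-source and global limits in practice)

def hash_password(password, salt=None):
    """Per-user random salt + scrypt; the encoded string carries its own parameters."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT)
    return "scrypt${n}${r}${p}${salt}${digest}".format(salt=salt.hex(), digest=digest.hex(), **SCRYPT)

def verify_password(password, stored):
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))   # constant-time compare

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), used here as the possession factor."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(base64.b32decode(secret_b32), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

DUMMY_HASH = hash_password("placeholder-so-unknown-users-cost-the-same")   # equalizes timing for unknown names

class AuthService:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pwd TEXT NOT NULL, totp_secret TEXT)")
        self.fails = defaultdict(list)      # username -> recent failure timestamps
        self.pending = {}                   # username -> deadline for completing the second factor

    def add_user(self, name, password, totp_secret=None):
        self.db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, hash_password(password), totp_secret))

    def _throttled(self, name, now):
        self.fails[name] = [t for t in self.fails[name] if now - t < LOCK_SECONDS]
        return len(self.fails[name]) >= MAX_FAILS

    def login(self, name, password, now=None):
        """First factor. Returns None on any failure (same response for unknown user, bad password, throttle)."""
        now = time.time() if now is None else now
        if self._throttled(name, now):
            return None
        row = self.db.execute("SELECT pwd, totp_secret FROM users WHERE name = ?", (name,)).fetchone()
        ok = verify_password(password, row[0] if row else DUMMY_HASH) and row is not None
        if not ok:
            self.fails[name].append(now)
            return None
        self.fails[name].clear()
        if row[1]:                                          # enrolled in MFA: no session yet
            self.pending[name] = now + 120
            return {"user": name, "stage": "mfa_required"}
        return {"user": name, "stage": "authenticated", "session": os.urandom(24).hex()}

    def complete_mfa(self, name, code, now=None):
        now = time.time() if now is None else now
        if self.pending.get(name, 0) < now:
            return None
        secret = self.db.execute("SELECT totp_secret FROM users WHERE name = ?", (name,)).fetchone()[0]
        if not any(hmac.compare_digest(totp(secret, now + d * 30), code) for d in (-1, 0, 1)):
            self.fails[name].append(now)
            return None
        del self.pending[name]
        return {"user": name, "stage": "authenticated", "session": os.urandom(24).hex()}
```

Two design choices are worth noticing when you compare this with the handler above: the failure path returns the same `None` whether the name exists or not, and it still runs a full scrypt computation against a dummy hash in the unknown-user case, so neither the response nor its timing tells the caller which usernames are real.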

31. ⭐⭐⭐ Respond to this incident. Meridian's SOC sees a spike of MFA prompts to a senior teller, then a successful login and an immediate password reset followed by a new authenticator enrollment from a foreign IP. Write the first five containment/response steps in order, and say which one you would do first and why.

32.† Write three rows of an authentication risk register for Meridian (risk, affected asset, likelihood 1–5, impact 1–5, score/band, proposed treatment), drawn from the attacks in this chapter and distinct from one another.


Part H — CTF-style challenge ⭐⭐⭐

33.† The "compliant" disaster. A SaaS vendor proudly tells Meridian: "We're secure — we enforce 12-character passwords with full complexity, rotate them every 30 days, and we hash with SHA-256." In a short memo, identify every place this claim is weaker than it sounds (storage and policy), explain what a database breach of this vendor would actually cost, and list the three changes that would most improve their posture, in priority order. (Part of the challenge: complexity + rotation + "we hash" can all be true and still be badly insecure.)


Part I — Interleaved & forward-looking ⭐⭐

34. (Builds on Chapter 4.) A FIDO2 login is "a digital signature over a challenge plus the origin." Using Chapter 4's vocabulary, identify which key signs, which key verifies, and why the website storing only a public key means a breach of its credential database does not expose anyone's login.

35. (Builds on Chapter 3.) Classify MFA and breach-password screening by control function (preventive/detective/corrective) and type (administrative/technical/physical). Then name one detective authentication control from this chapter and one corrective action after a takeover.

36. ⭐⭐⭐ (Sets up Chapters 17–18.) Phishing-resistant MFA pushes attackers toward the account-recovery and help-desk paths instead of the login. In half a page, predict why identity governance and access reviews (Chapter 18) and strong authorization (Chapter 17) become more important, not less, once you deploy unphishable login.

37. (Sets up Chapter 32.) Zero trust re-verifies identity continuously rather than once at the door. Give two reasons phishing-resistant authentication and short-lived, bound sessions are preconditions for zero trust to be trustworthy.


Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor.