Quiz: Authentication

A 27-question self-check covering the chapter's factors, storage, MFA, phishing resistance, biometrics, and credential attacks. Questions tagged [Sec+] map to CompTIA Security+ and [CISSP] to the (ISC)² CISSP, so certification candidates can self-assess. Answers and one-line explanations are at the end; try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] Which combination is genuine multi-factor authentication?
   A. a password and a PIN
   B. a password and a security question
   C. a password and a hardware key
   D. two different passwords

2. [Sec+] Which weakness of something you know is not shared by something you have (such as a hardware key)? Knowledge:
   A. expires
   B. can be copied without taking anything (phished/leaked)
   C. is always short
   D. is biometric

3. The single best reason never to store passwords as MD5(password) is that it is:
   A. too slow
   B. fast and unsalted, so it falls to rainbow tables and GPU cracking
   C. not standardized
   D. illegal

4. [Sec+] A salt is added to password hashing primarily to:
   A. keep the password secret
   B. make identical passwords hash differently and defeat precomputation
   C. speed up verification
   D. satisfy compliance

5. [CISSP] NIST 800-63's AAL3 requires authenticators that are:
   A. memorized
   B. biometric
   C. phishing-resistant and hardware-based
   D. rotated every 90 days

6. Which attack does TOTP resist that SMS OTP does not?
   A. real-time phishing relay
   B. SIM swap
   C. credential stuffing
   D. push fatigue

7. [Sec+] In a push-fatigue (MFA-fatigue) attack, the attacker ultimately relies on:
   A. breaking the signature
   B. cracking the seed
   C. a tired user tapping "Approve"
   D. a SIM swap

8. The control that most directly defeats push fatigue without changing the factor is:
   A. longer codes
   B. number matching
   C. a CAPTCHA
   D. SMS fallback

9. [Sec+] FIDO2/WebAuthn is phishing-resistant because the login is:
   A. passwordless
   B. an origin-bound public-key signature with no relayable secret
   C. encrypted in transit
   D. backed by a biometric

10. In WebAuthn, the website (relying party) stores:
   A. the user's private key
   B. the user's password hash
   C. only the user's public key
   D. the biometric template

11. [CISSP] Credential stuffing exploits primarily:
   A. weak hashing
   B. password reuse across services
   C. SIM swapping
   D. expired certificates

12. Password spraying is designed specifically to evade:
   A. MFA
   B. per-account lockout
   C. TLS
   D. rate limiting per password

13. [Sec+] A biometric's most significant disadvantage versus a password is that it:
   A. is slower
   B. cannot be revoked or changed after compromise
   C. needs a network
   D. is always exact

14. "Impossible travel" detection flags:
   A. a slow login
   B. successful logins from geographically incompatible locations minutes apart
   C. too many password resets
   D. a weak password

15. [CISSP] The crossover error rate (CER) of a biometric system is the point where:
   A. FAR is zero
   B. FRR is zero
   C. FAR equals FRR
   D. throughput is maximized


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

16. "Turning on MFA of any kind makes a stolen password, by itself, insufficient to log in."

17. [Sec+] "A magic link emailed to the user is phishing-resistant because it is passwordless."

18. "Per-account lockout is an adequate defense against password spraying."

19. "A per-user salt removes the need for a slow, memory-hard hash."

20. [Sec+] "NIST now recommends forcing all users to change their passwords every 90 days."

21. "Sending a fingerprint image to a server to authenticate is a sound design if the channel is encrypted."


Section 3 — Fill in the blank (1 pt each)

22. The three authentication factor categories are something you ______, something you ______, and something you ______.

23. [Sec+] The NIST 800-63 scale describing confidence in an authenticator is the ______ assurance level, abbreviated ______.

24. A ______ is a FIDO2 credential used in place of a password; it may live on a hardware key or be ______ across a user's devices via a cloud credential manager.


Section 4 — Short answer (2 pts each)

25. [CISSP] Explain why a password plus a security question is not genuine two-factor authentication, and name a single attack that captures both at once.

26. Distinguish credential stuffing from password spraying by their shape in an authentication log, and state which one per-account lockout fails to catch and why.

27. [Sec+] A relying party uses FIDO2. An attacker stands up a perfect look-alike phishing site and lures a user to it. Give the two independent reasons the attacker still cannot log in to the real site.


Answer Key

1. **C** — a password (know) + a hardware key (have) are different categories; the others reuse *knowledge*.
2. **B** — knowledge can be copied (phished/leaked) without the owner losing or noticing it.
3. **B** — MD5 is fast and (as used) unsalted, so rainbow tables and GPUs crack it trivially.
4. **B** — the salt ensures uniqueness and defeats precomputation; it is not secret.
5. **C** — AAL3 requires phishing-resistant, hardware-based authenticators.
6. **B** — TOTP has no phone number to hijack, so SIM swap doesn't apply; it is still phishable by relay.
7. **C** — the attack defeats a *human*, not the crypto.
8. **B** — number matching forces the user to read a number off the genuine screen, defeating a reflexive tap.
9. **B** — origin-bound public-key signature, no relayable secret.
10. **C** — only the public key (a breach of it exposes nothing).
11. **B** — stuffing replays leaked pairs and bets on reuse.
12. **B** — spraying touches each account once or twice to slip under lockout.
13. **B** — you cannot reissue a biometric.
14. **B** — impossible travel.
15. **C** — CER is where FAR = FRR.
16. **T** — a different-category second factor renders a stolen password alone insufficient.
17. **F** — magic links are passwordless but *phishable* (relayable); passwordless ≠ phishing-resistant.
18. **F** — spraying is designed to evade per-account lockout; you need cross-account correlation.
19. **F** — salt defeats precomputation; the slow hash defeats brute-force speed — different attacks, both required.
20. **F** — NIST *discourages* routine periodic expiration; force changes only on evidence of compromise.
21. **F** — the server would be trusting the device's *report* of a biometric, creating an irrevocable central target; keep biometrics local as an unlock gesture.
22. know; have; are.
23. authenticator; AAL.
24. passkey; synced.
25. Both a password and a security-question answer are *something you know* — one category used twice — so they lack independence; a single phishing page (or a single breach) captures both.
26. Stuffing is *many distinct users × their one leaked password* (low success rate, often many IPs); spraying is *one/few common passwords × many distinct accounts* (low-and-slow). Per-account lockout fails on *spraying* because each account is touched only once, under the threshold — detection needs cross-account correlation.
27. (i) There is no relayable secret — the user produces a signature, not a code, so a fake page captures nothing reusable; (ii) origin binding — the browser binds the signature to the phishing origin, which the real site rejects (and the authenticator holds no key registered for the look-alike domain).

**Topics to review by question:** missed 1–2, 25 → §16.1; 3–4, 19 → §16.2 (storage); 5, 23 → §16.1 (AAL); 6–8, 16–18, 20 → §16.3; 9–10, 17, 27 → §16.4; 13, 15, 21 → §16.5; 11–12, 14, 26 → §16.6.