1. Which of the following is considered the weakest form of authentication?

a) Multi-Factor Authentication (MFA)
b) Biometric Authentication
c) Knowledge-Based Authentication (KBA)
d) Single-Factor Authentication (SFA)

✅ Answer: d) Single-Factor Authentication (SFA)
📝 Explanation: SFA relies on only one authentication factor (e.g., a password), making it vulnerable to brute-force attacks, phishing, and credential leaks. Multi-factor authentication (MFA) enhances security by requiring additional factors.


2. What is the primary drawback of password-based authentication?

a) High user convenience
b) Strong resistance to brute-force attacks
c) Susceptibility to phishing and credential leaks
d) Costly to implement

✅ Answer: c) Susceptibility to phishing and credential leaks
📝 Explanation: Passwords can be easily compromised through phishing attacks, keylogging, credential stuffing, and social engineering. Many users also reuse weak passwords, making them a security risk.


3. Which of the following authentication methods is NOT considered a part of multi-factor authentication (MFA)?

a) Something you know
b) Something you have
c) Something you like
d) Something you are

✅ Answer: c) Something you like
📝 Explanation: MFA requires at least two different factors:

  • Something you know (password, PIN)
  • Something you have (security token, mobile device)
  • Something you are (biometrics like fingerprint or facial recognition)

4. Which of the following authentication factors is a biometric factor?

a) OTP sent via SMS
b) Security key
c) Fingerprint scan
d) PIN

✅ Answer: c) Fingerprint scan
📝 Explanation: Biometrics (e.g., fingerprint, iris scan, facial recognition) belong to the “Something you are” category in authentication factors.


5. What is the main security risk of SMS-based OTP for 2FA?

a) It is expensive to send OTPs
b) SIM swap attacks and interception
c) Users find it difficult to use
d) OTPs are too long

✅ Answer: b) SIM swap attacks and interception
📝 Explanation: Attackers can perform SIM swap attacks or intercept SMS messages to gain unauthorized access, making SMS-based 2FA less secure than app-based authentication or hardware tokens.


6. Which authentication mechanism is the MOST secure?

a) Password-only authentication
b) Two-Factor Authentication (2FA) using SMS
c) Multi-Factor Authentication (MFA) using a biometric and a hardware key
d) Single Sign-On (SSO)

✅ Answer: c) Multi-Factor Authentication (MFA) using a biometric and a hardware key
📝 Explanation: MFA with a hardware key (e.g., a YubiKey) and biometrics is more secure than SMS-based 2FA, which is vulnerable to SIM hijacking and phishing.


7. What is the main benefit of using passkeys (FIDO2/WebAuthn)?

a) They eliminate the need for passwords
b) They are easier to remember
c) They require frequent resets
d) They work only on mobile devices

✅ Answer: a) They eliminate the need for passwords
📝 Explanation: Passkeys use public-key cryptography to authenticate users without traditional passwords, making them resistant to phishing and credential stuffing attacks.


8. What is a common attack against password authentication?

a) Man-in-the-Middle (MitM)
b) Password Spraying
c) SQL Injection
d) DDoS

✅ Answer: b) Password Spraying
📝 Explanation: Password spraying attacks try a few common passwords across many accounts to avoid account lockouts, unlike brute-force attacks that try many passwords against a single account.


9. Which of the following is NOT a good password policy?

a) Enforcing a minimum length of 12+ characters
b) Allowing password reuse
c) Encouraging passphrases instead of complex passwords
d) Enabling account lockout after multiple failed attempts

✅ Answer: b) Allowing password reuse
📝 Explanation: Password reuse allows attackers to exploit leaked credentials, making it easier to compromise multiple accounts.


10. What is a Time-based One-Time Password (TOTP)?

a) A password valid for a single session
b) A one-time password that changes every few seconds
c) A static password set by the user
d) A password that expires after a year

✅ Answer: b) A one-time password that changes every few seconds
📝 Explanation: A TOTP is generated from a shared secret and the current timestamp, making it more secure than SMS-based OTPs.


11. Which of the following reduces the risk of credential stuffing attacks?

a) Implementing CAPTCHA
b) Enforcing long and complex passwords
c) Using Web Application Firewalls (WAF)
d) Enabling Multi-Factor Authentication (MFA)

✅ Answer: d) Enabling Multi-Factor Authentication (MFA)
📝 Explanation: Credential stuffing attacks use stolen credentials from data breaches. MFA prevents unauthorized access even if the password is compromised.


12. What is the role of a hardware security key (e.g., YubiKey)?

a) To store user passwords securely
b) To provide an additional authentication factor
c) To replace the need for usernames
d) To encrypt user data

✅ Answer: b) To provide an additional authentication factor
📝 Explanation: Hardware security keys provide phishing-resistant authentication by requiring physical possession of the key.


13. Which of the following authentication mechanisms is most resistant to phishing?

a) Passwords
b) SMS-based OTP
c) Hardware security keys (FIDO2)
d) Security questions

✅ Answer: c) Hardware security keys (FIDO2)
📝 Explanation: FIDO2-based authentication is resistant to phishing since it requires physical presence and verifies the domain to prevent fake login pages.


14. Why should security questions NOT be used as a password recovery method?

a) Users forget their answers
b) Answers are often guessable or publicly available
c) They are expensive to implement
d) They are difficult to configure

✅ Answer: b) Answers are often guessable or publicly available
📝 Explanation: Security questions (e.g., “Mother’s maiden name?”) are often easily found via social engineering or public records.


15. What is the best practice for password storage in databases?

a) Store passwords in plain text
b) Encrypt passwords with AES
c) Hash passwords with a strong hashing algorithm and salt
d) Store only the first half of the password

✅ Answer: c) Hash passwords with a strong hashing algorithm and salt
📝 Explanation: Hashing (e.g., bcrypt, Argon2) ensures passwords cannot be reversed. Salting prevents rainbow table attacks.


16. Which of the following is an example of “Something You Have” in authentication?

a) A password
b) A mobile phone with an authenticator app
c) A fingerprint scan
d) A CAPTCHA test

✅ Answer: b) A mobile phone with an authenticator app
📝 Explanation: “Something You Have” refers to a physical possession such as a smartphone, security token, or hardware key used in authentication.


17. What is the most significant advantage of using passwordless authentication?

a) It reduces password fatigue for users
b) It allows password reuse across multiple accounts
c) It eliminates the need for security measures
d) It makes brute-force attacks easier

✅ Answer: a) It reduces password fatigue for users
📝 Explanation: Passwordless authentication removes the need for passwords, reducing phishing risks, credential stuffing attacks, and user frustration.


18. Which attack exploits weak authentication and allows an attacker to guess or brute-force credentials?

a) SQL Injection
b) Credential Stuffing
c) Cross-Site Scripting (XSS)
d) CSRF

✅ Answer: b) Credential Stuffing
📝 Explanation: Credential stuffing uses previously leaked passwords from data breaches to attempt logins on multiple sites, exploiting password reuse.


19. What is an advantage of using biometric authentication?

a) It is impossible to bypass
b) It can be changed frequently
c) It is unique to each individual
d) It does not require any hardware

✅ Answer: c) It is unique to each individual
📝 Explanation: Biometrics, such as fingerprints, iris scans, and facial recognition, are unique to each person, making them difficult to forge.


20. What is the primary security risk of biometric authentication?

a) Biometric data cannot be stolen
b) If compromised, it cannot be changed
c) It is always 100% accurate
d) It is easier to manage than passwords

✅ Answer: b) If compromised, it cannot be changed
📝 Explanation: Unlike passwords, biometric data (fingerprints, facial scans) cannot be changed, making it a permanent risk if stolen.


21. What is adaptive authentication?

a) A fixed authentication method
b) A type of phishing attack
c) A system that adjusts authentication requirements based on risk levels
d) A deprecated security mechanism

✅ Answer: c) A system that adjusts authentication requirements based on risk levels
📝 Explanation: Adaptive authentication (or risk-based authentication) dynamically increases security measures when detecting suspicious login activity.


22. What is the main benefit of using Single Sign-On (SSO)?

a) It requires users to create multiple passwords
b) It reduces the number of passwords users need to remember
c) It eliminates the need for MFA
d) It increases the risk of phishing

✅ Answer: b) It reduces the number of passwords users need to remember
📝 Explanation: SSO allows users to log in once and gain access to multiple systems, improving convenience and security while reducing password fatigue.


23. What is the primary function of OAuth in authentication?

a) To encrypt passwords
b) To provide delegated access without sharing credentials
c) To generate complex passwords for users
d) To store biometric data securely

✅ Answer: b) To provide delegated access without sharing credentials
📝 Explanation: OAuth allows users to grant third-party applications limited access to their accounts without revealing their credentials.


24. What is the most secure way to store authentication cookies?

a) Store them in local storage
b) Set them as HTTP-only and Secure
c) Store them in the browser cache
d) Use JavaScript to manage them

✅ Answer: b) Set them as HTTP-only and Secure
📝 Explanation: HTTP-only cookies prevent JavaScript access, reducing the risk of XSS attacks, while the Secure flag ensures they are transmitted only over HTTPS.


25. Which authentication factor is most vulnerable to social engineering attacks?

a) Passwords
b) Hardware tokens
c) Biometrics
d) FIDO2 authentication

✅ Answer: a) Passwords
📝 Explanation: Attackers can trick users into revealing passwords through phishing, vishing, and social engineering tactics.


26. What is the purpose of rate limiting in authentication?

a) To allow faster login attempts
b) To prevent brute-force attacks
c) To store passwords securely
d) To improve user experience

✅ Answer: b) To prevent brute-force attacks
📝 Explanation: Rate limiting restricts the number of login attempts allowed per unit of time, mitigating brute-force attacks and credential stuffing.


27. Why is email-based authentication recovery considered risky?

a) Emails are always encrypted
b) Email accounts are often compromised
c) It is more secure than hardware-based MFA
d) It does not require passwords

✅ Answer: b) Email accounts are often compromised
📝 Explanation: Attackers who compromise an email account can use it to reset passwords, making email-based recovery a potential weak link.


28. Which protocol is used for secure federated authentication?

a) FTP
b) OAuth
c) HTTP
d) SMTP

✅ Answer: b) OAuth
📝 Explanation: OAuth is widely used for federated authentication, enabling users to log in with third-party services securely.


29. Which attack can be mitigated by password hashing and salting?

a) DDoS
b) Rainbow Table Attacks
c) SQL Injection
d) Phishing

✅ Answer: b) Rainbow Table Attacks
📝 Explanation: Salting and hashing passwords prevents attackers from using precomputed hashes (rainbow tables) to crack passwords.


30. Which authentication method is recommended for high-security environments?

a) Password-based authentication only
b) MFA with phishing-resistant factors
c) SMS-based 2FA only
d) Security questions

✅ Answer: b) MFA with phishing-resistant factors
📝 Explanation: High-security environments should use MFA with hardware keys (FIDO2), biometric authentication, or passkeys.


31. Which attack is most likely to bypass SMS-based 2FA?

a) SQL Injection
b) SIM Swapping
c) Cross-Site Scripting (XSS)
d) Firewall Bypass

✅ Answer: b) SIM Swapping
📝 Explanation: SIM swapping allows attackers to take over a victim’s phone number and intercept SMS-based OTPs.


32. What is the benefit of WebAuthn?

a) It allows password reuse
b) It uses public-key cryptography for authentication
c) It relies on knowledge-based authentication
d) It does not require hardware

✅ Answer: b) It uses public-key cryptography for authentication
📝 Explanation: WebAuthn (FIDO2) enables passwordless authentication using public-private key cryptography, making it resistant to phishing.


33. What is a common security risk of using social logins (e.g., “Log in with Google”)?

a) It makes password management harder
b) It increases the risk of credential stuffing
c) If the social login provider is compromised, all linked accounts can be accessed
d) It requires users to create multiple accounts

✅ Answer: c) If the social login provider is compromised, all linked accounts can be accessed
📝 Explanation: If an attacker gains access to a user’s Google, Facebook, or LinkedIn account, they can use social logins to access multiple other services without needing separate credentials.


34. Which authentication factor is used in certificate-based authentication?

a) Something you have
b) Something you are
c) Something you know
d) Something you like

✅ Answer: a) Something you have
📝 Explanation: Certificate-based authentication requires a digital certificate stored on a device, which acts as proof of possession (e.g., smart card authentication).


35. Which of the following is a recommended security practice for authentication?

a) Allowing unlimited login attempts
b) Enforcing password complexity but not expiration
c) Storing passwords in plaintext
d) Using the same password for multiple accounts

✅ Answer: b) Enforcing password complexity but not expiration
📝 Explanation: Modern security guidelines recommend long, complex passwords but discourage forced periodic password changes unless there is suspicion of compromise.


36. What is an advantage of using hardware-based MFA tokens (e.g., YubiKey) over app-based authentication?

a) They are easier to use
b) They do not require internet access
c) They are immune to all attacks
d) They are cheaper than mobile authentication apps

✅ Answer: b) They do not require internet access
📝 Explanation: Hardware security keys like YubiKey work offline, making them resistant to phishing and MitM attacks.


37. Which feature helps prevent brute-force attacks on user accounts?

a) CAPTCHA
b) Allowing weak passwords
c) Disabling MFA
d) Using session cookies

✅ Answer: a) CAPTCHA
📝 Explanation: CAPTCHA blocks automated scripts from making login attempts, preventing brute-force attacks.


38. What does HMAC stand for in authentication mechanisms?

a) Hash-based Message Authentication Code
b) Highly Managed Access Control
c) Hierarchical Multi-Factor Access Credential
d) Hybrid Mode Authentication Challenge

✅ Answer: a) Hash-based Message Authentication Code
📝 Explanation: HMAC ensures data integrity and authentication using a cryptographic hash function and a secret key.


39. Why is enabling session timeout important for web authentication?

a) It improves website performance
b) It prevents unauthorized access if a session is left open
c) It makes authentication easier for users
d) It ensures users must re-enter their passwords frequently

✅ Answer: b) It prevents unauthorized access if a session is left open
📝 Explanation: Session timeout helps mitigate risks where users leave their session open, preventing session hijacking or unauthorized access.


40. Which of the following describes a Zero Trust authentication model?

a) Trusting users inside the network
b) Granting access based on predefined trust levels
c) Never trusting by default and always verifying identity
d) Allowing users to log in once and stay authenticated indefinitely

✅ Answer: c) Never trusting by default and always verifying identity
📝 Explanation: Zero Trust enforces the principle “never trust, always verify,” requiring continuous authentication and authorization.


41. What is a risk of using browser autofill for passwords?

a) Autofill makes passwords harder to guess
b) Browsers encrypt autofill data securely
c) Autofill can be exploited by malicious scripts and phishing attacks
d) It prevents brute-force attacks

✅ Answer: c) Autofill can be exploited by malicious scripts and phishing attacks
📝 Explanation: Autofill mechanisms can be manipulated by malicious websites, exposing stored credentials.


42. What is OAuth 2.0 primarily used for?

a) Encrypting passwords in databases
b) Secure user authentication and delegated access
c) Generating random passwords
d) Managing encryption keys

✅ Answer: b) Secure user authentication and delegated access
📝 Explanation: OAuth 2.0 allows secure authentication without sharing credentials, enabling single sign-on (SSO) and API authorization.


43. Which of the following is an example of step-up authentication?

a) A user is asked for additional verification when attempting a high-risk action
b) A user logs in with a username and password
c) A website automatically logs out users after inactivity
d) A user is prompted to reset their password periodically

✅ Answer: a) A user is asked for additional verification when attempting a high-risk action
📝 Explanation: Step-up authentication increases security when a high-risk action (e.g., transferring funds) is detected.


44. Which attack can exploit poor session management in web applications?

a) Phishing
b) Session Hijacking
c) DNS Spoofing
d) Password Spraying

✅ Answer: b) Session Hijacking
📝 Explanation: Session hijacking occurs when attackers steal a user’s active session token to impersonate them.


45. What is the main security advantage of password managers?

a) They store passwords in plaintext
b) They allow users to use the same password for multiple accounts
c) They generate and store strong, unique passwords for each account
d) They remove the need for authentication

✅ Answer: c) They generate and store strong, unique passwords for each account
📝 Explanation: Password managers help prevent password reuse by generating unique passwords for each service.


46. What is an effective defense against phishing attacks?

a) Using short, easy-to-remember passwords
b) Clicking links in unexpected emails to verify their authenticity
c) Enabling Multi-Factor Authentication (MFA)
d) Disabling firewalls

✅ Answer: c) Enabling Multi-Factor Authentication (MFA)
📝 Explanation: MFA adds an extra layer of security, preventing unauthorized access even if passwords are stolen.


47. What is an advantage of biometric authentication over passwords?

a) It is less secure than passwords
b) It cannot be reset
c) It is unique to the individual and difficult to steal remotely
d) It allows password reuse

✅ Answer: c) It is unique to the individual and difficult to steal remotely
📝 Explanation: Biometric authentication (fingerprint, facial recognition) is unique and difficult for attackers to duplicate.


48. Which security mechanism helps prevent replay attacks?

a) Using a VPN
b) Implementing One-Time Passwords (OTPs)
c) Storing passwords in plaintext
d) Allowing unlimited authentication attempts

✅ Answer: b) Implementing One-Time Passwords (OTPs)
📝 Explanation: Replay attacks involve reusing intercepted authentication credentials. OTPs prevent reuse by being valid only once.


49. Which attack is commonly used to steal session tokens?

a) Cross-Site Scripting (XSS)
b) SQL Injection
c) DDoS
d) Social Engineering

✅ Answer: a) Cross-Site Scripting (XSS)
📝 Explanation: XSS attacks can inject malicious scripts that steal session tokens, allowing attackers to impersonate users.


50. What is the primary purpose of Account Lockout Policies?

a) To block legitimate users from logging in
b) To protect against brute-force attacks
c) To allow unlimited failed login attempts
d) To store passwords securely

✅ Answer: b) To protect against brute-force attacks
📝 Explanation: Account lockout policies temporarily block accounts after multiple failed login attempts, mitigating brute-force attacks.


51. What is the purpose of an authentication audit log?

a) To track and monitor login activities
b) To store user passwords securely
c) To prevent all cyber attacks
d) To replace Multi-Factor Authentication

✅ Answer: a) To track and monitor login activities
📝 Explanation: Authentication audit logs help detect unauthorized access attempts, anomalies, and security breaches by logging login activities.


52. Which of the following is a best practice for securing API authentication?

a) Using API keys without expiration
b) Embedding API credentials in client-side JavaScript
c) Implementing OAuth with token expiration
d) Using the same API key for all services

✅ Answer: c) Implementing OAuth with token expiration
📝 Explanation: OAuth with token expiration ensures that access tokens have limited validity, reducing the impact of token theft.


53. What is one primary drawback of security questions as an authentication method?

a) They require long passwords
b) The answers can often be guessed or found online
c) They require hardware tokens
d) They improve security significantly

✅ Answer: b) The answers can often be guessed or found online
📝 Explanation: Attackers can often find answers to security questions through social engineering, data breaches, or public records.


54. What is the main function of an Identity Provider (IdP) in authentication?

a) To generate strong passwords
b) To manage user identities and authentication
c) To block brute-force attacks
d) To encrypt all network traffic

✅ Answer: b) To manage user identities and authentication
📝 Explanation: An Identity Provider (IdP) handles authentication and identity management, enabling Single Sign-On (SSO) and secure access control.


55. Which of the following is the best approach to prevent password reuse?

a) Enforcing a password history policy
b) Allowing users to store passwords in plaintext
c) Requiring passwords to be changed daily
d) Setting passwords to expire every 30 days

✅ Answer: a) Enforcing a password history policy
📝 Explanation: A password history policy prevents users from reusing previous passwords, mitigating credential stuffing risks.


56. What type of attack can occur if session tokens are transmitted over unencrypted HTTP?

a) SQL Injection
b) Session Hijacking
c) Phishing
d) Clickjacking

✅ Answer: b) Session Hijacking
📝 Explanation: Session hijacking occurs when attackers intercept session tokens over unencrypted connections, allowing them to take over user sessions.


57. Which of the following authentication methods provides the strongest security against phishing?

a) Password-only authentication
b) SMS-based OTP
c) FIDO2 hardware security keys
d) CAPTCHA

✅ Answer: c) FIDO2 hardware security keys
📝 Explanation: FIDO2 security keys use public-key cryptography, making them resistant to phishing and MitM attacks.


58. What is the role of a refresh token in authentication?

a) To store user passwords securely
b) To allow continuous access without requiring the user to reauthenticate frequently
c) To prevent brute-force attacks
d) To generate new passwords

✅ Answer: b) To allow continuous access without requiring the user to reauthenticate frequently
📝 Explanation: Refresh tokens are used in OAuth authentication to obtain new access tokens without requiring a full reauthentication.


59. What is one major risk of using browser-saved passwords?

a) They make logging in slower
b) They prevent brute-force attacks
c) They can be extracted by malware or unauthorized users
d) They require MFA

✅ Answer: c) They can be extracted by malware or unauthorized users
📝 Explanation: Malware, keyloggers, and browser exploits can steal saved passwords, compromising security.


60. Why should authentication tokens be set with an expiration time?

a) To reduce the risk of replay attacks
b) To force users to reset their passwords daily
c) To allow unlimited access
d) To eliminate the need for MFA

✅ Answer: a) To reduce the risk of replay attacks
📝 Explanation: Setting expiration times on authentication tokens ensures they become invalid after a certain period, reducing the risk of token theft or replay attacks.


61. What is a major disadvantage of using SMS-based One-Time Passwords (OTPs) for authentication?

a) They are expensive to generate
b) They can be intercepted via SIM swapping or SS7 attacks
c) They are difficult to use
d) They do not work on mobile devices

✅ Answer: b) They can be intercepted via SIM swapping or SS7 attacks
📝 Explanation: SMS-based OTPs are vulnerable to SIM swapping and SS7 attacks, making them less secure than app-based MFA.


62. Which authentication mechanism is best suited for public Wi-Fi environments?

a) Password-only authentication
b) SMS-based OTP
c) Biometric authentication with a VPN
d) CAPTCHA

✅ Answer: c) Biometric authentication with a VPN
📝 Explanation: Biometric authentication combined with a VPN prevents man-in-the-middle attacks on public Wi-Fi.


63. Which type of authentication does OpenID Connect (OIDC) support?

a) Federated authentication
b) Only password-based authentication
c) Certificate-based authentication
d) Two-Factor Authentication (2FA)

✅ Answer: a) Federated authentication
📝 Explanation: OIDC is an authentication protocol that supports federated login using an Identity Provider (IdP).


64. What is a major security risk of not using session expiration for authenticated users?

a) It improves performance
b) Users can stay logged in indefinitely, increasing the risk of unauthorized access
c) It allows users to log in faster
d) It prevents MFA from being used

✅ Answer: b) Users can stay logged in indefinitely, increasing the risk of unauthorized access
📝 Explanation: Without session expiration, an attacker who gains access to a session can continue using it indefinitely.


65. What type of attack does a brute-force protection mechanism help prevent?

a) Man-in-the-middle attacks
b) Unauthorized login attempts using multiple password guesses
c) Phishing
d) Cross-Site Scripting (XSS)

✅ Answer: b) Unauthorized login attempts using multiple password guesses
📝 Explanation: Brute-force protection limits failed login attempts, preventing attackers from guessing passwords.


66. What is the advantage of using authentication tokens instead of session cookies?

a) Tokens can be used across different domains more securely
b) Tokens eliminate the need for encryption
c) Tokens can be stored in plaintext
d) Tokens do not expire

✅ Answer: a) Tokens can be used across different domains more securely
📝 Explanation: Authentication tokens (e.g., JWTs) are often used in API-based authentication, making them more versatile than session cookies.


67. What is the main purpose of a password manager?

a) To store and generate strong passwords
b) To allow password reuse
c) To store user credentials in plaintext
d) To eliminate the need for authentication

✅ Answer: a) To store and generate strong passwords
📝 Explanation: Password managers help users create, store, and manage strong passwords securely.


68. What does MFA stand for?

a) Multiple Factor Authentication
b) Multi-Factor Authentication
c) Major Firewall Authentication
d) Mobile-Friendly Authentication

✅ Answer: b) Multi-Factor Authentication
📝 Explanation: MFA enhances security by requiring two or more authentication factors before granting access.


69. What type of authentication does biometric recognition fall under?

a) Something you know
b) Something you have
c) Something you are
d) Something you do

✅ Answer: c) Something you are
📝 Explanation: Biometric authentication (fingerprint, face scan) is a “Something you are” factor.


70. Which attack exploits weak session management?

a) Session Fixation
b) Credential Stuffing
c) DNS Spoofing
d) Password Spraying

✅ Answer: a) Session Fixation
📝 Explanation: Session Fixation forces a victim to use a predefined session ID, allowing attackers to hijack their session.


71. What is the main advantage of time-based one-time passwords (TOTP) over SMS-based OTPs?

a) TOTPs never expire
b) TOTPs can be intercepted easily
c) TOTPs are generated locally and not susceptible to SIM swapping
d) TOTPs work without internet access

✅ Answer: c) TOTPs are generated locally and not susceptible to SIM swapping
📝 Explanation: Time-based One-Time Passwords (TOTP) are generated on user devices using a secret key, making them more secure than SMS-based OTPs, which are vulnerable to SIM swap attacks.


72. What is a major weakness of static passwords?

a) They require complex memorization
b) They cannot be reset
c) They can be stolen through phishing or brute-force attacks
d) They are too expensive to implement

✅ Answer: c) They can be stolen through phishing or brute-force attacks
📝 Explanation: Static passwords remain the same unless changed, making them vulnerable to credential stuffing, brute-force attacks, and phishing.


73. Which of the following best describes a bearer token?

a) A token that provides authentication without verification
b) A token that is tied to a specific user and must be protected
c) A token that expires within an hour
d) A token that is encrypted with a static key

✅ Answer: b) A token that is tied to a specific user and must be protected
📝 Explanation: Bearer tokens grant access to anyone who possesses them, making secure storage and transport crucial to prevent unauthorized use.


74. Why is biometric authentication not completely foolproof?

a) Biometrics can be easily changed
b) Biometrics can be spoofed using high-resolution images or 3D models
c) Biometric authentication requires passwords
d) Biometric data cannot be stored

✅ Answer: b) Biometrics can be spoofed using high-resolution images or 3D models
📝 Explanation: Attackers can bypass biometric authentication using high-resolution images (face unlock) or fingerprint replication.


75. What is an advantage of using cryptographic authentication over passwords?

a) It eliminates the need for user accounts
b) It removes the need for encryption
c) It ensures authentication without transmitting a secret
d) It simplifies password reset processes

✅ Answer: c) It ensures authentication without transmitting a secret
📝 Explanation: Cryptographic authentication, such as public-key cryptography, verifies identity without sending passwords, reducing the risk of interception.


76. What is an attack that exploits improperly implemented OAuth authentication?

a) Token Reuse Attack
b) Open Redirect Attack
c) SSL Stripping Attack
d) Session Padding Attack

✅ Answer: b) Open Redirect Attack
📝 Explanation: In improperly implemented OAuth authentication, attackers can manipulate the redirect URL to steal authentication tokens.


77. Which of the following security mechanisms prevents an attacker from using a stolen authentication token?

a) Session Timeout
b) IP Whitelisting
c) Refresh Token Rotation
d) All of the above

✅ Answer: d) All of the above
📝 Explanation: Session timeout, IP whitelisting, and refresh token rotation help limit the use of stolen authentication tokens by forcing re-authentication.


78. What type of attack can occur if authentication tokens are stored in local storage?

a) Clickjacking
b) Cross-Site Scripting (XSS)
c) Man-in-the-Middle (MitM) Attack
d) SQL Injection

✅ Answer: b) Cross-Site Scripting (XSS)
📝 Explanation: If authentication tokens are stored in local storage, an XSS attack can steal them, leading to session hijacking.


79. Which of the following authentication types is commonly used in passwordless authentication?

a) PIN-based authentication
b) Knowledge-Based Authentication (KBA)
c) Public-Key Cryptography
d) Security Questions

✅ Answer: c) Public-Key Cryptography
📝 Explanation: Passwordless authentication relies on public-key cryptography, where a private key on the user’s device verifies their identity.


80. What is the primary risk of using a single sign-on (SSO) solution?

a) It increases password complexity
b) If compromised, an attacker gains access to multiple accounts
c) It requires multiple passwords for different accounts
d) It does not work with MFA

✅ Answer: b) If compromised, an attacker gains access to multiple accounts
📝 Explanation: SSO allows access to multiple accounts with one login, meaning if an attacker compromises the SSO credentials, they gain access to all linked accounts.


81. Which security measure can prevent brute-force login attempts?

a) Rate Limiting
b) SQL Injection Prevention
c) Data Encryption
d) Clickjacking Protection

✅ Answer: a) Rate Limiting
📝 Explanation: Rate limiting prevents brute-force attacks by limiting the number of login attempts within a specific timeframe.


82. What is the purpose of a nonce in authentication?

a) To encrypt data
b) To prevent replay attacks
c) To store authentication tokens
d) To hash passwords

✅ Answer: b) To prevent replay attacks
📝 Explanation: A nonce (number used once) ensures authentication requests cannot be reused, protecting against replay attacks.


83. Which authentication method is most resistant to phishing attacks?

a) Security Questions
b) SMS-based OTP
c) FIDO2 Hardware Keys
d) Password Managers

✅ Answer: c) FIDO2 Hardware Keys
📝 Explanation: FIDO2 hardware keys use cryptographic authentication, making them immune to phishing and MITM attacks.


84. Which attack exploits weak OAuth implementation to steal access tokens?

a) Authorization Code Interception Attack
b) Session Hijacking
c) SQL Injection
d) Password Spraying

✅ Answer: a) Authorization Code Interception Attack
📝 Explanation: Attackers intercept OAuth authorization codes to obtain access tokens fraudulently.


85. Why should authentication secrets not be hardcoded in applications?

a) They increase application performance
b) They can be easily extracted from source code or binaries
c) They make password management easier
d) They prevent unauthorized access

✅ Answer: b) They can be easily extracted from source code or binaries
📝 Explanation: Hardcoded secrets (API keys, passwords) can be exposed through code repositories, reverse engineering, or insider threats.


86. What is an effective mitigation against session fixation attacks?

a) Using CAPTCHA
b) Regenerating session IDs after login
c) Implementing single sign-on
d) Disabling JavaScript

✅ Answer: b) Regenerating session IDs after login
📝 Explanation: Session fixation allows attackers to force a victim to use a known session ID. Regenerating session IDs after login prevents this attack.


87. What is a primary security advantage of using OAuth over traditional authentication?

a) It allows applications to access user data without storing passwords
b) It eliminates the need for encryption
c) It makes password brute-force attacks easier
d) It removes the need for authentication

✅ Answer: a) It allows applications to access user data without storing passwords
📝 Explanation: OAuth enables third-party apps to access user data securely without handling passwords, reducing credential exposure.


88. Which authentication protocol is commonly used for federated identity management?

a) OAuth
b) Kerberos
c) RADIUS
d) SAML

✅ Answer: d) SAML
📝 Explanation: SAML (Security Assertion Markup Language) enables federated authentication across different organizations.


89. What is the primary purpose of an authentication token?

a) To store user passwords securely
b) To provide a temporary proof of authentication
c) To replace multi-factor authentication
d) To encrypt all network traffic

✅ Answer: b) To provide a temporary proof of authentication
📝 Explanation: Authentication tokens (e.g., OAuth tokens, JWTs) serve as temporary credentials that verify user identity without re-entering passwords.


90. Which attack can occur if an application fails to validate OAuth redirect URIs properly?

a) SQL Injection
b) Open Redirect Attack
c) Clickjacking
d) Buffer Overflow

✅ Answer: b) Open Redirect Attack
📝 Explanation: Improper validation of OAuth redirect URIs allows attackers to redirect users to malicious sites to steal credentials.


91. What is the main benefit of using biometric authentication?

a) It eliminates the need for MFA
b) It is difficult to replicate or steal remotely
c) It does not require encryption
d) It works without any hardware

✅ Answer: b) It is difficult to replicate or steal remotely
📝 Explanation: Biometric authentication (e.g., fingerprints, iris scans) is unique to individuals and difficult for attackers to forge remotely.


92. What does a JSON Web Token (JWT) contain?

a) Only a username and password
b) A digitally signed set of claims and authentication details
c) An encrypted password
d) Only a session ID

✅ Answer: b) A digitally signed set of claims and authentication details
📝 Explanation: A JWT contains claims (e.g., user ID, roles) in a digitally signed format, allowing secure authentication without sending passwords.


93. Which of the following security features should be enabled when using JWTs?

a) Expiration time
b) Storing JWTs in local storage
c) Using HTTP instead of HTTPS
d) Allowing unlimited token reuse

✅ Answer: a) Expiration time
📝 Explanation: JWTs should include an expiration time to limit token lifespan and prevent unauthorized access if stolen.


94. What is the role of an Identity and Access Management (IAM) system?

a) To store user passwords
b) To manage authentication and access controls
c) To encrypt authentication tokens
d) To replace firewalls

✅ Answer: b) To manage authentication and access controls
📝 Explanation: IAM systems manage user identities, authentication, and permissions to ensure secure access to resources.


95. What is a security risk associated with password hints?

a) They improve user experience
b) They can be easily guessed by attackers
c) They make passwords stronger
d) They replace the need for MFA

✅ Answer: b) They can be easily guessed by attackers
📝 Explanation: Password hints often provide clues that attackers can exploit to guess passwords.


96. What is the primary benefit of using passkeys over passwords?

a) Passkeys are resistant to phishing attacks
b) Passkeys work on all devices
c) Passkeys require manual entry
d) Passkeys do not require authentication

✅ Answer: a) Passkeys are resistant to phishing attacks
📝 Explanation: Passkeys use cryptographic authentication, making them resistant to phishing and credential stuffing attacks.


97. What does Zero Trust security emphasize in authentication?

a) Trusting internal users
b) Always verifying and never trusting by default
c) Using passwords only
d) Allowing unrestricted access to known devices

✅ Answer: b) Always verifying and never trusting by default
📝 Explanation: Zero Trust security enforces continuous authentication and access control, ensuring no implicit trust.


98. What is one drawback of using facial recognition for authentication?

a) It is easy to bypass with passwords
b) It requires MFA
c) It can be fooled by high-quality images or deepfakes
d) It does not work on mobile devices

✅ Answer: c) It can be fooled by high-quality images or deepfakes
📝 Explanation: Facial recognition can be vulnerable to deepfake attacks and high-resolution images, especially in weak implementations.


99. Which protocol is commonly used for authentication in enterprise networks?

a) LDAP
b) FTP
c) SMTP
d) HTTP

✅ Answer: a) LDAP
📝 Explanation: LDAP (Lightweight Directory Access Protocol) is widely used for authentication and directory services in enterprise environments.


100. What is the purpose of risk-based authentication?

a) To allow authentication without credentials
b) To apply different authentication requirements based on user risk levels
c) To store user credentials securely
d) To replace firewalls

✅ Answer: b) To apply different authentication requirements based on user risk levels
📝 Explanation: Risk-based authentication adapts authentication requirements based on user behavior, location, and device risk level.


101. Which authentication factor does a smart card represent?

a) Something you know
b) Something you have
c) Something you are
d) Something you do

✅ Answer: b) Something you have
📝 Explanation: Smart cards are physical objects that act as authentication factors in multi-factor authentication (MFA).


102. Why is OAuth 2.0 considered a secure authentication framework?

a) It allows apps to access user data without storing passwords
b) It requires users to change passwords frequently
c) It encrypts all data automatically
d) It eliminates authentication requirements

✅ Answer: a) It allows apps to access user data without storing passwords
📝 Explanation: OAuth 2.0 enables secure delegated access without exposing passwords to third-party applications.


103. What is a common mistake when implementing multi-factor authentication (MFA)?

a) Using biometric authentication
b) Allowing MFA to be bypassed easily
c) Using FIDO2-based authentication
d) Enforcing MFA on sensitive actions

✅ Answer: b) Allowing MFA to be bypassed easily
📝 Explanation: Weak MFA implementations allow attackers to bypass authentication through account recovery loopholes.


104. Why should authentication cookies be set with the “Secure” flag?

a) To ensure they are only transmitted over HTTPS
b) To make them expire faster
c) To prevent brute-force attacks
d) To store them in local storage

✅ Answer: a) To ensure they are only transmitted over HTTPS
📝 Explanation: The Secure flag ensures that authentication cookies are only sent over encrypted HTTPS connections, preventing interception.


105. What is the best practice for handling failed login attempts?

a) Displaying the reason for failure in detail
b) Locking the account permanently after one failed attempt
c) Implementing rate limiting and account lockout policies
d) Allowing unlimited login attempts

✅ Answer: c) Implementing rate limiting and account lockout policies
📝 Explanation: Rate limiting and temporary lockout prevent brute-force attacks while allowing users to recover from mistakes.


106. What is the advantage of federated authentication?

a) It eliminates the need for passwords
b) It allows users to authenticate across multiple systems with one login
c) It requires more credentials
d) It works only on mobile devices

✅ Answer: b) It allows users to authenticate across multiple systems with one login
📝 Explanation: Federated authentication (e.g., SAML, OpenID Connect) allows users to log in once and access multiple services securely.


107. What is a major security benefit of passwordless authentication?

a) It completely removes the need for security measures
b) It eliminates phishing and credential stuffing risks
c) It allows users to reuse passwords
d) It reduces the need for identity verification

✅ Answer: b) It eliminates phishing and credential stuffing risks
📝 Explanation: Passwordless authentication (e.g., FIDO2, biometric, passkeys) reduces the risk of credential theft since there are no static passwords to steal.


108. What is a significant limitation of biometric authentication?

a) Biometric data cannot be stolen
b) Biometric authentication is 100% foolproof
c) Biometric data, if compromised, cannot be reset
d) It eliminates the need for additional authentication factors

✅ Answer: c) Biometric data, if compromised, cannot be reset
📝 Explanation: Unlike passwords, biometric data (e.g., fingerprints, facial scans) cannot be changed if leaked, making them a permanent security risk.


109. What does Just-In-Time (JIT) authentication aim to achieve?

a) Allow users to authenticate without verification
b) Provide authentication only when necessary and for a limited time
c) Store authentication details permanently
d) Disable MFA for all users

✅ Answer: b) Provide authentication only when necessary and for a limited time
📝 Explanation: JIT authentication grants access only when needed and for a short duration, reducing the attack surface.


110. Which of the following can prevent replay attacks?

a) Using a VPN
b) Implementing one-time passwords (OTPs)
c) Disabling HTTPS
d) Storing authentication tokens in plaintext

✅ Answer: b) Implementing one-time passwords (OTPs)
📝 Explanation: Replay attacks reuse stolen authentication credentials. OTPs and time-based tokens prevent this by being valid only once or for a short period.


111. What is the primary advantage of using an identity federation system?

a) It provides centralized authentication across multiple systems
b) It eliminates authentication requirements
c) It allows users to create multiple passwords
d) It removes the need for encryption

✅ Answer: a) It provides centralized authentication across multiple systems
📝 Explanation: Identity federation (e.g., SAML, OpenID Connect) allows users to authenticate once and access multiple services without separate credentials.


112. Why should session cookies include the “HttpOnly” flag?

a) To prevent client-side JavaScript from accessing the cookies
b) To allow cross-site authentication
c) To make authentication faster
d) To enable automatic password resets

✅ Answer: a) To prevent client-side JavaScript from accessing the cookies
📝 Explanation: The HttpOnly flag ensures session cookies cannot be accessed by JavaScript, protecting against XSS attacks.


113. What is an important consideration when using third-party authentication services like Google or Facebook login?

a) Users cannot access their accounts if the third-party provider is unavailable
b) It eliminates all security risks
c) It removes the need for encryption
d) It works only on mobile devices

✅ Answer: a) Users cannot access their accounts if the third-party provider is unavailable
📝 Explanation: If a third-party identity provider (e.g., Google, Facebook) goes down or is compromised, users may lose access to their accounts.


114. What is one reason why CAPTCHAs are used in authentication processes?

a) To increase password complexity
b) To prevent automated bot attacks
c) To encrypt authentication tokens
d) To store user credentials securely

✅ Answer: b) To prevent automated bot attacks
📝 Explanation: CAPTCHAs prevent automated brute-force attacks and credential stuffing by requiring users to prove they are human.


115. What is the primary function of a password policy?

a) To enforce secure password creation and management
b) To increase authentication complexity
c) To eliminate the need for encryption
d) To store user credentials

✅ Answer: a) To enforce secure password creation and management
📝 Explanation: Password policies help enforce strong passwords, prevent reuse, and encourage best security practices.


116. Why should API authentication use OAuth instead of API keys?

a) OAuth provides more granular access control and token expiration
b) OAuth allows storing API keys in plaintext
c) OAuth eliminates authentication requirements
d) OAuth is faster than API keys

✅ Answer: a) OAuth provides more granular access control and token expiration
📝 Explanation: OAuth tokens support expiration, revocation, and fine-grained permissions, making them more secure than static API keys.


117. Which of the following best describes an authentication backdoor?

a) A secure method of authentication
b) An undocumented way to access a system without proper authentication
c) A form of MFA
d) A phishing-resistant authentication method

✅ Answer: b) An undocumented way to access a system without proper authentication
📝 Explanation: Backdoors allow access to a system without going through proper authentication, often used maliciously by attackers.


118. Why is password reuse a major security risk?

a) It increases login speed
b) If one password is leaked, multiple accounts can be compromised
c) It makes authentication easier
d) It prevents brute-force attacks

✅ Answer: b) If one password is leaked, multiple accounts can be compromised
📝 Explanation: Reusing passwords allows attackers to use stolen credentials in credential stuffing attacks, compromising multiple accounts.


119. What is a major weakness of security questions as an authentication method?

a) Users often forget their answers
b) Answers can be easily guessed or found online
c) They improve security significantly
d) They work only in offline environments

✅ Answer: b) Answers can be easily guessed or found online
📝 Explanation: Security questions (e.g., “Mother’s maiden name?”) are often publicly available or guessable, making them insecure.


120. What is the benefit of implementing risk-based authentication?

a) It applies additional security only when necessary
b) It eliminates authentication requirements
c) It stores user credentials securely
d) It increases login time for all users

✅ Answer: a) It applies additional security only when necessary
📝 Explanation: Risk-based authentication adapts security requirements based on login behavior, adding extra verification only when risks are detected.


121. What is the main security benefit of using hardware security keys (e.g., YubiKey)?

a) They can be used across all websites without restrictions
b) They provide phishing-resistant authentication
c) They replace passwords entirely
d) They work only with biometric authentication

✅ Answer: b) They provide phishing-resistant authentication
📝 Explanation: Hardware security keys use public-key cryptography and prevent phishing attacks by verifying the correct domain before authentication.


122. Why should the “SameSite” attribute be set for authentication cookies?

a) To prevent Cross-Site Request Forgery (CSRF) attacks
b) To improve password complexity
c) To store cookies in local storage
d) To enable cross-site authentication

✅ Answer: a) To prevent Cross-Site Request Forgery (CSRF) attacks
📝 Explanation: The SameSite attribute helps mitigate CSRF attacks by restricting cookies from being sent in cross-site requests.


123. What does step-up authentication do?

a) Increases security only when suspicious activity is detected
b) Requires users to change passwords daily
c) Forces users to log in with SMS-based OTPs only
d) Disables authentication for trusted devices

✅ Answer: a) Increases security only when suspicious activity is detected
📝 Explanation: Step-up authentication adds additional verification (e.g., MFA) only when high-risk actions are performed (e.g., large money transfers).


124. Which authentication factor is used in push notifications for MFA?

a) Something you know
b) Something you have
c) Something you are
d) Something you type

✅ Answer: b) Something you have
📝 Explanation: Push notifications require users to approve logins via a trusted device, making it a “Something You Have” factor.


125. What is the key difference between OAuth and OpenID Connect (OIDC)?

a) OAuth is for authentication, while OIDC is for authorization
b) OAuth is for authorization, while OIDC is for authentication
c) OAuth uses encryption, while OIDC does not
d) OAuth is used only for mobile applications

✅ Answer: b) OAuth is for authorization, while OIDC is for authentication
📝 Explanation: OAuth grants access to resources, while OIDC provides authentication using OAuth as a foundation.


126. Which authentication protocol uses Kerberos tickets for secure authentication?

a) LDAP
b) RADIUS
c) OAuth
d) SAML

✅ Answer: a) LDAP
📝 Explanation: Kerberos authentication is used with LDAP directories for secure ticket-based authentication.


127. What is the primary function of a password vault?

a) To store and manage strong passwords securely
b) To allow users to use weak passwords
c) To generate passwords that never expire
d) To store passwords in plaintext

✅ Answer: a) To store and manage strong passwords securely
📝 Explanation: Password vaults (password managers) help users store, generate, and autofill strong passwords securely.


128. What is a common risk of using SMS-based OTPs for authentication?

a) SMS-based OTPs are too long
b) SMS messages can be intercepted using SIM swapping or SS7 attacks
c) SMS-based OTPs do not work on mobile devices
d) SMS-based OTPs are faster than hardware tokens

✅ Answer: b) SMS messages can be intercepted using SIM swapping or SS7 attacks
📝 Explanation: SIM swapping and SS7 protocol vulnerabilities allow attackers to intercept OTPs sent via SMS, making them less secure than app-based MFA.


129. Why should API authentication avoid storing credentials in local storage?

a) Local storage improves authentication speed
b) Local storage is accessible by JavaScript, making it vulnerable to XSS attacks
c) Local storage reduces password complexity
d) Local storage encrypts all data automatically

✅ Answer: b) Local storage is accessible by JavaScript, making it vulnerable to XSS attacks
📝 Explanation: Storing authentication tokens in local storage makes them susceptible to XSS attacks, leading to session hijacking.


130. What does the principle of least privilege (PoLP) ensure in authentication?

a) Users only receive the minimum access necessary for their role
b) All users have full administrative access
c) Authentication is bypassed for low-risk users
d) Multi-factor authentication is disabled for privileged users

✅ Answer: a) Users only receive the minimum access necessary for their role
📝 Explanation: PoLP ensures users and applications only get access to what they need, reducing security risks.


131. Which protocol is used in multi-factor authentication to transmit biometric data securely?

a) HTTP
b) WebAuthn
c) FTP
d) POP3

✅ Answer: b) WebAuthn
📝 Explanation: WebAuthn (part of FIDO2) securely transmits biometric authentication data without revealing private keys.


132. What is the purpose of an access token in OAuth authentication?

a) To authenticate a user directly
b) To grant permission to access a resource on behalf of a user
c) To encrypt a password
d) To store authentication details

✅ Answer: b) To grant permission to access a resource on behalf of a user
📝 Explanation: Access tokens in OAuth allow applications to access resources securely without handling passwords.


133. Why should authentication error messages be generic?

a) To provide detailed troubleshooting steps
b) To prevent attackers from gathering information about valid accounts
c) To help users reset passwords faster
d) To bypass multi-factor authentication

✅ Answer: b) To prevent attackers from gathering information about valid accounts
📝 Explanation: Detailed error messages (e.g., “Invalid username”) help attackers enumerate valid accounts, aiding brute-force attacks.


134. What is the primary security concern with auto-filling passwords in browsers?

a) It makes logging in too fast
b) It can be exploited by malicious scripts through phishing attacks
c) It requires strong passwords
d) It prevents brute-force attacks

✅ Answer: b) It can be exploited by malicious scripts through phishing attacks
📝 Explanation: Auto-fill features can be exploited by hidden phishing forms to steal credentials.


135. What is an advantage of biometric authentication over traditional passwords?

a) It is unique to each user and difficult to replicate
b) It requires users to remember multiple credentials
c) It can be changed frequently
d) It eliminates the need for encryption

✅ Answer: a) It is unique to each user and difficult to replicate
📝 Explanation: Biometric data is unique to individuals and difficult to forge, making it more secure than passwords.


136. What is a secure alternative to SMS-based OTPs for 2FA?

a) Static security questions
b) Time-based One-Time Passwords (TOTP)
c) Plaintext password storage
d) Single-factor authentication

✅ Answer: b) Time-based One-Time Passwords (TOTP)
📝 Explanation: TOTP (e.g., Google Authenticator, Authy) generates time-sensitive codes that are immune to SIM swap attacks.


137. What is an example of an adaptive authentication factor?

a) Requiring stronger authentication when logging in from an unknown location
b) Using the same password across all accounts
c) Disabling MFA for VIP users
d) Allowing unlimited login attempts

✅ Answer: a) Requiring stronger authentication when logging in from an unknown location
📝 Explanation: Adaptive authentication adjusts security measures based on user behavior, reducing friction for known devices.


138. What is the primary advantage of implementing multi-factor authentication (MFA)?

a) It eliminates the need for passwords
b) It significantly reduces the risk of unauthorized access
c) It makes logging in faster
d) It works only for mobile applications

✅ Answer: b) It significantly reduces the risk of unauthorized access
📝 Explanation: MFA adds an extra layer of security by requiring multiple authentication factors, making it much harder for attackers to gain unauthorized access.


139. Why is it recommended to use app-based authentication instead of SMS-based OTPs?

a) App-based authentication is easier to remember
b) App-based authentication is less expensive
c) SMS-based OTPs are vulnerable to SIM swap attacks
d) App-based authentication works without internet access

✅ Answer: c) SMS-based OTPs are vulnerable to SIM swap attacks
📝 Explanation: Attackers can intercept SMS-based OTPs using SIM swapping or SS7 attacks, making app-based authenticators more secure.


140. What is the primary risk of using biometric authentication on personal devices?

a) It can be easily changed like passwords
b) It is vulnerable to brute-force attacks
c) If compromised, it cannot be reset
d) It requires multi-factor authentication

✅ Answer: c) If compromised, it cannot be reset
📝 Explanation: Unlike passwords, biometric data (fingerprints, iris scans, facial recognition) cannot be changed, making a breach permanent.


141. What is one way attackers can bypass multi-factor authentication (MFA)?

a) Brute-force attacks
b) Session hijacking
c) MFA fatigue attacks (sending excessive push notifications)
d) Disabling firewalls

✅ Answer: c) MFA fatigue attacks (sending excessive push notifications)
📝 Explanation: Attackers exploit MFA fatigue by spamming users with push notifications until they mistakenly approve a fraudulent request.


142. What is a common security issue with weak password recovery processes?

a) They improve authentication speed
b) They allow unauthorized access through social engineering
c) They require users to remember multiple passwords
d) They prevent account takeovers

✅ Answer: b) They allow unauthorized access through social engineering
📝 Explanation: Weak password recovery processes (e.g., security questions, email resets) can be exploited through social engineering or credential stuffing.


143. Why is “passwordless authentication” becoming more popular?

a) It increases security while reducing reliance on passwords
b) It eliminates the need for encryption
c) It makes authentication less secure
d) It removes the need for user verification

✅ Answer: a) It increases security while reducing reliance on passwords
📝 Explanation: Passwordless authentication (e.g., FIDO2, biometrics, passkeys) eliminates static passwords, reducing phishing and credential-stuffing risks.


144. What is the purpose of the “Account Lockout Policy” in authentication?

a) To prevent brute-force attacks by limiting failed login attempts
b) To disable accounts permanently
c) To allow unlimited login attempts
d) To make passwords stronger

✅ Answer: a) To prevent brute-force attacks by limiting failed login attempts
📝 Explanation: Account lockout policies block access after multiple failed attempts, preventing brute-force attacks.


145. Which authentication attack specifically targets OAuth-based authentication?

a) Token hijacking
b) SQL Injection
c) Brute-force attack
d) Clickjacking

✅ Answer: a) Token hijacking
📝 Explanation: OAuth token hijacking occurs when attackers steal OAuth access tokens, allowing unauthorized access to user accounts.


146. Why should authentication tokens be set to expire after a short duration?

a) To ensure users change passwords frequently
b) To reduce the risk of token theft being exploited for long periods
c) To improve authentication speed
d) To store passwords securely

✅ Answer: b) To reduce the risk of token theft being exploited for long periods
📝 Explanation: Short-lived authentication tokens limit damage from token theft, reducing the risk of session hijacking.


147. What is a disadvantage of using hardware security tokens?

a) They do not work with web applications
b) They can be lost or stolen
c) They eliminate the need for encryption
d) They slow down authentication

✅ Answer: b) They can be lost or stolen
📝 Explanation: Hardware security tokens (e.g., YubiKeys) provide strong authentication but can be lost or stolen, requiring backup recovery options.


148. What is an effective method to prevent password spraying attacks?

a) Allowing unlimited login attempts
b) Using unique and complex passwords
c) Disabling firewalls
d) Storing passwords in plaintext

✅ Answer: b) Using unique and complex passwords
📝 Explanation: Password spraying attacks attempt common passwords across multiple accounts, so enforcing unique and complex passwords reduces success rates.


149. Which of the following is a key advantage of using biometric authentication?

a) It is unique to individuals and harder to steal remotely
b) It can be easily changed like passwords
c) It is always foolproof
d) It does not require user verification

✅ Answer: a) It is unique to individuals and harder to steal remotely
📝 Explanation: Biometrics (e.g., fingerprints, facial recognition) provide unique authentication and are harder to steal remotely compared to passwords.


150. What is the biggest security risk when storing passwords in plaintext?

a) It makes login faster
b) If stolen, all user passwords are exposed
c) It improves authentication speed
d) It prevents brute-force attacks

✅ Answer: b) If stolen, all user passwords are exposed
📝 Explanation: Plaintext passwords expose all user credentials if a database is compromised, making hashing and salting necessary.


151. What is a security best practice for session management?

a) Storing session IDs in local storage
b) Using session cookies with the HttpOnly and Secure flags
c) Allowing session IDs to persist indefinitely
d) Disabling session expiration

✅ Answer: b) Using session cookies with the HttpOnly and Secure flags
📝 Explanation: HttpOnly and Secure flags prevent session hijacking by restricting JavaScript access and enforcing encrypted transmission.


152. Why is FIDO2 considered a secure authentication standard?

a) It relies on centralized password databases
b) It uses public-key cryptography to eliminate password phishing risks
c) It allows easy password reuse
d) It only works for mobile authentication

✅ Answer: b) It uses public-key cryptography to eliminate password phishing risks
📝 Explanation: FIDO2 authentication removes reliance on passwords, using cryptographic authentication resistant to phishing attacks.


153. What is the best way to securely reset a user’s password?

a) Allowing password resets without verification
b) Sending a reset link to the user’s verified email or phone
c) Asking for the user’s username only
d) Allowing users to set weak passwords

✅ Answer: b) Sending a reset link to the user’s verified email or phone
📝 Explanation: Password resets should require identity verification, ensuring the reset request is legitimate and secure.


154. What is the best way to protect against brute-force attacks on user authentication?

a) Allow unlimited login attempts
b) Implement rate limiting and account lockouts
c) Use only security questions for verification
d) Store passwords in plaintext

✅ Answer: b) Implement rate limiting and account lockouts
📝 Explanation: Rate limiting restricts the number of login attempts, while account lockouts prevent repeated brute-force attempts on a single account.


155. Which type of authentication attack involves intercepting communication between a user and a legitimate system?

a) Password Spraying
b) Man-in-the-Middle (MitM) Attack
c) Credential Stuffing
d) SQL Injection

✅ Answer: b) Man-in-the-Middle (MitM) Attack
📝 Explanation: MitM attacks occur when an attacker intercepts or alters communication between two parties to steal credentials or modify data.


156. What is the purpose of Single Sign-On (SSO) authentication?

a) To require multiple passwords for every service
b) To allow users to access multiple services with a single authentication
c) To eliminate the need for authentication
d) To store all passwords in a centralized database

✅ Answer: b) To allow users to access multiple services with a single authentication
📝 Explanation: SSO simplifies authentication by enabling users to log in once and access multiple services without re-entering credentials.


157. Why is token-based authentication more secure than session-based authentication?

a) Tokens eliminate the need for encryption
b) Tokens can be stored securely without requiring a server-side session
c) Tokens prevent password reuse
d) Tokens work only with biometric authentication

✅ Answer: b) Tokens can be stored securely without requiring a server-side session
📝 Explanation: Token-based authentication (e.g., JWTs) reduces server load by eliminating the need for session storage, relying on stateless authentication.


158. What is a potential risk of using federated authentication (e.g., SAML, OAuth)?

a) It eliminates the need for encryption
b) A compromised identity provider (IdP) can expose multiple accounts
c) It prevents account takeovers
d) It does not require authentication

✅ Answer: b) A compromised identity provider (IdP) can expose multiple accounts
📝 Explanation: In federated authentication, if the identity provider (IdP) is breached, attackers can gain access to all connected services.


159. What is an effective way to protect authentication APIs from abuse?

a) Disabling MFA
b) Using rate limiting and bot detection mechanisms
c) Allowing public access to API endpoints
d) Storing authentication tokens in local storage

✅ Answer: b) Using rate limiting and bot detection mechanisms
📝 Explanation: Rate limiting, CAPTCHA, and bot detection help prevent automated attacks like credential stuffing and brute-force attempts.


160. Why should authentication logs be monitored regularly?

a) To improve login speed
b) To detect and respond to suspicious login attempts
c) To store all user passwords securely
d) To allow unauthorized access

✅ Answer: b) To detect and respond to suspicious login attempts
📝 Explanation: Monitoring authentication logs helps detect anomalies, brute-force attempts, and unauthorized access, enabling early threat mitigation.


161. What is a major disadvantage of using Knowledge-Based Authentication (KBA) for account recovery?

a) It requires biometric verification
b) Security answers can often be guessed or found online
c) It eliminates phishing risks
d) It prevents credential stuffing

✅ Answer: b) Security answers can often be guessed or found online
📝 Explanation: KBA security questions (e.g., “What is your mother’s maiden name?”) are often easily discoverable through public records or social engineering.


162. What security measure should be used to protect authentication tokens from being stolen via Cross-Site Scripting (XSS) attacks?

a) Storing tokens in local storage
b) Using HTTP-only cookies
c) Disabling password expiration
d) Allowing unlimited authentication retries

✅ Answer: b) Using HTTP-only cookies
📝 Explanation: HTTP-only cookies prevent JavaScript from accessing authentication tokens, reducing XSS attack risks.


163. Why is biometric authentication not recommended as a sole authentication method?

a) It is expensive
b) Biometric data, once compromised, cannot be changed
c) It always requires a password
d) It slows down authentication

✅ Answer: b) Biometric data, once compromised, cannot be changed
📝 Explanation: Unlike passwords, biometric data (e.g., fingerprints, facial scans) cannot be reset, making MFA necessary for enhanced security.


164. What is the primary purpose of a refresh token in OAuth authentication?

a) To store passwords securely
b) To allow the client to obtain a new access token without reauthentication
c) To increase authentication speed
d) To replace passwords

✅ Answer: b) To allow the client to obtain a new access token without reauthentication
📝 Explanation: Refresh tokens help maintain authentication by allowing new access tokens to be issued without requiring user reauthentication.


165. Why is phishing-resistant authentication important?

a) It speeds up authentication
b) It prevents users from setting weak passwords
c) It protects against credential theft through phishing attacks
d) It requires knowledge-based security questions

✅ Answer: c) It protects against credential theft through phishing attacks
📝 Explanation: Phishing-resistant authentication (e.g., FIDO2, passkeys, WebAuthn) ensures users are not tricked into providing credentials to attackers.


166. What is a key security measure to prevent unauthorized access to user accounts?

a) Allowing password reuse
b) Enforcing MFA
c) Disabling session expiration
d) Storing passwords in plaintext

✅ Answer: b) Enforcing MFA
📝 Explanation: Multi-Factor Authentication (MFA) significantly reduces unauthorized access risks, even if passwords are compromised.


167. What type of attack is most likely to exploit unprotected authentication cookies?

a) SQL Injection
b) Session Hijacking
c) Cross-Site Scripting (XSS)
d) Social Engineering

✅ Answer: b) Session Hijacking
📝 Explanation: Session hijacking occurs when attackers steal unprotected session cookies, allowing them to impersonate users.


168. What is the main reason for using a CAPTCHA during authentication?

a) To encrypt passwords
b) To prevent automated brute-force attacks
c) To store user credentials securely
d) To disable session expiration

✅ Answer: b) To prevent automated brute-force attacks
📝 Explanation: CAPTCHA helps differentiate between human users and bots, preventing automated brute-force attempts.


169. What is a major risk of allowing weak password policies?

a) Users will forget passwords
b) Accounts can be easily compromised through brute-force or credential stuffing attacks
c) Users will log in too quickly
d) It requires MFA

✅ Answer: b) Accounts can be easily compromised through brute-force or credential stuffing attacks
📝 Explanation: Weak passwords are vulnerable to brute-force and credential stuffing attacks, making strong password policies essential.


170. What is the most secure method for storing passwords in a database?

a) Storing them in plaintext
b) Hashing them using a strong hashing algorithm with a salt
c) Encrypting them with a symmetric key
d) Storing them in an Excel spreadsheet

✅ Answer: b) Hashing them using a strong hashing algorithm with a salt
📝 Explanation: Passwords should be hashed (e.g., using bcrypt, Argon2) with a unique salt to prevent rainbow table attacks.


171. What is an effective way to mitigate credential stuffing attacks?

a) Implementing multi-factor authentication (MFA)
b) Allowing unlimited login attempts
c) Using security questions for authentication
d) Storing passwords in plaintext

✅ Answer: a) Implementing multi-factor authentication (MFA)
📝 Explanation: MFA adds an extra security layer, preventing attackers from accessing accounts even if they have stolen credentials from data breaches.


172. What is a key advantage of WebAuthn for authentication?

a) It allows password reuse
b) It provides passwordless authentication using public-key cryptography
c) It eliminates the need for encryption
d) It only works on mobile devices

✅ Answer: b) It provides passwordless authentication using public-key cryptography
📝 Explanation: WebAuthn (part of FIDO2) uses public-key cryptography, removing reliance on passwords and making authentication resistant to phishing.


173. Why should password expiration policies be avoided?

a) Frequent password changes encourage users to create weaker passwords
b) It improves security significantly
c) It reduces brute-force attacks
d) It prevents session hijacking

✅ Answer: a) Frequent password changes encourage users to create weaker passwords
📝 Explanation: Forcing users to frequently change passwords leads to weaker passwords and reuse patterns, making accounts more vulnerable.


174. What is the purpose of the “Secure” flag in authentication cookies?

a) To prevent cookies from being accessed over unencrypted HTTP connections
b) To store authentication tokens in local storage
c) To allow JavaScript access to authentication cookies
d) To disable authentication logs

✅ Answer: a) To prevent cookies from being accessed over unencrypted HTTP connections
📝 Explanation: The Secure flag ensures cookies are only transmitted over HTTPS, preventing MitM attacks that steal session cookies.


175. What is a common risk of not implementing session timeouts?

a) Users will need to log in too frequently
b) Attackers can hijack active sessions left open for long periods
c) It increases authentication speed
d) It disables encryption

✅ Answer: b) Attackers can hijack active sessions left open for long periods
📝 Explanation: Without session timeouts, attackers can hijack open sessions, especially on public computers or shared networks.


176. What is the primary risk of using email-based authentication recovery?

a) Emails are not encrypted
b) Email accounts are commonly targeted for attacks
c) Users forget their email passwords frequently
d) Email authentication does not require passwords

✅ Answer: b) Email accounts are commonly targeted for attacks
📝 Explanation: If an attacker gains access to a user’s email, they can reset passwords for multiple accounts, leading to complete account takeover.


177. Why should passwords be stored using salted hashing instead of encryption?

a) Hashing is reversible, while encryption is not
b) Hashing ensures passwords are not stored in a recoverable format
c) Encryption prevents password reuse
d) Hashing makes passwords easier to remember

✅ Answer: b) Hashing ensures passwords are not stored in a recoverable format
📝 Explanation: Salted hashing is a one-way transformation, so attackers who obtain a breached database cannot recover the original passwords, whereas encrypted passwords can be decrypted by anyone who also obtains the key.


178. What is the risk of using outdated hashing algorithms like MD5 or SHA-1 for password storage?

a) They improve authentication speed
b) They are vulnerable to fast brute-force and collision attacks
c) They increase password complexity
d) They eliminate the need for salting

✅ Answer: b) They are vulnerable to fast brute-force and collision attacks
📝 Explanation: MD5 and SHA-1 are weak hashing algorithms that attackers can brute-force quickly, making them unsuitable for password security.


179. What is an important security consideration for biometric authentication systems?

a) Biometric data should be stored in plaintext
b) Biometric authentication should be combined with another factor for higher security
c) Biometrics are completely secure and never need backups
d) Biometric authentication eliminates the need for user verification

✅ Answer: b) Biometric authentication should be combined with another factor for higher security
📝 Explanation: Biometric authentication is strong but not foolproof and should be combined with another factor (e.g., PIN, passkey) for additional security.


180. What is an advantage of using federated identity management (FIM)?

a) It allows users to authenticate across multiple systems with a single identity provider
b) It eliminates the need for MFA
c) It reduces authentication security
d) It stores passwords in plaintext

✅ Answer: a) It allows users to authenticate across multiple systems with a single identity provider
📝 Explanation: Federated identity management (e.g., SAML, OpenID Connect) enables users to log in once and access multiple services securely.


181. What is a major security concern with using autofill features for passwords?

a) Autofill makes authentication faster
b) Autofill can be exploited by malicious scripts to steal stored credentials
c) Autofill increases password complexity
d) Autofill prevents phishing attacks

✅ Answer: b) Autofill can be exploited by malicious scripts to steal stored credentials
📝 Explanation: Malicious websites can trick browsers into auto-filling credentials into hidden forms, leading to stolen passwords.


182. What is a security risk associated with using public Wi-Fi for authentication?

a) Increased password complexity
b) Potential exposure to Man-in-the-Middle (MitM) attacks
c) Faster authentication speeds
d) Prevents brute-force attacks

✅ Answer: b) Potential exposure to Man-in-the-Middle (MitM) attacks
📝 Explanation: Public Wi-Fi networks are often unsecured, making users vulnerable to MitM attacks that intercept authentication credentials.


183. Why should API keys not be hardcoded into applications?

a) API keys improve authentication speed
b) API keys can be extracted by attackers if exposed in source code
c) API keys eliminate the need for authentication
d) API keys prevent phishing attacks

✅ Answer: b) API keys can be extracted by attackers if exposed in source code
📝 Explanation: Hardcoded API keys can be exposed in public repositories, allowing attackers to compromise authentication mechanisms.


184. What is a common security risk when using third-party authentication providers (e.g., Google, Facebook login)?

a) Users may lose access if the provider is unavailable or compromised
b) It eliminates phishing risks
c) It requires complex passwords
d) It prevents session hijacking

✅ Answer: a) Users may lose access if the provider is unavailable or compromised
📝 Explanation: If a third-party authentication provider (IdP) is compromised, users may lose access to all services relying on it.


185. What is an effective defense against brute-force attacks?

a) Using account lockout policies
b) Allowing unlimited login attempts
c) Storing passwords in plaintext
d) Using only security questions for verification

✅ Answer: a) Using account lockout policies
📝 Explanation: Account lockout policies temporarily disable accounts after multiple failed login attempts, preventing brute-force attacks.


186. What is an effective way to protect authentication tokens from being stolen?

a) Store them in local storage
b) Use HTTP-only and Secure cookies
c) Allow unlimited authentication attempts
d) Use weak encryption

✅ Answer: b) Use HTTP-only and Secure cookies
📝 Explanation: HTTP-only cookies prevent JavaScript access (mitigating XSS risks), and Secure cookies ensure transmission only over HTTPS.


187. Why is biometric authentication not considered a perfect security solution?

a) Biometrics are completely foolproof
b) Biometric data cannot be changed if compromised
c) Biometrics require password authentication
d) Biometrics slow down authentication

✅ Answer: b) Biometric data cannot be changed if compromised
📝 Explanation: Unlike passwords, biometric data (fingerprints, face scans) cannot be changed, making breaches irreversible.


188. What is the primary purpose of using security keys (e.g., YubiKey) for authentication?

a) To allow password reuse
b) To provide phishing-resistant authentication
c) To simplify password recovery
d) To eliminate the need for encryption

✅ Answer: b) To provide phishing-resistant authentication
📝 Explanation: Security keys use public-key cryptography, making them resistant to phishing and MitM attacks.


189. What is a key advantage of adaptive authentication?

a) It applies stronger authentication only when needed
b) It eliminates password requirements
c) It disables MFA for all users
d) It works only on mobile devices

✅ Answer: a) It applies stronger authentication only when needed
📝 Explanation: Adaptive authentication increases security dynamically based on user behavior, reducing unnecessary friction.


190. Why should authentication logs be regularly reviewed?

a) To track failed login attempts and detect suspicious activity
b) To store user passwords securely
c) To prevent encryption
d) To allow unrestricted login attempts

✅ Answer: a) To track failed login attempts and detect suspicious activity
📝 Explanation: Regularly reviewing authentication logs helps identify brute-force attempts, anomalies, and unauthorized access.


191. What type of attack can be prevented by implementing CAPTCHAs?

a) Credential stuffing
b) Brute-force attacks by bots
c) SQL Injection
d) Clickjacking

✅ Answer: b) Brute-force attacks by bots
📝 Explanation: CAPTCHAs help differentiate between humans and bots, preventing automated brute-force attacks.


192. Why is phishing-resistant authentication important?

a) It speeds up authentication
b) It eliminates the need for security questions
c) It prevents credential theft via fake login pages
d) It improves password strength

✅ Answer: c) It prevents credential theft via fake login pages
📝 Explanation: Phishing-resistant authentication (e.g., FIDO2, passkeys) prevents users from entering credentials on malicious login pages.


193. What is an advantage of using Single Sign-On (SSO)?

a) Users only need to authenticate once for multiple applications
b) It eliminates all security risks
c) It prevents session hijacking
d) It stores passwords in plaintext

✅ Answer: a) Users only need to authenticate once for multiple applications
📝 Explanation: SSO allows users to access multiple services with a single authentication, reducing password fatigue.


194. What is a major security risk of API authentication using API keys?

a) API keys can be stolen if exposed in public code repositories
b) API keys prevent unauthorized access
c) API keys improve authentication speed
d) API keys eliminate the need for encryption

✅ Answer: a) API keys can be stolen if exposed in public code repositories
📝 Explanation: Hardcoded API keys in public repositories can be easily extracted by attackers, leading to API abuse.


195. What is the primary risk of using outdated hashing algorithms like SHA-1?

a) They require complex passwords
b) They are vulnerable to collision attacks and can be cracked easily
c) They improve authentication speed
d) They eliminate brute-force attacks

✅ Answer: b) They are vulnerable to collision attacks and can be cracked easily
📝 Explanation: SHA-1 and MD5 are weak and prone to collision attacks, making bcrypt, Argon2, or PBKDF2 better choices.


196. What is a security benefit of enforcing unique passwords for each account?

a) It prevents credential stuffing attacks
b) It makes passwords easier to remember
c) It improves authentication speed
d) It eliminates the need for encryption

✅ Answer: a) It prevents credential stuffing attacks
📝 Explanation: Unique passwords ensure that a compromised password from one service cannot be reused in credential stuffing attacks.


197. Why should session IDs be regenerated after authentication?

a) To improve authentication speed
b) To prevent session fixation attacks
c) To allow unlimited session duration
d) To store session IDs in plaintext

✅ Answer: b) To prevent session fixation attacks
📝 Explanation: Session fixation attacks exploit pre-assigned session IDs, so regenerating them after login prevents hijacking.


198. Why should security tokens have expiration times?

a) To prevent unauthorized reuse if stolen
b) To improve authentication speed
c) To eliminate password requirements
d) To disable encryption

✅ Answer: a) To prevent unauthorized reuse if stolen
📝 Explanation: Short-lived security tokens limit the impact of token theft, reducing the risk of unauthorized access.


199. What is the main advantage of using OAuth for API authentication?

a) It eliminates the need for user authentication
b) It allows secure delegated access without sharing passwords
c) It speeds up authentication
d) It requires plaintext password storage

✅ Answer: b) It allows secure delegated access without sharing passwords
📝 Explanation: OAuth enables secure access delegation, allowing users to grant limited API access to third-party services without sharing credentials.


200. What is the most effective way to secure authentication on public Wi-Fi networks?

a) Using a VPN and MFA
b) Disabling encryption
c) Using weak passwords
d) Logging in through HTTP

✅ Answer: a) Using a VPN and MFA
📝 Explanation: Public Wi-Fi is prone to MitM attacks, so using a VPN and enabling MFA enhances security.