Security Engineering
Authentication & Identity
9 practice questions. Free questions open a full answer guide; the rest unlock with Pro.
- Why is SMS or TOTP-based MFA considered weaker than passkeys, and what makes an authentication factor phishing-resistant?
- When your service accepts a JWT as proof of identity, what does correct validation look like, and what are the classic mistakes that let an attacker forge or replay one?Go Pro
- What's the difference between session-based authentication and token-based (JWT) authentication, and how do you keep the credential safe in the user's browser either way?Go Pro
- What is the difference between authentication and authorization, and where do OAuth 2.0 and OpenID Connect fit?Go Pro
- What is multi-factor authentication, and why are some MFA methods considered stronger than others?Go Pro
- Bearer tokens can be stolen and replayed. How do you make an OAuth access token useless to an attacker who exfiltrates it, and what are the trade-offs of the options?Go Pro
- What's the difference between OAuth 2.0 and OpenID Connect, and when would you reach for each?Go Pro
- Why are static, long-lived credentials in CI and across services considered an anti-pattern, and how do you replace them with short-lived workload identity?Go Pro
- Your company has MFA on everything but is still seeing account takeovers. How do you reason about why MFA is being bypassed and what you'd move the organization toward?Go Pro
Want questions matched to your role? Paste a job title, job description, or CV for a personalized set, or go Pro to unlock the full bank.