Identification & Authentication
Identification, authentication, and the AAA chain
A username proves nothing. Treating that presented identifier as if it had authenticated someone is the single misread behind most wrong answers on this topic, because identification (claiming an identity) and authentication (proving the claim) are two ordered steps and the order is load-bearing. Everything downstream inherits the strength of that first proof: get authentication wrong and every authorization decision and every audit record is now confidently attributing actions to the wrong person.
Identification is the act of claiming an identity, presenting an identifier (a username, account number, employee ID) that the system already holds. It carries no trust on its own: an identifier is typically public, often guessable, and asserts nothing about who is really at the keyboard. Authentication is the act of proving that the claimed identity belongs to the subject, by presenting evidence the system can verify. The exam insists these are two ordered steps (you identify first, then authenticate) because a great deal of confusion in answer choices comes from treating a presented username as if it had authenticated anyone.
The AAA chain: who, what, and the record
Identification and authentication are the front of a longer sequence usually labeled AAA: authentication, authorization, and accounting. Authentication answers who the subject is. Authorization (owned by the Authorization Mechanisms subtopic) then decides what that proven subject may do, applying access-control models and least privilege. Accounting (also called auditing) is the logged record that ties each action back to the authenticated identity, which is what makes accountability, and ultimately non-repudiation, possible. The whole chain only holds if the first link is sound: if authentication is weak or an identifier is mistaken for proof, every downstream authorization decision and every audit record is attributing actions to the wrong person.
Keep the four verbs in order and distinct: identify (claim) → authenticate (prove) → authorize (permit) → account (record). Most trap answers on this topic swap two of these, offering an authorization concept when the stem is about proving identity, or calling a username an authentication step. The four verbs run left to right as one chain, each link inheriting the strength of the one before it.
The factor types and what makes authentication multi-factor
This section covers the kinds of evidence authentication can use and the rule that decides when combining them counts as multi-factor. Read it before the biometrics and assurance-level sections, which build on these categories.
Three classic factors, two modern additions
Authentication evidence is grouped by the kind of thing it proves, and there are three classic categories:
- Something you know: a secret committed to memory: a password, PIN, or passphrase. NIST's neutral term is a memorized secret.
- Something you have: possession of a physical or cryptographic object: a smart card, an OTP token, a registered phone, or a FIDO2 security key (a possession factor).
- Something you are: a biometric, a physiological or behavioral trait: fingerprint, iris, face, or voice (an inherence factor).
Two further categories are commonly added but are weak as a sole factor: somewhere you are (geolocation or network context, useful as a risk signal in adaptive authentication, not as standalone proof) and something you do (behavioral biometrics such as keystroke dynamics or gait).
The category rule defines multi-factor, not the count of secrets
Multi-factor authentication (MFA) requires evidence drawn from two or more different categories above. This is the single most-tested distinction in the subtopic, and it is a frequent misread, so state it plainly: stacking two secrets of the same category is still single-factor. A password plus a security question is two pieces of "something you know", single-factor. A password plus a one-time code from a possession device is "know" + "have", genuinely two-factor. The exam dangles "two passwords" or "password + PIN" as a tempting MFA answer precisely because candidates count secrets instead of categories.
Why each factor fails differently
The categories matter because they fail in different ways, and a security leader chooses a combination so that one breach does not defeat the whole login. Knowledge factors are phished, guessed, reused across sites, and shared. Possession factors are lost, stolen, or (for weaker tokens) cloned. Inherence factors carry a unique liability: a biometric template, once compromised, cannot be revoked or reissued the way a password or token can, because you cannot change your fingerprint. That irrevocability is why biometrics are usually paired with a possession factor (e.g. a fingerprint that unlocks a key on a device) rather than used as the sole credential. The figure groups the three classic categories together and the two weaker modern ones apart, with the multi-factor rule stated beneath them.
Biometric accuracy: FAR, FRR, and the crossover error rate
This section explains how biometric systems are measured and which error a security professional treats as the dangerous one. It assumes the factor categories from the previous section.
Two error types that trade off against each other
A biometric matcher compares a presented sample to a stored template and decides match or no-match against a tunable threshold. It can be wrong in two opposite ways, and the CISSP labels both with a Type number and a rate:
- A false accept (an impostor is matched to someone else's template and let in). This is the Type II error, measured as the False Acceptance Rate (FAR). NIST's modern equivalent term is the false match rate (FMR), "the proportion of zero-effort impostor attempt samples falsely declared to match the compared non-self template" (NIST SP 800-140E, via CSRC glossary[1]).
- A false reject (a legitimate enrolled user is wrongly denied). This is the Type I error, measured as the False Rejection Rate (FRR) (NIST: false non-match rate).
The two are linked by the threshold and move in opposite directions: tighten the matcher and FAR falls but FRR rises (more legitimate users are turned away); loosen it and FRR falls but FAR rises (more impostors slip in). You cannot minimize both at once on a fixed system: you choose where on the curve to sit.
The crossover error rate is the single comparison number
Because FAR and FRR depend on the threshold you pick, you cannot compare two systems by quoting one rate. The comparison metric is the Crossover Error Rate (CER), also called the Equal Error Rate (EER): the threshold setting at which FAR and FRR are equal. The lower a system's CER, the more accurate it is overall, independent of how any one deployment is tuned. When a question asks which of two biometric systems is more accurate, the answer is the one with the lower CER.
Which error matters for security
The two errors are not equally serious. A false reject (Type I/FRR) is an inconvenience: a valid user retries or falls back to a help desk. A false accept (Type II/FAR) is a security breach: an impostor has been authenticated as someone else. So when a deployment is tuned, a security-conscious setting accepts a somewhat higher FRR to keep FAR low; tuning the system to stop annoying users (driving FRR to zero) by loosening the threshold raises FAR and is the wrong call for a high-security gate. A separate enrollment metric, the failure-to-enroll rate (FER), measures users whose trait cannot be captured well enough to enroll at all (e.g. worn fingerprints), a usability and inclusivity concern distinct from the two matching errors.
Proofing (IAL), assurance (AAL), and credential lifecycle
This section covers what happens before a credential exists and what governs its strength, drawing on the NIST SP 800-63 digital-identity model. Read it after the factor types, because assurance levels are expressed in terms of factors.
Identity proofing comes first, and is graded as IAL
Before any authenticator is bound to a person, the identity must be established. Identity proofing (the establishment step within enrollment, and loosely called registration) is that establishment, and NIST SP 800-63A breaks it into three steps: resolution ("uniquely distinguish an individual within a given population or context"); validation (collect appropriate identity evidence and "determine its authenticity, validity, and accuracy" against the issuing or an authoritative source); and verification ("confirm and establish a linkage between the claimed identity and the real-life existence of the subject presenting the evidence," e.g. by biometric or physical comparison) (NIST SP 800-63A[2]). The rigor of proofing is the Identity Assurance Level (IAL): IAL1 attributes are self-asserted with no evidence; IAL2 requires validated evidence collected remotely or in person; IAL3 requires in-person (or supervised-remote) proofing by an authorized representative (NIST SP 800-63-3[3]).
Authentication strength is graded separately as AAL
How strongly the login proves possession of the authenticator is the Authenticator Assurance Level (AAL), defined in NIST SP 800-63B. AAL1 permits single-factor authentication; AAL2 requires two distinct factors and approved cryptography; AAL3 requires a hardware-based authenticator and verifier-impersonation (phishing) resistance, demonstrated by proof of possession of a key through a cryptographic protocol (NIST SP 800-63B[4]). The exam-critical point, and a deliberate trap, is that IAL and AAL are independent: a self-asserted IAL1 account can still require AAL2 login, and an IAL3-proofed identity can be issued an AAL1 credential. A security leader sets each from the risk of the transaction, never assuming one implies the other.
Modern NIST guidance overturns two old password habits
Two legacy "best practices" are now explicitly discouraged by NIST, and the exam has begun to reflect this. First, do not force periodic password expiry: verifiers "SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)," but SHALL force a change on evidence of compromise. Second, do not impose composition rules (mandatory mixed character classes); instead, check candidate passwords against lists of known-compromised secrets and allow long passphrases (NIST SP 800-63B[4]). NIST also classifies SMS / PSTN-delivered one-time codes as a RESTRICTED authenticator because of SIM-swap and number-porting risk: usable, but the verifier must warn subscribers and offer a non-restricted alternative.
Credential management and just-in-time issuance
A credential management system governs the full lifecycle of authenticators: issuance, binding to a proofed identity, renewal, rotation, suspension, and revocation. The lifecycle principle a leader applies is to minimize standing credentials: just-in-time (JIT) provisioning grants access only at the moment of need and for a bounded time, so there is no long-lived privileged credential sitting idle to be stolen. JIT is most valuable for privileged or rarely-used access, where a standing administrator credential is a high-value, always-available target. The proofing steps run in order (resolution, then validation, then verification) before any authenticator is bound, as the figure shows.
SSO, session management, and passwordless
This section covers what happens after a successful authentication (how a single proof is reused and how long it stays valid) plus the passwordless model that is reshaping the factor mix. It assumes the AAL levels from the previous section.
Single sign-on: one authentication, many systems
Single sign-on (SSO) lets a user authenticate once to a central authority and then reach many connected applications without re-presenting credentials. Its benefits are real: less password fatigue (so fewer reused or written-down passwords), one place to enforce MFA, and one switch to disable an account everywhere on termination. Its risk is concentration of blast radius: a stolen SSO session is access to every connected system at once. That single trade-off is why SSO is always paired with strong authentication at the identity provider and with disciplined session controls: it raises the value of compromising that one login. (The protocols that carry SSO assertions, SAML, OIDC/OAuth, and the cross-organization trust they enable belong to the Authentication Systems and Federated Identity subtopics; this subtopic owns the strategy, not the wire format.)
Session management bounds how long a proof lasts
A successful authentication produces a session, and a session must not live forever: a long-lived session is an authentication that can be hijacked long after the user walked away. NIST SP 800-63B sets concrete bounds tied to AAL: at AAL2, reauthenticate at least every 12 hours regardless of activity and after 30 minutes of inactivity (a single factor MAY be used to resume); at AAL3, the inactivity limit tightens to 15 minutes and resuming the session SHALL use both factors (NIST SP 800-63B[4]). Beyond timeouts, sound session management means binding the session to the authenticated subject, regenerating the session identifier on privilege change, and invalidating the session server-side on logout, so that ending a session actually ends it.
Passwordless and FIDO2 remove the most-attacked factor
Passwordless authentication eliminates the memorized secret, replacing it with a possession factor: a cryptographic key in a hardware authenticator or device secure element, typically unlocked locally by a biometric or PIN (so the biometric authorizes local use of the key and never travels). The canonical standard is FIDO2 / WebAuthn: the authenticator holds a private key that never leaves it, and each credential is bound to a specific relying-party origin. Because the signature only validates for the real origin, a credential captured on a look-alike phishing site cannot be replayed against the genuine site: this origin-binding is exactly the verifier-impersonation resistance NIST requires at AAL3. The decision a leader weighs is removing the reusable password (the factor behind most credential-theft and phishing breaches) against the operational cost of provisioning hardware authenticators and handling their loss and recovery.
Exam-pattern recognition
This section maps question shapes to the right answer. Read the others first; this is the pattern layer.
Pattern 1: "Is this multi-factor?" Count categories, not secrets. Password + security question, or password + PIN, are both "something you know" → single-factor (the classic trap answer dressed up as MFA). Password + OTP token, or PIN + smart card, cross categories → genuine MFA. The distractor always offers two same-category secrets and calls them two factors.
Pattern 2: "Which biometric error / which is more accurate?" A false accept (impostor admitted) is the Type II error / FAR and is the security-critical one; a false reject is Type I / FRR, merely an inconvenience. "Which system is more accurate?" → the one with the lower CER (Crossover/Equal Error Rate) (NIST glossary[1]). Traps: swapping Type I/II, or claiming a low FRR alone proves accuracy (it doesn't; only CER compares systems independent of tuning).
Pattern 3: "Identification vs authentication vs authorization." A presented username/ID is identification (a claim), not authentication; proving the claim is authentication; deciding what the proven subject may do is authorization. Stems describing "the user entered their username" and asking what just happened → identification. The trap calls the username step authentication.
Pattern 4: IAL vs AAL independence. Proofing rigor = IAL (SP 800-63A); login strength = AAL (SP 800-63B); they are set independently (NIST SP 800-63-3[3]). A stem implying that strong login (AAL3) guarantees a well-proofed identity (IAL3), or vice versa, is the trap: strong authentication of a weakly-proofed account just confidently authenticates the wrong person.
Pattern 5: phishing-resistant / AAL3. A requirement for resistance to credential phishing or verifier impersonation points to a hardware authenticator with FIDO2/WebAuthn origin-binding, the AAL3 profile (NIST SP 800-63B[4]). SMS one-time codes are the wrong answer here: NIST classifies PSTN/SMS delivery as a RESTRICTED authenticator (SIM-swap risk), and it offers no phishing resistance.
Pattern 6: modern password policy. When a stem asks for the BEST password practice, the NIST-aligned answer is to screen against breached-password lists and stop forcing periodic expiry / composition rules (NIST SP 800-63B[4]). The trap is the old habit, "require 90-day rotation" or "mandate mixed character classes," which NIST now advises against absent evidence of compromise.
Pattern 7: SSO benefit vs risk. SSO's benefit is centralized authentication and reduced password fatigue; its risk is a single compromised session reaching every connected system. A stem listing SSO's downside is testing that concentration-of-risk idea, not a protocol detail (those belong to Authentication Systems).
The three classic authentication factor types
| Property | Something you know | Something you have | Something you are |
|---|---|---|---|
| Example | Password, PIN, passphrase | Token, smart card, FIDO2 key, phone | Fingerprint, iris, face, voice |
| Proves | Knowledge of a secret | Possession of an object/key | A physiological/behavioral trait |
| Main weakness | Phished, guessed, reused, shared | Lost, stolen, cloned | Cannot be revoked or changed if leaked |
| Accuracy concern | Password strength / reuse | Theft of the device/key | FAR vs FRR balance (CER) |
| Revocable | Yes (change the secret) | Yes (deactivate the token) | No (the trait is permanent) |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Identification is a claim; authentication is the proof. They are separate, ordered steps
Identification is presenting an identifier the system already knows (a username, account number, employee ID), and it carries no trust on its own because an identifier is usually public and guessable. Authentication is then proving that the claimed identity belongs to you by presenting evidence the system can verify. The exam tests these as distinct, ordered steps: you identify first, then authenticate, and only a proven identity feeds authorization.
Trap Treating a presented username, email, or account number as having authenticated the subject. An identifier is a public claim, never proof.
- Keep the chain straight: identify, authenticate, authorize, account
The full access sequence is identification (claim who you are) then authentication (prove it) then authorization (decide what the proven subject may do) then accounting/auditing (the logged record tying actions back to the identity). Accounting is what makes accountability and ultimately non-repudiation possible. The chain only holds if the first links are sound, because a weak authentication step makes every downstream authorization decision and audit record attribute actions to the wrong person.
Trap Placing authorization before authentication, or treating accounting as an optional add-on rather than the link that delivers accountability and non-repudiation.
- Authentication evidence comes in three classic factor types: know, have, are
The three classic factors are something you know (a password, PIN, or passphrase; NIST's neutral term is a memorized secret), something you have (a token, smart card, registered phone, or FIDO2 key; a possession factor), and something you are (a biometric such as fingerprint, iris, face, or voice; an inherence factor). Two weaker modern categories are sometimes added: somewhere you are (geolocation/network context, useful as a risk signal in adaptive authentication) and something you do (behavioral biometrics like keystroke dynamics).
Trap Classifying 'somewhere you are' (location) as one of the three classic factors, when the canonical three are only know, have, and are.
- Multi-factor authentication is defined by combining different factor CATEGORIES, not by counting secrets
MFA requires evidence from two or more different factor categories, so a password plus a one-time code from a possession device (know + have) is genuine two-factor. Stacking two secrets of the same category is still single-factor no matter how many you add. This is the single most-tested distinction in the subtopic because candidates instinctively count secrets instead of categories.
Trap Calling a password plus a security question (or password plus PIN) multi-factor. Both are 'something you know,' so it is still single-factor.
4 questions test this
- A security architect is designing an MFA solution for a financial services organization. The business requires that the authentication…
- Maria's organization requires her to authenticate using a 6-digit PIN on her smartphone, then provide a fingerprint scan on the same device…
- A security manager at an insurance company must quickly reduce the risk that stolen or reused passwords give attackers remote access to a…
- An organization currently authenticates users with a password followed by an email-based one-time passcode sent to the user's cloud email…
- A leaked biometric cannot be revoked the way a password or token can
Each factor type fails differently, which is why a leader combines categories so one breach does not defeat the whole login. Knowledge factors are phished, guessed, reused, and shared; possession factors are lost, stolen, or cloned; inherence factors carry a unique liability: a compromised biometric template cannot be revoked or reissued because you cannot change your fingerprint. That irrevocability is why biometrics are usually paired with a possession factor (a fingerprint unlocking a key on a device) rather than used as the sole credential.
Trap Assuming a compromised biometric can simply be reset or reissued like a leaked password or replaced token, when the trait itself cannot be changed.
- A false ACCEPT is the security-critical biometric error, not a false reject
A biometric matcher can fail two opposite ways. A false accept admits an impostor and is the Type II error, measured as the False Acceptance Rate (FAR); a false reject wrongly denies a legitimate user and is the Type I error, measured as the False Rejection Rate (FRR). The false accept is the security breach because an impostor has been authenticated as someone else, while a false reject is merely an inconvenience the user retries, so a security-conscious deployment accepts a higher FRR to keep FAR low.
Trap Swapping the Type numbers. False accept is Type II / FAR, false reject is Type I / FRR; the exam reverses them to catch you.
4 questions test this
- A security administrator is configuring a fingerprint biometric system to protect a high-security data center. The administrator wants to…
- A security manager needs to select a biometric system for a nuclear research facility where preventing unauthorized access is the HIGHEST…
- An organization is deploying biometric authentication for physical access control at a high-security research facility. The security team…
- A security architect is configuring a biometric fingerprint system for a high-security data center. The system must minimize the risk of…
- Compare biometric systems by the lower Crossover Error Rate (CER / EER)
Because FAR and FRR both depend on the matching threshold and trade off against each other, you cannot compare two systems by quoting one rate. The single comparison metric is the Crossover Error Rate (CER), also called the Equal Error Rate (EER): the threshold setting where FAR equals FRR. A lower CER means a more accurate system overall, independent of how any one deployment is tuned, so the more-accurate system is the one with the lower CER.
Trap Claiming a low FRR alone proves a system is more accurate. Only the CER compares systems independent of how the threshold is tuned.
4 questions test this
- A security architect is selecting a biometric system for a high-security government facility. The vendor provides performance metrics…
- A security architect is evaluating biometric authentication systems for a high-security facility. The vendor provides documentation showing…
- An organization is evaluating biometric authentication systems and wants to find the point at which the system provides the optimal balance…
- An organization is evaluating biometric authentication systems and wants to select one with optimal balance between security and usability.…
- Tightening the matcher lowers FAR but raises FRR. You cannot minimize both at once
FAR and FRR are linked by one tunable threshold and move in opposite directions: tighten the matcher and false accepts fall while false rejects rise; loosen it and the reverse happens. On a fixed system you choose where on the curve to sit, not how to zero out both. A separate enrollment metric, the failure-to-enroll rate (FER), counts users whose trait cannot be captured well enough to enroll at all: a usability and inclusivity concern distinct from the two matching errors.
Trap Loosening the threshold to drive false rejects to zero so users stop being annoyed. That raises FAR, the security-critical error, and is the wrong call for a high-security gate.
7 questions test this
- A security administrator is configuring a fingerprint biometric system to protect a high-security data center. The administrator wants to…
- A security architect is evaluating biometric authentication systems for a high-security facility. The vendor provides documentation showing…
- An organization is evaluating biometric authentication systems and wants to find the point at which the system provides the optimal balance…
- A security manager needs to select a biometric system for a nuclear research facility where preventing unauthorized access is the HIGHEST…
- A biometric access control system administrator notices that legitimate employees are frequently being denied access while the system…
- An organization is deploying biometric authentication for physical access control at a high-security research facility. The security team…
- A security architect is configuring a biometric fingerprint system for a high-security data center. The system must minimize the risk of…
- Identity proofing runs resolution, validation, then verification, before any credential is issued
Identity proofing (also called registration or enrollment), governed by NIST SP 800-63A, establishes the real-world identity before an authenticator is bound to it. It has three ordered steps: resolution uniquely distinguishes the person within a population, validation confirms the presented evidence is genuine and current against its issuing source, and verification binds the live person to that validated evidence (e.g. by biometric or physical comparison). Strong authentication on a weakly-proofed account is worthless because you are confidently authenticating the wrong person.
Trap Reordering the steps so verification (binding the live person) comes before validation (confirming the evidence is genuine), when validation must establish the evidence is real first.
- Identity Assurance Level (IAL) grades how rigorously the identity was proofed
IAL measures proofing rigor under NIST SP 800-63A: IAL1 attributes are self-asserted with no evidence, IAL2 requires validated evidence collected remotely or in person, and IAL3 requires in-person or supervised-remote proofing by an authorized representative. The higher the IAL, the more confident you are that the account maps to a real, distinct person. IAL governs enrollment, not the strength of any individual login.
Trap Treating IAL as a measure of how strongly the user logs in, when IAL grades proofing rigor at enrollment and AAL grades login strength.
- Authenticator Assurance Level (AAL) grades login strength and is set independently of IAL
AAL, defined in NIST SP 800-63B, grades how strongly the login proves possession of the authenticator: AAL1 permits single-factor, AAL2 requires two distinct factors and approved cryptography, and AAL3 requires a hardware-based authenticator plus verifier-impersonation (phishing) resistance proven by possession of a cryptographic key. The exam-critical point is that IAL and AAL are independent: a self-asserted IAL1 account can still demand AAL2 login, and an IAL3-proofed identity can carry an AAL1 credential.
Trap Assuming a strong login (AAL3) implies a well-proofed identity (IAL3) or vice versa. They are set separately from the transaction's risk.
- AAL3 requires a hardware authenticator AND verifier-impersonation resistance
AAL3 is the phishing-resistant tier: it demands a hardware-based authenticator and proof against verifier impersonation, demonstrated by proving possession of a cryptographic key through a protocol bound to the verifier. A software-only or push-approval second factor does not reach AAL3 because it can be relayed by an attacker-in-the-middle. When a stem requires resistance to credential phishing or verifier impersonation, the answer points to a hardware FIDO2/WebAuthn authenticator.
Trap Picking a push-approval or app-generated TOTP second factor as AAL3-compliant, when those can be relayed by an attacker-in-the-middle and only a hardware key bound to the verifier qualifies.
4 questions test this
- A CISO is hardening workforce authentication for a privileged group whose accounts are repeatedly targeted by credential-phishing and…
- An enterprise security team is evaluating authentication methods that provide strong resistance to remote phishing attacks. The team wants…
- According to NIST SP 800-63B, which type of multi-factor authentication provides the strongest protection against phishing attacks?
- A financial services organization wants to implement phishing-resistant MFA for privileged administrators accessing critical systems. Which…
- Passwordless FIDO2/WebAuthn binds the credential to the origin, so a phished credential cannot be replayed
Passwordless authentication replaces the memorized secret with a possession factor: a cryptographic key held in a hardware authenticator or device secure element, typically unlocked locally by a biometric or PIN so the biometric authorizes local use and never travels. FIDO2/WebAuthn is the canonical model: the private key never leaves the authenticator and each credential is bound to a specific relying-party origin, so a signature captured on a look-alike phishing site will not validate against the real origin. This origin-binding is exactly the verifier-impersonation resistance NIST requires at AAL3.
Trap Assuming the local biometric or PIN that unlocks a FIDO2 authenticator is transmitted to the server, when it only authorizes local key use and never travels off the device.
8 questions test this
- A security manager at a regional bank is hardening access to a customer-facing online banking portal after a wave of credential-stuffing…
- A security manager at a professional services firm with a largely remote workforce faces two persistent problems: credential phishing…
- A CISO is hardening workforce authentication for a privileged group whose accounts are repeatedly targeted by credential-phishing and…
- An enterprise security team is evaluating authentication methods that provide strong resistance to remote phishing attacks. The team wants…
- An organization is implementing FIDO2 hardware security keys for phishing-resistant authentication across its enterprise. During the…
- A CISO is evaluating MFA solutions and learns that some methods are vulnerable to real-time phishing attacks where attackers intercept…
- According to NIST SP 800-63B, which type of multi-factor authentication provides the strongest protection against phishing attacks?
- A financial services organization wants to implement phishing-resistant MFA for privileged administrators accessing critical systems. Which…
- NIST now discourages forced periodic password expiry and composition rules
Modern NIST SP 800-63B guidance overturns two legacy password habits: verifiers should not force memorized secrets to be changed arbitrarily (e.g. periodically) but must force a change on evidence of compromise, and they should not impose composition rules requiring mixed character classes. Instead, screen candidate passwords against lists of known-compromised secrets and allow long passphrases. When a stem asks the BEST modern password practice, the breach-list-screening answer beats the old rotation/composition habits.
Trap Choosing '90-day rotation' or 'mandate mixed character classes' as best practice. NIST now advises against both absent evidence of compromise.
3 questions test this
- An organization's security architect is updating the enterprise password policy to align with current NIST SP 800-63B guidelines. The…
- An organization is reviewing its password policy in preparation for aligning with current NIST SP 800-63B recommendations. The security…
- A security architect is reviewing the organization's password policy that mandates password changes every 60 days regardless of…
- NIST classifies SMS/PSTN one-time codes as a RESTRICTED authenticator
One-time codes delivered over SMS or the public telephone network are usable but RESTRICTED under NIST SP 800-63B because of SIM-swap and number-porting risk; a verifier using them must warn subscribers and offer a non-restricted alternative. SMS codes also provide no phishing resistance, so they are the wrong answer when a question asks for verifier-impersonation-resistant or AAL3 authentication. Treat SMS OTP as a weak possession factor, not a phishing-resistant one.
Trap Offering an SMS one-time code as a phishing-resistant or AAL3 answer, when it is a RESTRICTED authenticator exposed to SIM-swap and provides no verifier-impersonation resistance.
- Session management bounds how long a single authentication stays valid
A successful authentication produces a session that must not live forever, because a long-lived session is an authentication that can be hijacked long after the user left. NIST SP 800-63B sets concrete bounds tied to AAL: at AAL2, reauthenticate at least every 12 hours regardless of activity and after 30 minutes of inactivity (a single factor may resume); at AAL3 the inactivity limit tightens to 15 minutes and resuming the session requires both factors. Sound session management also means binding the session to the subject, regenerating the session identifier on privilege change, and invalidating it server-side on logout.
Trap Allowing a single factor to resume an AAL3 session after inactivity, when AAL3 tightens the inactivity limit to 15 minutes and requires both factors to resume.
- Single sign-on trades reduced password fatigue for concentrated blast radius
SSO lets a user authenticate once to a central identity provider and reach many connected applications without re-entering credentials, which reduces password fatigue, centralizes MFA enforcement, and gives one switch to disable an account everywhere on termination. Its risk is concentration: a stolen SSO session is access to every connected system at once, which is why SSO is always paired with strong authentication at the identity provider and disciplined session controls. The wire protocols that carry SSO assertions belong to authentication-systems; this subtopic owns the strategy and the risk trade-off.
Trap Selecting SSO as a control that reduces the blast radius of a credential compromise, when it concentrates risk so one stolen session reaches every connected system.
3 questions test this
- A security manager at a retailer is addressing employee frustration and inconsistent security caused by twelve internally owned web…
- A security lead at a hospital network is responding to clinician complaints that logging in separately to a dozen distinct clinical…
- A security architect is implementing Single Sign-On (SSO) for an enterprise with multiple cloud and on-premises applications. Which of the…
- Just-in-time provisioning issues short-lived credentials so there is no standing target
A credential management system governs the full authenticator lifecycle: issuance, binding to a proofed identity, renewal, rotation, suspension, and revocation. The lifecycle principle a leader applies is to minimize standing credentials: just-in-time (JIT) provisioning grants access only at the moment of need and for a bounded time, so no long-lived privileged credential sits idle to be stolen. JIT is most valuable for privileged or rarely-used access, where a standing administrator credential is a high-value, always-available target.
Trap Issuing a permanent standing administrator credential and relying on rotation alone, when JIT provisioning removes the always-available target entirely.
- Regenerate the session ID at login to defeat session fixation
Session fixation occurs when an application keeps the same session identifier before and after authentication, letting an attacker who planted or knows the pre-login session ID ride the authenticated session. The mandatory remediation is to generate a fresh session ID immediately upon successful authentication, invalidating any pre-set value.
Trap confusing session fixation (reuse of a pre-set ID) with session hijacking of a token already in use
4 questions test this
- During a security review, an analyst discovers that the web application maintains the same session identifier before and after user…
- A security analyst discovers that when users authenticate to a web application, the server continues using the same session identifier that…
- A web application security team discovers that attackers are successfully accessing user accounts by setting session identifiers in…
- A web application developer needs to prevent session fixation attacks. Which control is mandatory to implement according to OWASP session…
- Use a slow memory-hard KDF, and store any pepper in an HSM/vault separate from the database
Salting (a unique per-password random value stored with the hash) defeats precomputed rainbow tables but not targeted cracking. For offline-cracking resistance use a deliberately slow function: Argon2id (memory-hard, resists GPU/ASIC) when there is no FIPS constraint, or PBKDF2 with HMAC-SHA-256 at a high iteration count when FIPS-140 validation is required. A pepper is a single secret shared across all hashes, so it must live in an HSM or secrets vault, never alongside the password database.
Trap storing the pepper with the hashes like a salt, or picking a fast general-purpose hash (MD5/SHA-256) instead of a tuned KDF
6 questions test this
- A development team is implementing password storage security controls and wants to add an additional layer of protection beyond salting.…
- A security engineer is selecting a password hashing algorithm for a new web application that does not require FIPS-140 compliance. The…
- An organization must implement password storage that meets federal security requirements including FIPS-140 certification. The security…
- An organization is enhancing their password storage security by implementing a peppering strategy alongside salted password hashing. Where…
- During a security assessment, an analyst discovers that a legacy application stores passwords using unsalted MD5 hashes. What is the…
- An organization is implementing a new password storage system and must comply with FIPS-140 requirements. Which hashing algorithm should…
- Sessions end at whichever timeout hits first; zero trust adds continuous evaluation
Configure both an inactivity timeout and an overall (absolute) reauthentication timeout; the session terminates when either limit is reached first. NIST SP 800-63B sets AAL2 limits of reauthentication at least once every 12 hours regardless of activity, and reauthentication after any inactivity period of 30 minutes or longer. Beyond static timers, zero trust uses continuous access evaluation, reassessing session validity at each access point on live risk signals.
Trap treating the two timeouts as alternatives (only one applies) or relying on static timeouts alone under a zero-trust mandate
3 questions test this
- An organization is implementing session management for a healthcare application containing protected health information. The security team…
- An organization is implementing a zero trust architecture and wants to ensure that access decisions are continuously evaluated throughout…
- A security architect is designing an access control system that evaluates session security in real-time rather than relying on static…
Also tested in
References
- NIST CSRC Glossary: false match rate (FMR) Whitepaper
- NIST SP 800-63A: Digital Identity Guidelines: Enrollment and Identity Proofing Whitepaper
- NIST SP 800-63-3: Digital Identity Guidelines (IAL/AAL/FAL assurance levels) Whitepaper
- NIST SP 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management Whitepaper