A project team is developing requirements of the new version of a web application used by internal
and external users. The application already features username and password requirements for
login, but the organization is required to implement multifactor authentication to meet regulatory
requirements. Which of the following would be added requirements will satisfy the regulatory
requirement? (Select THREE.)
A.
Digital certificate
B.
Personalized URL
C.
Identity verification questions
D.
Keystroke dynamics
E.
Tokenized mobile device
F.
Time-of-day restrictions
G.
Increased password complexity
H.
Rule-based access control
A,D,E satisfy these requirements. Identity Verification Questions are considered Something You Know – same as the username / password.
2
0
Keystroke dynamics is something you do. I pick A, D, E
2
0
A, D, E
1
0
I agree with A, D, E. However, establishing ID is not a factor of authentication. In reality, you need who you are (keystroke dynamics is consider biometrics) and what you have (token). What you know is name and password. Also making this question a mess is the idea that multifactor is three or more factors. Two factor is also multifactor meaning that you could substitute verification questions (what you know) for either of the biometric or token answer. This is a poor question but the best answer is still ADE.
1
0
So We have a WEBAPP intended for internal and external users
A digital Certificate is a Given. So A is an answer
Personalized URL. This is a “cosmetic” feature, and not a “security” one. This eliminates B
Identity verification Questions- Also called “identity proofing” or “vetting an ID,” identity verification is used to confirm an identity in instances where the customer is not standing before you to show some sort of picture ID. It’s a real-time, electronic process that validates the personal information provided by a consumer. This is more often used by Call Centers than by WEBAPPS – This eliminates C
Keystroke dynamics – The behavioral biometric of Keystroke Dynamics uses the manner and rhythm in which an individual types characters on a keyboard or keypad
Tokenized mobile device
Time-of-day restrictions – Time-of-day restrictions is a red-herring and not a requirement – This eliminates F
Increased password complexity – The application already features username and password requirements for login: This eliminates G for sure
Rule-based access control – Rule-based access control is Using an ordered list of authentication rules, rule-based authentication provides support for multiple realm, multiple domain, and other special authentication requirements. When a request is processed, the rule list is traversed top to bottom, and the first match is applied. It is not best used for WEB apps. This eliminates H
So we eliminated the following:
B is wrong
C is wrong
F is wrong
G is wrong
H is wrong
So out of 8 possible answers, we eliminated 5 leaving us with:
A –Which we know to be right
D– Keystroke dynamics
E– Tokenized mobile device
So in a long winded way, I concur “I agree with A, D, E. However, establishing ID is not a factor of authentication. In reality, you need who you are (keystroke dynamics is consider biometrics) and what you have (token). What you know is name and password. Also making this question a mess is the idea that multifactor is three or more factors. Two factor is also multifactor meaning that you could substitute verification questions (what you know) for either of the biometric or token answer. This is a poor question but the best answer is still ADE.”
1
0