- A. TRUE
- B. FALSE
Correct option:
FALSE
Explanation:
Identification and authentication are two distinct processes:
Identification is the process of claiming an identity (e.g., entering a username or providing an ID). It's essentially saying, "I am [this person]."
Authentication is the process of verifying that the claimed identity is valid (e.g., entering a password or using biometric data). It’s the step where the system checks if the user is indeed who they claim to be.
Thus, while they are related, they are not the same.
Correct option:
All the above options
Explanation:
Protecting an SSO token against theft, spoofing, or forgery takes several complementary controls, and each of the listed options addresses a different part of the problem:
Invalidate the SSO token on the server side after logout: a token that is only "forgotten" by the client can still be replayed by anyone who captured it. Recording the logout on the server (a revocation list or session store keyed by token ID) ensures the token is rejected after the user logs off.
Digitally sign and encrypt the token: the signature gives the token integrity and authenticity, so a forged token or one whose claims have been tampered with in transit is rejected by the verifier. Encryption hides the token's contents from anyone who intercepts it. Including an issue time and an expiry in the signed content bounds how long a stolen token remains useful, which is what the "time-variant" wording in the option refers to.
Set the "HttpOnly" attribute for cookies: a cookie with HttpOnly is never exposed to page JavaScript, so a cross-site scripting (XSS) payload cannot simply read the token and send it to the attacker. In practice the cookie should also carry Secure (never sent over plaintext HTTP) and a SameSite value.
None of these controls is sufficient on its own; together they cover replay after logout, forgery and tampering, and theft via script injection.
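The following is an added example, not code from the original quiz or any particular SSO product. It shows the three controls above in one place: a token that is signed with HMAC-SHA256 and carries an expiry, a verifier that rejects forged, tampered, expired and revoked tokens, a server-side revocation list consulted on logout, and a Set-Cookie line with HttpOnly, Secure and SameSite. The signing key and the in-memory revocation set are assumptions for the example; a real identity provider would keep the key in a KMS and the revocation state in a store shared by every node.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical signing key (example only); a real IdP would load it from a KMS or secret store.
SIGNING_KEY = secrets.token_bytes(32)

# Server-side revocation list keyed by token ID. In-memory here; in production it must be
# shared (e.g. a central cache) so every node that accepts tokens sees the revocation.
REVOKED = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int = 300, now: Optional[float] = None) -> str:
    """Issue a time-bound SSO token of the form <payload>.<HMAC-SHA256 signature>."""
    now = time.time() if now is None else now
    payload = {
        "sub": subject,
        "jti": secrets.token_hex(16),   # unique token ID, so one token can be revoked
        "iat": int(now),
        "exp": int(now) + ttl_seconds,  # expiry bounds how long a stolen token stays useful
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if signature, expiry and revocation checks all pass, else None."""
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time compare; a forged or tampered token fails here before parsing.
        if not hmac.compare_digest(expected, _unb64(sig_text)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # missing separator, bad base64, bad JSON
        return None
    if not isinstance(payload, dict):
        return None
    if payload.get("exp", 0) <= now:
        return None
    if payload.get("jti") in REVOKED:
        return None
    return payload


def logout(token: str) -> None:
    """Server-side invalidation: remember the token ID so it cannot be replayed after logoff."""
    try:
        body, _ = token.split(".", 1)
        payload = json.loads(_unb64(body))
    except ValueError:
        return
    if isinstance(payload, dict) and payload.get("jti"):
        REVOKED.add(payload["jti"])


def session_cookie_header(token: str) -> str:
    """Set-Cookie line: HttpOnly keeps the token away from page JavaScript, Secure keeps it
    off plaintext HTTP, SameSite=Lax keeps it out of cross-site POSTs and subresource loads."""
    return "Set-Cookie: sso_token=" + token + "; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    tok = issue_token("alice")
    print("valid:", verify_token(tok) is not None)
    forged = tok.split(".")[0] + "." + _b64(b"\x00" * 32)   # same claims, wrong signature
    print("forged accepted:", verify_token(forged) is not None)
    logout(tok)
    print("accepted after logout:", verify_token(tok) is not None)
    print(session_cookie_header(tok))
```

The revocation check means verification is no longer purely stateless; that is the price of being able to invalidate a token before it expires, and keeping the TTL short limits how large the revocation set has to grow.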
Correct option:
A mechanism that enables a user to sign-in/login/authenticate to an application/system with their credentials only once, and then seamlessly access other applications/systems available in the same domain of trust (e.g. intranet portal of an organization).
Explanation:
Single Sign-On (SSO) is a user authentication process that allows a user to access multiple applications or systems with a single set of login credentials (e.g., username and password). After the initial login, the user can seamlessly navigate to other applications or systems within the same trusted domain without needing to re-enter credentials.
Correct option:
A system or entity which can verify and prove identity to other systems/entities involved in the SSO mechanism. Typically, this is also the entity that generates and verifies the SSO token.
Explanation:
In an SSO (Single Sign-On) solution, the identity provider (IdP) is the entity responsible for authenticating the user and verifying their identity. It provides identity information to other systems (called service providers) by generating and verifying the SSO token or authentication assertion, which allows users to access multiple applications without needing to authenticate again.
The IdP does not hand the user's password to the other systems: the service providers receive only the signed assertion or token and never see the credentials themselves. Managing those credentials and performing the authentication is the IdP's job.
Correct option:
All the above options
Explanation:
All of the protocols listed in the question are commonly used to implement Single Sign-On (SSO); each provides a way for an identity provider to authenticate a user once and pass a verifiable assertion or token to the applications the user then accesses. Thus, all of them can be used for implementing SSO.
Correct option:
Cross-origin information leakage
Explanation:
The SameSite cookie attribute controls whether the browser attaches a cookie to requests that originate from another site, and so limits cross-site (in the option's wording, cross-origin) leakage of the cookie. This is what makes it useful against cross-site request forgery (CSRF): with SameSite=Strict the cookie is only sent in first-party contexts (the user is interacting directly with the site that set it), and with SameSite=Lax it is additionally sent on top-level navigations that use a safe method such as GET, but not on cross-site POSTs or subresource loads, which is where a CSRF form submission lives. Note that "site" here means the registrable domain plus scheme, not the full origin, and that SameSite is defense in depth rather than a replacement for anti-CSRF tokens.
It does not directly prevent SQL injection, server misconfiguration issues, or XSS attacks; a script already running on the site itself can still make same-site requests with the cookie attached.
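The browser's SameSite decision as an added example (not from the original quiz, and a simplified model rather than any browser's code): it encodes the Strict, Lax and None rules described above so the classic CSRF case, a POST form submitted from an attacker's page, can be checked against each setting. Two assumptions are labelled in the code: a site is approximated as the last two host labels (real browsers consult the Public Suffix List), and SameSite=None is treated as if the Secure attribute were present.

```python
from urllib.parse import urlsplit


def site_of(url: str) -> str:
    """Assumption: site = scheme plus last two host labels. Real browsers use the
    Public Suffix List, so e.g. example.co.uk needs a PSL lookup instead."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    host = ".".join(labels[-2:]) if len(labels) >= 2 else (parts.hostname or "")
    return parts.scheme + "://" + host


def cookie_sent(cookie_setter_url: str, request_url: str, initiator_url: str,
                method: str, top_level_navigation: bool, same_site: str) -> bool:
    """Would the browser attach a cookie set by cookie_setter_url to this request?

    initiator_url is the page that caused the request (the attacker's page in a CSRF
    scenario); top_level_navigation is True for link clicks and form posts that replace
    the whole tab, False for fetch/XHR/img/iframe subresource requests.
    """
    cookie_site = site_of(cookie_setter_url)
    if site_of(request_url) != cookie_site:
        return False  # the cookie belongs to a different site altogether
    if site_of(initiator_url) == cookie_site:
        return True   # same-site request: SameSite imposes no restriction
    mode = same_site.strip().lower()
    if mode == "none":
        return True   # assumed to carry Secure; cookie rides along on any cross-site request
    if mode == "lax":
        # The Lax exception: top-level navigations with a safe method still carry the cookie,
        # which is why cross-site links keep working but a cross-site POST does not
        return top_level_navigation and method.upper() in ("GET", "HEAD")
    return False      # strict: never sent cross-site


def csrf_form_post_succeeds(same_site: str) -> bool:
    """The canonical CSRF: attacker.example's page auto-submits a POST form to the bank."""
    return cookie_sent("https://bank.example", "https://bank.example/transfer",
                       "https://attacker.example/evil", "POST", True, same_site)


if __name__ == "__main__":
    for mode in ("Strict", "Lax", "None"):
        print(mode, "-> CSRF POST carries cookie:", csrf_form_post_succeeds(mode))
```

The Lax exception is the detail practitioners most often miss: a state-changing action exposed on a GET endpoint is still reachable cross-site under SameSite=Lax, so the attribute only helps if state changes require POST (or another unsafe method).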
Correct option:
The process where stolen account credentials (usernames and/or email addresses and the corresponding passwords), mostly from a data breach, are used to gain unauthorized access.
Explanation:
Credential stuffing is an attack in which stolen credential pairs (usernames or email addresses with their passwords), usually from one data breach, are tried against accounts on other websites. It works because many people reuse the same login credentials across services: given a breached dataset, attackers automate login attempts against many sites and keep the accounts where the reused password still works. Unlike brute force, each account typically sees only one or two attempts, which is why per-account lockouts alone do not stop it; effective defences include multi-factor authentication, screening passwords against known-breached lists, rate limiting and bot detection per source, and looking for one source trying many distinct accounts.
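Added detection example (not from the original quiz) run over constructed authentication log lines: a source that attempts many distinct accounts with a low success ratio is flagged as a likely credential-stuffing source, while a single user failing a few times on their own account is not. The log format and thresholds are assumptions for the example; real campaigns spread attempts over many IPs, so production detection also groups by user agent, ASN and time window.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample auth log (not real data). 203.0.113.7 walks through six accounts with one
# hit (dave); 198.51.100.4 is one user fumbling their own password before getting it right.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=dave@example.com result=SUCCESS
2024-05-01T10:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2024-05-01T10:00:09Z ip=198.51.100.4 user=alice@example.com result=FAIL
2024-05-01T10:00:20Z ip=198.51.100.4 user=alice@example.com result=FAIL
2024-05-01T10:00:31Z ip=198.51.100.4 user=alice@example.com result=SUCCESS
"""

# Assumed log line layout for the example
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events: List[dict], min_distinct_users: int = 5,
                          max_success_ratio: float = 0.5) -> Dict[str, dict]:
    """Flag source IPs that try many *different* accounts with mostly failures.

    Credential stuffing touches each account only once or twice, so the signal is breadth
    (distinct users per source), not depth (attempts per account). The returned 'hits' are
    the accounts that succeeded from a flagged source and should be treated as compromised.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "SUCCESS":
            s["hits"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        ratio = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "hits": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The success-ratio bound keeps a busy legitimate source (for example a corporate proxy where many users log in correctly) from being flagged, while the distinct-user bound keeps an individual's repeated failures on one account out of the result.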
Correct option:
TRUE
Explanation:
The iOS keychain is the platform's secure storage for small secrets such as passwords, cryptographic keys, and tokens; items are encrypted with keys protected by the device's Secure Enclave and are only released under the accessibility class the app chooses. In an SSO solution, storing the SSO token in the keychain is the recommended way to persist it and to make it available to several apps from the same vendor on the same device. Sharing works because keychain items are scoped to access groups: apps signed by the same development team (so they share the application identifier prefix) can declare a common keychain access group, or use an app group identifier as the access group, and only apps that carry that entitlement and that team signature can read the item.
This method relies on the code-signing and entitlement checks iOS enforces rather than on any secret the apps exchange, so an unrelated app on the device cannot read the token. Two practical caveats: choose a "ThisDeviceOnly" accessibility class so the token is not restored onto another device from a backup, and remember that the keychain protects the token at rest, so the token still needs an expiry and server-side invalidation on logout.
Correct option:
Authentication
Explanation:
Authentication refers to the process of verifying the validity of a claimed identity. It ensures that the user or system claiming a specific identity is actually who they say they are, often through methods like passwords, biometrics, or tokens.
Correct option:
Required
Explanation:
After a successful authentication the application should generate a new session identifier rather than continue with the one the user had before logging in. The pre-authentication identifier may be known to an attacker (session fixation: the attacker plants a session ID in the victim's browser, for example through a crafted link, and waits for the victim to log in with it), so rotating the identifier at the moment privileges change is what closes that attack; the old identifier must also be invalidated on the server, not merely replaced in the cookie. The new session also gives the application a clean, unique handle for tracking the authenticated user's interactions. When the application is deployed across multiple servers (for example behind a load balancer), the session store must be shared or replicated so that the regenerated session is recognised by every node; otherwise the rotation either fails or forces the user to re-authenticate.
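Added example (not from the original quiz) of the session regeneration described above, beside the vulnerable pattern it replaces. The in-memory store is an assumption for illustration; a load-balanced deployment would use a shared backing store so that every node sees the same session table. `login` is meant to be called only after the credential check has succeeded.

```python
import secrets
from typing import Optional


class SessionStore:
    """Minimal in-memory session store (illustrative; a real deployment would use a shared
    store such as a distributed cache so every load-balanced node sees the same sessions)."""

    def __init__(self) -> None:
        self._sessions = {}  # session_id -> attributes

    def create(self) -> str:
        """Anonymous pre-authentication session, e.g. for a shopping cart or login form."""
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def login(self, sid: str, user: str) -> str:
        """Secure pattern: on privilege change, destroy the old session server-side and issue
        a fresh identifier. An attacker who planted or learned the pre-auth ID is left holding
        a dead session instead of an authenticated one."""
        old = self._sessions.pop(sid, None) or {}
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {**old, "user": user}
        return new_sid

    def login_without_rotation(self, sid: str, user: str) -> str:
        """Vulnerable pattern kept for contrast: the pre-auth ID simply becomes authenticated,
        so anyone who knows that ID now has the victim's logged-in session (session fixation)."""
        self._sessions.setdefault(sid, {})["user"] = user
        return sid

    def logout(self, sid: str) -> None:
        """Server-side invalidation so the identifier cannot be replayed after logoff."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    planted = store.create()             # attacker learns or plants this ID
    authenticated = store.login(planted, "alice")
    print("attacker's ID still valid after login:", store.get(planted) is not None)
    print("new ID is authenticated:", store.get(authenticated)["user"])
```

The same rotation should happen on any privilege change (for example when a user elevates to an administrative role), and `logout` completes the picture so that the identifier is also useless after the session ends.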