4. Passwords that are hard for users to remember
a. 2 only
b. 2 and 3
c. 2, 3, and 4
d. 1, 2, 3, and 4
116. d. Automatically generated random (or pseudo-random) passwords usually provide greater entropy, are hard for attackers to guess or crack, and are stronger passwords, but at the same time they are hard for users to remember.
117. In biometrics-based identification and authentication techniques, which of the following indicates that security is unacceptably weak?
a. Low false acceptance rate
b. Low false rejection rate
c. High false acceptance rate
d. High false rejection rate
117. c. The trick is balancing the trade-off between the false acceptance rate (FAR) and false rejection rate (FRR). A high FAR means that security is unacceptably weak.
A FAR is the probability that a biometric system can incorrectly identify an individual or fail to reject an imposter. The FAR given normally assumes passive imposter attempts, and a low FAR is better. The FAR is stated as the ratio of the number of false acceptances divided by the number of identification attempts.
An FRR is the probability that a biometric system will fail to identify an individual or verify the legitimate claimed identity of an individual. A low FRR is better. The FRR is stated as the ratio of the number of false rejections divided by the number of identification attempts.
118. In biometrics-based identification and authentication techniques, which of the following indicates that technology used in a biometric system is not viable?
a. Low false acceptance rate
b. Low false rejection rate
c. High false acceptance rate
d. High false rejection rate
118. d. A high false rejection rate (FRR) means that the technology is creating a nuisance to falsely rejected users, thereby undermining user acceptance and questioning the viability of the technology used. This could also mean that the technology is obsolete, inappropriate, and/or not meeting the user’s changing needs.
A false acceptance rate (FAR) is the probability that a biometric system will incorrectly identify an individual or fail to reject an imposter. The FAR given normally assumes passive imposter attempts, and a low FAR is better. A high FAR is an indication of a poorly operating biometric system, not related to technology. The FAR is stated as the ratio of the number of false acceptances divided by the number of identification attempts.
An FRR is the probability that a biometric system will fail to identify an individual or verify the legitimate claimed identity of an individual. A low FRR is better. The FRR is stated as the ratio of the number of false rejections divided by the number of identification attempts.
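The FAR/FRR trade-off from answers 117 and 118, worked through as an added example that is not part of the original text. The match scores are constructed, and each rate is divided by the attempts of its own class (imposter attempts for FAR, genuine attempts for FRR), which is an assumption of this example.

```python
# Constructed match scores in [0, 1]; higher means "looks more like the enrolled user".
GENUINE = [0.91, 0.85, 0.78, 0.88, 0.62, 0.95, 0.70, 0.83, 0.55, 0.90]
IMPOSTER = [0.20, 0.35, 0.48, 0.15, 0.58, 0.30, 0.66, 0.25, 0.41, 0.10]
THRESHOLDS = [0.4, 0.5, 0.6, 0.7, 0.8]


def rates(genuine, imposter, threshold):
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    false_accepts = sum(score >= threshold for score in imposter)
    false_rejects = sum(score < threshold for score in genuine)
    return false_accepts / len(imposter), false_rejects / len(genuine)


def sweep(genuine, imposter, thresholds):
    """One (threshold, FAR, FRR) row per candidate threshold."""
    return [(t, *rates(genuine, imposter, t)) for t in thresholds]


def equal_error_point(genuine, imposter, thresholds):
    """Row where FAR and FRR are closest: the balance point of the trade-off."""
    return min(sweep(genuine, imposter, thresholds),
               key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTER, THRESHOLDS):
        print(f"threshold={t:.1f}  FAR={far:.1f}  FRR={frr:.1f}")
    print("balance point:", equal_error_point(GENUINE, IMPOSTER, THRESHOLDS))
```

Lowering the threshold drives the FRR to zero while the FAR climbs (weak security); raising it does the reverse (falsely rejected users).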
119. In biometrics-based identification and authentication techniques, what is a countermeasure to mitigate the threat of identity spoofing?
a. Liveness detection
b. Digital signatures
c. Rejecting exact matches
d. Session lock
119. a. An adversary may present something other than his own biometric to trick the system into verifying someone else’s identity, known as spoofing. One type of mitigation for an identity spoofing threat is liveness detection (e.g., pulse or lip reading). The other three choices cannot perform liveness detection.
120. In biometrics-based identification and authentication techniques, what is a countermeasure to mitigate the threat of impersonation?
a. Liveness detection
b. Digital signatures
c. Rejecting exact matches
d. Session lock
120. b. Attackers can use residual data on the biometric reader or in memory to impersonate someone who authenticated previously. Cryptographic methods such as digital signatures can prevent attackers from inserting or swapping biometric data without detection. The other three choices do not provide cryptographic measures to prevent impersonation attacks.
121. In biometrics-based identification and authentication techniques, what is a countermeasure to mitigate the threat of replay attack?
a. Liveness detection
b. Digital signatures
c. Rejecting exact matches
d. Session lock
121. c. A replay attack occurs when someone can capture a valid user’s biometric data and use it at a later time for unauthorized access. A potential solution is to reject exact matches, thereby requiring the user to provide another biometric sample. The other three choices do not provide exact matches.
122. In biometrics-based identification and authentication techniques, what is a countermeasure to mitigate the threat of a security breach from unsuccessful authentication attempts?
a. Liveness detection
b. Digital signatures
c. Rejecting exact matches
d. Session lock
122. d. It is good to limit the number of unsuccessful authentication attempts any user can make. A session lock should be placed where the system locks the user out and logs a security event whenever a user exceeds a certain number of failed logon attempts within a specified timeframe.
The other three choices cannot stop unsuccessful authentication attempts. For example, if an adversary can repeatedly submit fake biometric data hoping for an exact match, it creates a security breach without a session lock. In addition, rejecting exact matches creates ill will with the genuine user.
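The countermeasures from answers 121 and 122 combined in one gate, as an added example that is not part of the original text. The class name, the default limits, the use of a SHA-256 digest of the raw capture to detect exact matches, and counting a rejected replay as a failed attempt are all assumptions of this sketch.

```python
import hashlib
from collections import defaultdict, deque


class BiometricGate:
    """Constructed example: exact-match rejection plus session lock around a matcher."""

    def __init__(self, max_failures=3, window_s=300):
        self.max_failures = max_failures    # failures tolerated inside the window
        self.window_s = window_s            # the "specified timeframe", in seconds
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.seen = defaultdict(set)        # user -> digests of samples already submitted
        self.locked = set()
        self.events = []                    # security event log

    def attempt(self, user, sample, matched, now):
        """sample: raw capture bytes; matched: the matcher's verdict; now: seconds."""
        if user in self.locked:
            return "locked"
        digest = hashlib.sha256(sample).hexdigest()
        if digest in self.seen[user]:
            # Live captures practically never repeat bit for bit: treat as a replay.
            self.events.append((now, user, "exact-match rejected"))
            matched, result = False, "resubmit"
        else:
            self.seen[user].add(digest)
            result = "accepted" if matched else "rejected"
        if matched:
            self.failures[user].clear()
            return result
        recent = self.failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:
            recent.popleft()                # forget failures outside the timeframe
        if len(recent) > self.max_failures:
            self.locked.add(user)
            self.events.append((now, user, "session locked"))
            return "locked"
        return result


if __name__ == "__main__":
    gate = BiometricGate()
    for t in (0, 10, 20, 30):
        print(t, gate.attempt("alice", b"constructed-%d" % t, False, t))
    print(gate.events)
```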
123. In the single sign-on technology, timestamps thwart which of the following?
a. Man-in-the-middle attack
b. Replay attack
c. Social engineering attack
d. Phishing attack
123. b. Timestamps or other mechanisms to thwart replay attacks should be included in the single sign-on (SSO) credential transmissions. Man-in-the-middle (MitM) attacks are based on authentication and social engineering, and phishing attacks are based on passwords.
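How a timestamp in the SSO credential lets a verifier refuse a replay, as an added example that is not part of the original text. The credential layout, the names issue, Verifier, KEY and MAX_AGE_S, and the nonce used to catch replays inside the freshness window are assumptions of this sketch.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed secret shared by issuer and verifier
MAX_AGE_S = 60                 # assumed freshness window, in seconds


def issue(user, now, nonce):
    """Build a credential whose timestamp and nonce are covered by the MAC."""
    body = json.dumps({"sub": user, "iat": now, "nonce": nonce},
                      sort_keys=True).encode()
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    return body, tag


class Verifier:
    def __init__(self):
        self.seen = {}  # nonce -> issue time, kept only while still fresh

    def verify(self, body, tag, now):
        expected = hmac.new(KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"   # timestamp or subject was altered in transit
        claims = json.loads(body)
        if abs(now - claims["iat"]) > MAX_AGE_S:
            return "stale"     # a capture replayed later fails on the timestamp
        # Drop entries that the freshness check would already refuse.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_AGE_S}
        if claims["nonce"] in self.seen:
            return "replayed"  # a capture replayed inside the window fails here
        self.seen[claims["nonce"]] = claims["iat"]
        return "ok"


if __name__ == "__main__":
    verifier = Verifier()
    body, tag = issue("alice", 1000, "n-1")
    for t in (1005, 1010, 1100):
        print(t, verifier.verify(body, tag, t))
```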
124. Which of the following correctly represents the flow in the identity and authentication process involved in the electronic authentication?
a. Claimant⇒Authentication Protocol⇒Verifier
b. Claimant⇒Authenticator⇒Verifier
c. Verifier⇒Claimant⇒Relying Party
d. Claimant⇒Verifier⇒Relying Party
124. d. The party to be authenticated is called a claimant and the party verifying that identity is called a verifier. When a claimant successfully demonstrates possession and control of a token in an online authentication to a verifier through an authentication protocol, the verifier can verify that the claimant is the subscriber. The verifier passes on an assertion about the identity of the subscriber to the relying party. The verifier must verify that the claimant has possession and control of the token that verifies his identity. A claimant authenticates his identity to a verifier by the use of a token and an authentication protocol, called proof-of-possession protocol.
The other three choices are incorrect as follows: