Chapter 98 · Quiz

Multifactor Authentication — Quiz

Six multiple-choice questions and four matching questions. Submit for instant scoring and explanations.

Question 1 of 6
A user accesses a banking application by entering a password and then entering a 6-digit code generated by an app on their smartphone. The code changes every 30 seconds. Which two authentication factors are in use, and why does this combination qualify as true MFA?
Question 2 of 6
A security administrator is configuring authentication for a high-security government system. Users must present a physical card with an embedded microprocessor containing cryptographic keys, and must also enter a PIN. The card is useless without the PIN, and the PIN is useless without the card. Which authentication mechanism is this, and which two factors does it combine?
Question 3 of 6
An organization stores biometric data for fingerprint authentication. A security researcher asks what exactly is stored in the biometric database. Which answer is correct?
Question 4 of 6
A penetration tester conducts a SIM-swapping attack, convincing a carrier to transfer a target's phone number to an attacker-controlled SIM. The attacker then uses the target's stolen password to initiate a login. The authentication system sends a one-time code via SMS. The attacker receives the code and successfully authenticates. Which MFA factor was bypassed, and what stronger alternative would have prevented this?
Question 5 of 6
A company uses IP address geolocation as a location-based authentication factor. A user in Chicago authenticates from an IP address that geolocates to Frankfurt. The system flags this as suspicious. What is the primary limitation of IP-based geolocation as an authentication factor, and why is it still valuable?
Question 6 of 6
A biometric system has a False Acceptance Rate of 0.01% and a False Rejection Rate of 5%. What do these metrics mean, and which metric represents the greater security risk vs. usability issue?

Matching

Match each authentication method to the correct MFA factor category.

1. A physical device the size of a USB drive that stores cryptographic keys and certificates; plugs into a USB port; authentication is phishing-resistant because it is cryptographically bound to the specific site's domain
2. The user's iris pattern captured during enrollment; converted to a mathematical model stored in the authentication system; cannot be changed if the database is compromised
3. A 6-digit numeric code generated by a smartphone application that changes every 30 seconds using a shared seed value and the current timestamp; requires access to the registered device
4. The user's GPS coordinates reported by the authenticating device; used to verify that the login originates from an expected geographic area; imprecise and can be spoofed
A. Something you have (USB security key)
B. Something you are (biometrics)
C. Something you have (software token)
D. Somewhere you are (GPS location)