The other three choices cannot stop unsuccessful authentication attempts. For example, if an adversary can repeatedly submit fake biometric data in the hope of an exact match, the absence of a session lock allows a security breach. In addition, rejecting exact matches creates ill will with the genuine user.
123. In single sign-on (SSO) technology, timestamps thwart which of the following?
a. Man-in-the-middle attack
b. Replay attack
c. Social engineering attack
d. Phishing attack
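To show the freshness check a single sign-on verifier performs on a timestamped authenticator, here is an added example (not from the question bank) of a Kerberos-style verifier: it checks the integrity tag, rejects timestamps outside a clock-skew window, and keeps a replay cache so that an authenticator captured and resubmitted is refused. The shared key, the 300-second skew and the principal names are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed key shared by the SSO authentication server and the service.
SHARED_KEY = b"constructed-demo-key"
MAX_CLOCK_SKEW = 300  # seconds of tolerated drift between claimant and verifier clocks

def build_authenticator(principal: str, timestamp: float) -> dict:
    """Claimant side: bind the principal and the current time under a MAC."""
    payload = json.dumps({"principal": principal, "timestamp": timestamp}, sort_keys=True)
    tag = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

class Verifier:
    """Verifier side: integrity, freshness and uniqueness checks on each authenticator."""

    def __init__(self):
        self.seen = {}  # replay cache: (principal, timestamp) -> time first accepted

    def prune(self, now: float) -> None:
        """Drop cache entries too old to pass the skew check anyway."""
        self.seen = {k: t for k, t in self.seen.items() if abs(now - k[1]) <= MAX_CLOCK_SKEW}

    def verify(self, authenticator: dict, now: float) -> str:
        expected = hmac.new(SHARED_KEY, authenticator["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, authenticator["tag"]):
            return "reject: bad integrity tag"          # tampered or forged
        fields = json.loads(authenticator["payload"])
        if abs(now - fields["timestamp"]) > MAX_CLOCK_SKEW:
            return "reject: timestamp outside allowed skew"   # stale or far-future
        self.prune(now)
        key = (fields["principal"], fields["timestamp"])
        if key in self.seen:
            return "reject: replayed authenticator"     # same timestamp seen before
        self.seen[key] = now
        return "accept"

if __name__ == "__main__":
    verifier = Verifier()
    auth = build_authenticator("alice", 1000.0)
    print(verifier.verify(auth, 1010.0))   # fresh, first use
    print(verifier.verify(auth, 1020.0))   # captured copy resubmitted
```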
124. Which of the following correctly represents the flow in the identity and authentication process involved in the electronic authentication?
a. Claimant⇒Authentication Protocol⇒Verifier
b. Claimant⇒Authenticator⇒Verifier
c. Verifier⇒Claimant⇒Relying Party
d. Claimant⇒Verifier⇒Relying Party
The other three choices are incorrect as follows:
The flow of the authentication process, Claimant⇒Authentication Protocol⇒Verifier: The authentication process establishes the identity of the claimant to the verifier with a certain degree of assurance. It is implemented through an authentication protocol message exchange, as well as management mechanisms at each end that further constrain or secure the authentication activity. One or more of the messages of the authentication protocol may need to be carried on a protected channel.
The flow of tokens and credentials, Claimant⇒Authenticator⇒Verifier: Tokens generally are something the claimant possesses and controls that may be used to authenticate the claimant’s identity. In E-authentication, the claimant authenticates to a system or application over a network by proving that he has possession of a token. The token produces an output called an authenticator, and this output is used in the authentication process to prove that the claimant possesses and controls the token.
The flow of assertions, Verifier⇒Claimant⇒Relying Party: Assertions are statements from a verifier to a relying party that contain information about a subscriber (claimant). Assertions are used when the relying party and the verifier are not collocated (e.g., they are connected through a shared network). The relying party uses the information in the assertion to identify the claimant and make authorization decisions about his access to resources controlled by the relying party.
125. Which of the following authentication techniques is appropriate for accessing nonsensitive IT assets with multiple uses of the same authentication factor?
a. Single-factor authentication
b. Two-factor authentication
c. Three-factor authentication
d. Multifactor authentication