Domain 5: Identity and Access Management Review — 35 of 84

CISSP Domain 5 – Section A Review: Identity and Authentication (10 Questions)

This section integrates:

  • Physical and Logical Access Control Categories (preventive, detective, corrective, compensating, deterrent, directive, recovery)
  • Biometric Accuracy Metrics (FAR, FRR, CER) and Physical Security Mechanisms
  • Authentication Strategy Design (MFA, SSO, Kerberos, SAML, OAuth/OIDC, adaptive authentication)
  • Session Management and Credential Lifecycle
  • Federated Identity (IdP/SP trust, trust models, partner governance, onboarding/offboarding)

Domain 5 questions expect you to make risk-based decisions about authentication strength, select the right federation architecture for a given scenario, and identify governance gaps in identity management. The answers that win are the ones that match security controls to the risk profile — not the ones that apply maximum security everywhere.


1. Match Authentication Strength to Risk

Not every resource needs the same authentication. A public knowledge base and an administrative console for financial systems have wildly different risk profiles. Authentication design starts with the question: what is the damage if an unauthorized person gains access?

  • Low-risk resources → standard authentication, possibly single factor
  • Medium-risk resources → MFA with standard factors
  • High-risk resources → strong MFA (hardware tokens, biometrics), adaptive authentication, just-in-time access

2. Federation Is a Trust Decision

When you federate with another organization, you are trusting their authentication practices. The strength of your security now depends on the weakest IdP in your federation chain. Due diligence before trust establishment and governance throughout the relationship are not optional — they are the foundation.


3. Layered Controls Assume Individual Failure

Defense in depth means each layer operates independently. When the exam presents a single-control scenario, the answer almost always adds a different control category. Preventive controls need detective backup. Physical controls need logical reinforcement. No control stands alone.


Section A Decision Pattern

When facing a Domain 5 Section A question:

  1. Identify the resource being protected and its risk level
  2. Match the authentication strength to that risk level
  3. Check for control category gaps — is there a missing detective, preventive, or compensating control?
  4. In federation scenarios, trace the trust chain — who authenticates, who authorizes, and what happens if the IdP is compromised?
  5. Look for governance gaps — orphaned access, missing reviews, absent offboarding procedures

Section A – Practice Questions


Question 1

A hospital deploys fingerprint scanners at the entrance to its pharmacy where controlled substances are stored. Pharmacists report that the scanners reject them frequently during busy shifts, requiring multiple attempts. Some pharmacists have started propping the door open to avoid delays.

What is the BEST response?

A. Replace the fingerprint scanners with a PIN-only system to eliminate friction
B. Discipline pharmacists who prop the door open for violating security policy
C. Tune the biometric sensitivity to reduce false rejections while maintaining acceptable security, and add a camera to detect propped doors
D. Remove biometric authentication and rely on badge access since it is faster

Answer & reasoning

Correct: C

The high FRR is causing users to circumvent the control entirely, which is worse than accepting a slightly higher FAR. Lowering the rejection threshold moves the operating point along the FAR/FRR trade-off (toward the crossover error rate) so that the control stays usable and therefore stays in place. Adding a camera provides a detective control that identifies when doors are propped open and compensates for the small amount of risk that was accepted. Disciplining users (B) treats the symptom without fixing the cause; a control that users defeat protects nothing. Removing biometrics (A, D) downgrades security for a controlled substance area.


Question 2

A financial services company requires all employees to authenticate through corporate SSO using SAML. A new mobile trading application needs to access the company’s market data API on behalf of authenticated traders. The development team asks which protocol to use for the API integration.

What is the correct recommendation?

A. Extend the SAML implementation to cover API access
B. Use OAuth 2.0 with the authorization code flow for the mobile app to obtain access tokens for the API
C. Have the mobile app store each trader’s credentials and authenticate directly to the API
D. Use Kerberos tickets for API authentication since the company already uses Active Directory

Answer & reasoning

Correct: B

OAuth 2.0 is designed for delegated API authorization: the trader authenticates once (the authorization server can delegate that login to the existing SAML SSO) and the app receives an access token scoped to the market data API instead of ever handling the trader’s credentials. The authorization code flow with PKCE (RFC 7636) is the recommended flow for native and mobile apps (RFC 8252): the app never sees the password, and the PKCE verifier binds the authorization code to the app instance that started the flow, so a code captured from the redirect cannot be exchanged for a token by another app on the device. SAML (A) is a browser-redirect protocol for web SSO; it does not itself issue bearer tokens that an API can validate. Storing credentials in the app (C) violates secure credential management principles. Kerberos (D) assumes domain-joined clients that can reach the KDC, which a mobile app on the public internet is not.
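The following is an added example, not code from the original page or from any vendor’s SDK. It simulates both sides of the authorization code flow with PKCE in one process: the mobile app generates a verifier, the authorization server binds the S256 challenge to a single-use code, and the token endpoint refuses the code unless the matching verifier is presented. The client ID, redirect URI, scope and code lifetime are constructed assumptions; the RFC 7636 test vector used in the usage note is the real one from the RFC’s appendix.

```python
"""Authorization code flow with PKCE (RFC 7636), modelled end to end.

Added example for this review page. The mobile app and the corporate
authorization server are both simulated in-process; no network, no real
endpoints. Identifiers below are constructed for the simulation.
"""
import base64
import hashlib
import secrets
import time

CLIENT_ID = "mobile-trading-app"                      # assumption
REDIRECT_URI = "com.example.trading:/oauth2redirect"  # assumption
API_SCOPE = "marketdata.read"                         # assumption


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy verifier: 32 random bytes -> 43 chars, the RFC minimum."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal stand-in for the authorization server behind corporate SSO."""

    def __init__(self, code_ttl_seconds: int = 60):
        self._pending = {}            # authorization code -> binding record
        self._code_ttl = code_ttl_seconds

    def authorize(self, client_id, redirect_uri, challenge, method, scope):
        # The user has already authenticated (e.g. via SAML SSO) by now.
        if method != "S256":
            raise ValueError("only S256 challenges accepted; 'plain' refused")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "challenge": challenge,
            "scope": scope,
            "expires": time.time() + self._code_ttl,
        }
        return code

    def token(self, client_id, redirect_uri, code, verifier):
        rec = self._pending.pop(code, None)   # pop(): codes are single-use
        if rec is None or time.time() > rec["expires"]:
            return None
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None
        # The caller must prove it started this flow: the S256 hash of the
        # verifier it presents must equal the challenge bound to the code.
        if not secrets.compare_digest(code_challenge_s256(verifier), rec["challenge"]):
            return None
        return {
            "access_token": b64url(secrets.token_bytes(32)),
            "token_type": "Bearer",
            "expires_in": 900,
            "scope": rec["scope"],
        }


def honest_flow(server):
    """The legitimate app completes the flow and gets an access token."""
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI,
                            code_challenge_s256(verifier), "S256", API_SCOPE)
    return server.token(CLIENT_ID, REDIRECT_URI, code, verifier)


def intercepted_code_attack(server):
    """A malicious app on the same device captures the redirect (and so the
    code) but never saw the verifier; its token request must fail."""
    verifier = make_code_verifier()
    stolen_code = server.authorize(CLIENT_ID, REDIRECT_URI,
                                   code_challenge_s256(verifier), "S256", API_SCOPE)
    attacker_guess = make_code_verifier()   # not the verifier bound to the code
    return server.token(CLIENT_ID, REDIRECT_URI, stolen_code, attacker_guess)


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("honest flow:", honest_flow(srv))
    print("stolen code without verifier:", intercepted_code_attack(srv))
```

Two properties worth checking by hand: `code_challenge_s256("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")` must equal `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM` (the RFC 7636 Appendix B vector), and a second `token()` call with an already-redeemed code returns `None`, because the code was popped on first use.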


Question 3

An organization’s security team discovers that a contractor who left the project three months ago still has active access to the development environment through a federated IdP. The contractor’s company confirms the user account was disabled on their end one month after the project ended.

What TWO failures occurred?

A. The contractor’s company failed to disable the account promptly, and the organization had no access review process for federated users
B. SAML assertions were not properly signed, allowing the contractor to forge access
C. The development environment did not require authentication
D. The contractor memorized another user’s credentials and used those instead

Answer & reasoning

Correct: A

Two governance failures compounded. First, the partner was slow: the project ended three months ago and the account was disabled only one month after that, so it remained usable for a month with no business need. Second, the organization had no independent process to review or revoke federated access when the project ended, and the fact that access was still active after the partner disabled the account indicates that entitlements the organization had provisioned on its own side were never revoked either. Federation governance requires both timely partner action and the organization’s own access reviews and offboarding triggers. Relying solely on the partner to manage access is insufficient.


Question 4

A company deploys adaptive authentication for its customer-facing banking portal. The system assigns risk scores based on device fingerprint, geolocation, time of access, and transaction type. A customer attempts to initiate a wire transfer of $50,000 from a new device in a country they have never accessed the portal from before.

What should the adaptive system do?

A. Allow the transaction since the customer provided correct username and password
B. Block the transaction permanently and require the customer to visit a branch
C. Require step-up authentication with an additional factor before allowing the high-value transaction to proceed
D. Allow the transaction but flag it for review within 30 days

Answer & reasoning

Correct: C

Multiple risk signals (new device, new country, high-value transaction) elevate the risk score. The proportional response is step-up authentication — requiring an additional factor to confirm the customer’s identity before processing the transaction. Allowing with just a password (A) ignores the risk signals. Permanent blocking (B) is excessive for a potentially legitimate customer. Flagging for later review (D) allows potential fraud to complete.


Question 5

An organization’s data center uses badge readers at the building entrance, a security vestibule (mantrap) at the server room, and biometric scanners at individual rack cages. A penetration tester gains access by tailgating an employee through the building entrance and is stopped at the server room vestibule.

Which access control principle prevented deeper penetration?

A. Separation of duties
B. Defense in depth — the layered controls caught a failure at the first layer
C. Least privilege
D. Need to know

Answer & reasoning

Correct: B

Defense in depth means each security layer operates independently. The badge reader at the building entrance was bypassed through tailgating, but the vestibule at the server room required individual authentication and prevented the penetration tester from proceeding. Without the second layer, bypassing the first would have granted full access. This is the core purpose of layered controls — each layer assumes the previous one might fail.


Question 6

A technology company uses Kerberos-based SSO for its on-premises applications. The IT team notices that Kerberos authentication is failing intermittently across multiple systems. Investigation reveals that the clocks on several servers have drifted by more than five minutes from the domain controllers that act as the Kerberos KDCs.

Why does time drift cause Kerberos failures?

A. Kerberos tickets contain timestamps to prevent replay attacks — if the time difference exceeds the allowed skew, tickets are rejected as potentially replayed
B. Kerberos uses time-based one-time passwords that become invalid after the drift
C. The KDC deletes all tickets when it detects time synchronization issues
D. Kerberos requires exact time matching to the millisecond across all systems

Answer & reasoning

Correct: A

Kerberos puts a timestamp in the pre-authentication data sent to the KDC and in the authenticator that accompanies every service ticket. The receiver compares that timestamp with its own clock: if the difference exceeds the configured maximum skew (5 minutes by default), it rejects the request with a clock-skew error (KRB_AP_ERR_SKEW in RFC 4120), because a timestamp outside the window could be a captured message being replayed later. Within the window, servers keep a replay cache of authenticators they have already seen, so the skew setting is also the size of the window that cache must cover. This is a security feature, not a bug. The solution is reliable time synchronization (NTP, with domain members taking time from the domain controllers) across all KDCs, servers and clients, not a larger allowed skew, which would widen the replay window.
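The following is an added example, not code from the original page or from any Kerberos implementation. It models only the timestamp and replay-cache logic a service applies when it accepts an authenticator (the behaviour RFC 4120 section 3.2.3 describes), using RFC 4120 error names; message formats, encryption and the KDC exchange are left out, and the principals and timestamps are constructed. The second scenario goes beyond the question: it shows why raising the allowed skew is the wrong fix, by replaying a captured authenticator against a second node of the same service that keeps its own replay cache, as per-host replay caches do.

```python
"""Kerberos-style authenticator acceptance: clock-skew window + replay cache.

Added example for this review page. Only the timestamp/replay logic of
RFC 4120 section 3.2.3 is modelled; no real Kerberos messages or crypto.
Principals, clock values and node layout below are constructed.
"""
from dataclasses import dataclass

MAX_CLOCK_SKEW = 300  # seconds; the usual 5-minute default


@dataclass(frozen=True)
class Authenticator:
    client_principal: str
    ctime: int   # client's clock, seconds since epoch
    cusec: int   # microseconds; makes (principal, ctime, cusec) unique


class ServiceVerifier:
    """One application-server instance checking incoming authenticators."""

    def __init__(self, max_skew: int = MAX_CLOCK_SKEW):
        self.max_skew = max_skew
        self._replay_cache = {}   # (principal, ctime, cusec) -> expiry (server time)

    def _purge(self, now: int) -> None:
        # An authenticator older than the skew window fails the skew check
        # anyway, so the cache only needs to remember the window's contents.
        for key, expiry in list(self._replay_cache.items()):
            if expiry <= now:
                del self._replay_cache[key]

    def accept(self, auth: Authenticator, server_now: int) -> str:
        self._purge(server_now)
        if abs(auth.ctime - server_now) > self.max_skew:
            return "KRB_AP_ERR_SKEW"       # outside the window: treat as replay
        key = (auth.client_principal, auth.ctime, auth.cusec)
        if key in self._replay_cache:
            return "KRB_AP_ERR_REPEAT"     # seen before inside the window
        self._replay_cache[key] = server_now + self.max_skew
        return "OK"


def drift_scenarios() -> dict:
    """Outcomes for a well-synced client, a replay, and a drifted client."""
    t0 = 1_700_000_000
    svc = ServiceVerifier()
    alice = Authenticator("alice@EXAMPLE.COM", t0, 123_456)
    bob = Authenticator("bob@EXAMPLE.COM", t0 + 420, 1)   # clock 7 min ahead
    return {
        "synced_client": svc.accept(alice, t0 + 10),
        "immediate_replay": svc.accept(alice, t0 + 20),
        "late_replay": svc.accept(alice, t0 + 400),
        "drifted_client": svc.accept(bob, t0),
    }


def replay_window(max_skew: int) -> tuple:
    """Replay a captured authenticator 400 s later against a second node of
    the same service (separate replay cache, e.g. behind a load balancer)."""
    t0 = 1_700_000_000
    auth = Authenticator("alice@EXAMPLE.COM", t0, 1)
    node_a, node_b = ServiceVerifier(max_skew), ServiceVerifier(max_skew)
    first = node_a.accept(auth, t0 + 5)
    replayed = node_b.accept(auth, t0 + 400)
    return first, replayed


if __name__ == "__main__":
    print(drift_scenarios())
    print("skew 300:", replay_window(300))
    print("skew 900:", replay_window(900))
```

With the default 300-second skew the replayed authenticator is refused by the second node (`KRB_AP_ERR_SKEW`), because its timestamp is 400 seconds old; with the skew widened to 900 seconds the same replay is accepted. Fixing the clocks keeps the window small; widening the skew makes every captured authenticator useful for longer.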


Question 7

An enterprise is evaluating federation trust models for an industry consortium of 20 companies that need to share research data. Each company operates its own identity infrastructure. The consortium does not want any single member to have a privileged position in the trust architecture.

Which trust model is MOST appropriate?

A. Cross-certification between all 20 members
B. Designate the founding member as the central identity provider
C. Establish an independent bridge CA that each member trusts equally
D. Require all members to migrate to a single shared identity platform

Answer & reasoning

Correct: C

A bridge CA provides equal trust relationships without privileging any single member. Each organization establishes one trust relationship with the independent bridge rather than 19 bilateral relationships (cross-certification would require 190 for 20 members). Designating one member as central (B) conflicts with the requirement that no member have a privileged position. A shared platform (D) is impractical for 20 organizations with existing infrastructure.


Question 8

A company’s security policy requires MFA for all remote access. The IT team implements a password plus a security question for VPN login. During a compliance audit, the auditor flags this as non-compliant with the MFA policy.

Why is the auditor correct?

A. Security questions are not an approved authentication method under any standard
B. A password and a security question are both something you know — this is single-factor authentication with two steps, not multi-factor
C. MFA requires at least three factors, not two
D. VPN connections require biometric authentication specifically

Answer & reasoning

Correct: B

Multi-factor authentication requires factors from different categories: something you know, something you have, something you are. Both a password and a security question fall into the “something you know” category. Two knowledge factors is multi-step single-factor authentication, which does not satisfy an MFA requirement. True MFA would pair the password with a token (have) or biometric (are).


Question 9

A SaaS provider receives SAML assertions from 50 enterprise customers. The provider discovers that one customer’s IdP is using an expired signing certificate. Assertions from this customer are still being accepted because the SaaS platform’s SAML validation was configured to skip certificate expiration checks.

What is the risk?

A. Expired certificates cannot encrypt SAML assertions, exposing user data in transit
B. Without valid certificate validation, the SaaS provider cannot verify that assertions genuinely come from the trusted IdP — a forged assertion could be accepted
C. The expired certificate will cause all users from that customer to be logged out immediately
D. Certificate expiration only affects performance, not security

Answer & reasoning

Correct: B

The digital signature on a SAML assertion is what proves the assertion came from the trusted IdP and was not altered, and the certificate’s validity period is the window in which the IdP vouches for that signing key. Accepting signatures from an expired certificate means the SaaS platform keeps trusting a key past the point at which the customer should have rotated it, so a key that was compromised and then retired would still be honored, and a forged assertion signed with it would be accepted for any user at that customer. Certificate validation is a core trust verification step in SAML federation; the right fix is to fail closed and coordinate rotation with the customer through updated IdP metadata (publishing the new certificate before the old one expires), not to loosen the check.


Question 10

An organization grants database administrators permanent root access to production databases because they need it for maintenance tasks. A security review reveals that administrators only perform maintenance during monthly change windows, but their elevated access is active 24/7. During off-hours, an administrator’s credentials are compromised, and the attacker exfiltrates customer records.

What control would have MOST effectively reduced this risk?

A. Require administrators to use longer passwords for production database access
B. Implement just-in-time access that grants elevated privileges only during approved change windows and automatically revokes them afterward
C. Monitor administrator activity and review logs monthly
D. Restrict database access to the corporate network only

Answer & reasoning

Correct: B

Just-in-time (JIT) access directly addresses the risk of standing privileges. If elevated access is only active during approved change windows, the off-hours credential compromise would have granted only standard user access, not root. JIT reduces the attack surface from 24/7 to the specific hours when elevated access is genuinely needed. Longer passwords (A) do not address the standing privilege problem. Log review (C) is detective, not preventive. Network restrictions (D) help but do not eliminate the risk of compromised credentials used from the corporate network.
