Effective CISSP Questions

A bank is evaluating two models of one-time password tokens for multi-factor authentication. Both models have a button, an LCD, volatile memory, and a battery, but no keypad. Model A uses a non-replaceable battery, while the battery of Model B must be replaced within three minutes once it runs low. Which of the following token types is most likely implemented by Model A? (Source: Wentz QOTD)
A. Static password token
B. Synchronous dynamic password token
C. Asynchronous password token
D. Challenge-response token

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Synchronous dynamic password token.

(Both B. Synchronous dynamic password token and C. Asynchronous password token may fit the description of the question, as it depends on product implementation. The suggested answer is the author’s best guess.)

  • An LCD implies the token generates one-time passwords dynamically, so the static password token can be ruled out.
  • A keypad is what lets a token support PIN code protection and challenge/response operations; since neither model has a keypad, the challenge-response token can be eliminated.
  • Volatile memory implies that no counter, or at least no counter value, is stored. Even though this depends on product implementation, the question author assumes a counter needs non-volatile memory when writing this question. The question is designed as a trigger to think about the difference between HOTP and TOTP.
  • A battery that must be replaced within three minutes implies the token maintains a clock that must keep running without drifting, which points to a time-based (synchronous) token.

Security Token

A security token, or simply token, also known as an authenticator, is something you have that you use to authenticate yourself to an authentication server. A token can be a physical or a technical/logical container: a badge, a card, a dongle, a piece of structured data, etc., you name it. What matters is the secret or data stored in the token.

  • An access token (SAML) or ID token (OpenID/OIDC) is a piece of structured data (XML in SAML, JSON in OIDC) describing facts (attributes) about a subject, also known as assertions. It is typically issued after authentication.
  • A one-time password (OTP) token is typically implemented as a physical device that generates passwords dynamically. It adds another authentication factor, something you have, because the user knows nothing about the dynamically generated password in advance; the only password the user knows is the one he or she configured.

Subscriber authentication is performed by verifying that the claimant controls one or more authenticators (called tokens in earlier versions of SP 800-63) associated with a given subscriber.

Source: NIST SP 800-63B

One-time password (OTP) Token

An OTP token generates a password dynamically for one-time use based on either time (synchronous) or a sequence/counter (asynchronous). A clock supplies the time to the OTP generator, while the counter must be stored in non-volatile memory (e.g., ) so that the next password can be generated after a power loss. Both the time-based OTP (TOTP) and the counter-based OTP (HOTP) generators use the HMAC-SHA1 algorithm.

  • HOTP(K,C) = Truncate(HMAC-SHA-1(K,C)), K for Key and C for Counter
  • TOTP(K,T) = Truncate(HMAC-SHA-1(K,T)), K for Key and T for Time
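The two formulas above, worked through in code as an added example (not part of the original post): HOTP with RFC 4226 dynamic truncation, TOTP as HOTP over a 30-second time step (T = floor(time / 30), per RFC 6238), and the verifier side, which shows why an HOTP token needs a persisted counter and why a TOTP verifier tolerates a small amount of clock drift. The key is the RFC 4226/6238 test-vector key; the look-ahead and skew window sizes are illustrative choices.

```python
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector key


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)), RFC 4226 section 5.3."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, t0: int = 0, digits: int = 6) -> str:
    """TOTP(K, T) = HOTP(K, T) with T = floor((unix_time - t0) / step), RFC 6238."""
    return hotp(key, (unix_time - t0) // step, digits)


class HotpVerifier:
    """Server side of HOTP. The counter is state that must survive a reboot
    on both ends, which is why a counter-based token needs non-volatile memory."""

    def __init__(self, key: bytes, look_ahead: int = 5):
        self.key, self.counter, self.look_ahead = key, 0, look_ahead

    def verify(self, code: str) -> bool:
        # Resynchronise within a bounded window of future counters; never accept
        # a counter at or below the last accepted one, which blocks OTP replay.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1
                return True
        return False


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server side of TOTP: accept the current step plus/minus `skew` steps so a
    token clock that drifts a few seconds still works; a dead clock does not."""
    t = unix_time // step
    return any(hmac.compare_digest(hotp(key, t + d), code) for d in range(-skew, skew + 1))
```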

OTP Token Products



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.

1 thought on “CISSP PRACTICE QUESTIONS – 20200703”
