A client is authenticating to an identity provider (IdP). Which of the following is the least feasible authenticator or authentication mechanism?
A. A password transmitted in clear text
B. A timestamp encrypted by the hash of the password
C. A nonce from the IdP encrypted by the subject’s private key
D. An attribute sent over TLS/SSL that uniquely identifies the subject

A software development team is concerned with the integrity of the access token received from the web site after users logging in. Which of the following is least likely considered?
A. Is the access token altered?
B. Is the web site the genuine origin of the access token?
C. Is the web site signs the access token?
D. Is the access token in transit lost?

Alice is a newly recruited employee. The Human Resource department is conducting her identity proofing and enrollment process. Which of the following should be conducted first?
A. Validation
B. Resolution
C. Verification
D. Authentication

A client submits a user’s identity in the clear text alone with a timestamp encrypted by the hash of the user’s password to the Kerberos Authentication Server. The Kerberos message is encapsulated as KRB_AS_REQ. Which of the following best describes the purpose of the process?
A. Identification
B. Authentication
C. Pre-authentication
D. The TGT (Ticket-granting ticket)

A session is a temporary logical connection between two end-user application processes for message exchange. Which of the following statements about the session is not true?
A. The session layer in the ISO OSI model maps to the application layer in TCP/IP.
B. The establishment of a session is independent of underlying transports.
C. The RESTful-style architecture prescribes how a session is managed.
D. A session can maintain state information even if the transport is connectionless.

SAML and OIDC are commonly found in federated authentication. Which of the following statements about federated authentication is not true?
A. SAML assertions can be viewed as equivalent to OIDC claims.
B. The access token of a subject is trusted and passed across security domains.
C. A user registers only one account in the federated domains to fulfill single sign-on (SSO).
D. The relying party refers to the service provider in SAML or the OAuth2 client using OIDC.

Mandatory Access Control (MAC) and Discretionary Access Control (DAC) are well-known authorization mechanisms introduced in the Trusted Computer System Evaluation Criteria (TCSEC). Which of the following statements about the authorization mechanisms is not true?
A. MAC can exist alone without DAC
B. Privileges granted by the data owner can be reauthorized to others in DAC.
C. A subject with mere security clearance gets no access to objects.
D. MAC mediates the data flow between classification levels.

Which of the following is least likely done by the data owner?
A. Identify, locate, and take an inventory of data
B. Evaluate the business value of data
C. Determine the protection mechanisms of data
D. Be accountable for the data breach

You are conducting the risk assessment and have identified several risks. Which of the following best describes the risk in your risk register?
A. Natural hazards like earthquakes, floods, etc.
B. Script kiddies using open source tools to play SQL injections against web sites
C. Employees carelessly attending training may result in frequent violations of security policy
D. Human life losses

Which of the following is least likely used to authenticate devices to prevent unauthorized ones from connecting to your wireless network?
A. 802.1X
B. Whitelist
C. Kerberos
D. Extensible Authentication Protocol (EAP)