Text preview & study summary
CompTIA Security+ - Identity and Access Management
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
?? Multiple Choice (Hard)
Which attack exploits the implicit trust in Single Sign-On by stealing a valid authentication token?
Explanation
In Active Directory environments using Kerberos, a Golden Ticket attack forges Kerberos TGTs using the KRBTGT account hash (extracted from a Domain Controller). With a Golden Ticket, attackers can impersonate any user with any privileges for up to 10 years. Mitigation: regularly rotate KRBTGT password, monitor for unusual Kerberos tickets.
Question 2
?? Multiple Choice (Medium)
What is federation in the context of identity management?
Explanation
Identity federation allows users to use credentials from one organization (identity provider) to access resources in another organization (service provider/relying party). Protocols: SAML 2.0 (enterprise federation), OpenID Connect (consumer), WS-Federation. Example: using your university credentials to access a partner organization's resources.
Question 3
?? True/False (Medium)
Time-based One-Time Passwords (TOTP) rely on a shared secret and the current time to generate authentication codes valid for about 30 seconds.
Explanation
TOTP (RFC 6238) generates a 6-digit code based on: shared secret + current Unix time (rounded to 30-second window). Both client app (Google Authenticator, Authy) and server compute the same code independently. Codes expire every 30 seconds. TOTP is a "something you have" factor (authenticator app on phone).
Question 4
?? Fill in the Blank (Easy)
The principle of [[blank1]] access ensures that users are only granted the minimum permissions necessary to perform their job functions.
Explanation
Least privilege (also called minimum necessary access) is a core security principle. Users, processes, and systems should have only the permissions required for their specific tasks. This limits the damage from compromised accounts, insider threats, and malware. Combined with need-to-know (access to information required for job), it minimizes attack surface.
Question 5
?? True/False (Hard)
Separation of duties requires that no single individual has complete control over any critical process or transaction.
Explanation
Separation of duties (SoD) prevents fraud and errors by dividing critical tasks among multiple people. Example: the person who creates vendor accounts cannot also process payments. In IT: developers cannot deploy directly to production; no single admin has both backup and restore rights. This limits insider threat risk and enforces accountability.
