Explanation about a question

SeekBytes Member Posts: 143
I am using some online flashcards to get some questions on top of the ones I have with my actual books.
I found this particular question, but I do not agree with it. Do you mind explaining to me why answer "A" is correct and not "B"?

That's the actual question:

A technician wants to implement a dual factor authentication system that will enable the organization to authorize access to sensitive systems on a need-to-know basis. Which of the following should be implemented during the authorization stage?
A. Biometrics
B. Mandatory access control
C. Single sign-on
D. Role-based access control

I think that biometrics is a physical control that deals with authentication and not authorization, so I do not understand why it should be the correct answer.

Kind Regards.

Comments

  • devilbones Member Posts: 318
    Biometrics are the only multi-factor authorization in this selection (something you have, something you are, something you know). It's kind of a tricky question if you ask me.
  • danny069 Member Posts: 1,025
    A. Biometrics - Something you are, something you have (and only you have in this case), which thus makes it dual authentication.
    Mandatory and role-based are just types of access control implemented by a group of people to tighten security.
    Single sign-on is something you have if there is a token, for example an RSA ID, or something you know, but not dual, because it is not stated whether there is a token involved.
    Out of those four, 3 are vague and biometrics is not, which helps in this case.
    I am a Jack of all trades, Master of None
  • $bvb379 Member Posts: 155
    danny069 wrote: »
    A. Biometrics - Something you are, something you have (and only you have in this case), which thus makes it dual authentication.
    Mandatory and role-based are just types of access control implemented by a group of people to tighten security.
    Single sign-on is something you have if there is a token, for example an RSA ID, or something you know, but not dual, because it is not stated whether there is a token involved.
    Out of those four, 3 are vague and biometrics is not, which helps in this case.

    Agreed, they are trying to trick you with the second half of the first sentence, giving specific wording from MAC, but what they really wanted was in the first half of the first sentence. Weed through the BS in the questions.
  • TallDude7 Member Posts: 61
    Look for key words in the questions. The key word is "dual factor", so that means more than one authentication method.
  • SeekBytes Member Posts: 143
    I understand, but the question asks what control to implement during the authorization stage. As far as I know, a biometric control is used to verify an identity; therefore it's used for authenticating users and not for authorizing them.

    That's why I am struggling a bit with those questions. I found the exams very fluffy at the end.

    Kind Regards
  • OctalDump Member Posts: 1,722
    It's a bad question, a stupid question really. I'd go so far as to say the person who wrote the question doesn't understand these basic concepts.

    You are totally right about authentication vs authorisation.

    Dual factor authentication establishes the identity of the user; authorisation then uses that identity. It doesn't make much sense to say that authorisation is based on "biometrics". Authorisation is based on rules, access controls etc., applied to an identity - e.g. this identity has access to these resources, or this resource can be accessed by these identities. Authorisation does not need to establish an identity, therefore it does not need biometrics.

    "Need to know" access can be accomplished via whatever access controls you like, although stricter access controls usually means mandatory access controls. Single sign on may or may not be used.

    Strictly speaking, none of the answers is correct. A is probably what they want, based entirely on the "dual factor authentication", but dual factor could be achieved without using biometrics.

    I suspect you understand this material better than the person writing the questions. The really sucky part is that sometimes you get questions this bad on the actual tests. Luckily not too many, though, and the pass mark is not 100%.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • duncanjd Member Posts: 1
    It looks like whoever wrote the question is taking lessons from Microsoft. They gave you more information than you needed in the question to make it harder to see what was being asked. If the question had just said
    A technician wants to implement a dual factor authentication system
    what would your answer have been? I see where "during the authorization stage" would cause confusion, though. My thought would be that they were looking at authentication and authorization occurring in a finite period of time so as to appear as one step, while it actually occurs as two steps.
  • 636-555-3226 Member Posts: 975
    SeekBytes wrote: »

    That's the actual question:

    A technician wants to implement a dual factor authentication system that will enable the organization to authorize access to sensitive systems on a need-to-know basis. Which of the following should be implemented during the authorization stage?
    A. Biometrics
    B. Mandatory access control
    C. Single sign-on
    D. Role-based access control

    (modifying my original post since I'm re-reading this question without the other comments biasing me)

    Biometrics handles authentication. RBAC is the answer as that is the closest thing for authorization.
  • TechGuru80 Member Posts: 1,539
    The question is laughable at best...sigh to whoever made it.

    SSO is the process of using one identity across multiple systems, databases, etc. ... not a way of authenticating somebody for AAA.

    MAC and DAC are permission types so they aren't relevant to AAA.

    Biometrics is the only method that could be used towards proving an identity for AAA.

    Again, the question is very poor. It would have been better to ask you to pick two types for dual factor authentication. Don't get too frustrated because questions like this exist... such is life.
  • SeekBytes Member Posts: 143
    Thank you to all of you for being so helpful.

    I hope that my IT career will be something a bit more valuable than this type of test. I think that those questions try to make the candidate fail and not to help him understand the material more deeply in any way.

    I hope it will be the last CompTIA voucher I will have to spend money on.

    Kind Regards.
  • SeekBytes Member Posts: 143
    That's the definition from OWASP regarding MAC.

    https://www.owasp.org/index.php/Access_Control_****_Sheet#Mandatory_Access_Control_.28MAC.29

    MAC is similar to RBAC: the latter assigns privileges to users (the ability to perform specific functions), while MAC, based on the SC and the information label, allows or denies access to a specific resource. And the need-to-know works as an ultimate filter.

    My political party keeps saying that the answer is B ;)

    The debate is still open.

    Kind Regards.
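As an added illustration of the two points argued in this thread (the split between authentication and authorization in OctalDump's reply, and the MAC-with-need-to-know versus RBAC distinction in the last post above), here is a small two-stage flow in Python. This is example code written for this page, not code from the thread, from OWASP or from any CompTIA material; the users, password, token secret, clearance levels, compartments, roles and resources are constructed sample data, and the token code is a simplified HMAC-based one-time code rather than a full RFC 4226 HOTP implementation.

```python
"""Two-stage access flow: authenticate with two factors, then authorize the
verified identity against labelled resources (MAC plus need-to-know) and, for
comparison, against role permissions (RBAC).

Added example for this page; not code from the thread, OWASP or CompTIA.
Users, secrets, labels, roles and resources are constructed sample data."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Sensitivity levels, lowest to highest (assumed ordering for the example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Identity:
    """Output of authentication; the only thing authorization looks at."""
    username: str
    clearance: str
    compartments: frozenset   # need-to-know categories the subject holds
    roles: frozenset


@dataclass(frozen=True)
class Resource:
    name: str
    level: str
    compartments: frozenset   # categories the object is labelled with


# ---- Stage 1: authentication (establish WHO is asking) ---------------------

_SALT = b"constructed-static-salt"   # one salt per user in real code


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def token_code(secret: bytes, counter: int) -> str:
    """Simplified HMAC one-time code for the 'something you have' factor."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


# Constructed user store: password hash (something you know) + token secret
# (something you have). A biometric would be a third, "something you are".
USERS = {
    "alice": {
        "pw_hash": _hash_pw("correct horse", _SALT),
        "token_secret": b"alice-token-secret",
        "identity": Identity("alice", "secret", frozenset({"crypto"}),
                             frozenset({"analyst"})),
    },
}


def authenticate(username: str, password: str, code: str,
                 counter: int) -> Optional[Identity]:
    """Return an Identity only if BOTH factors verify; otherwise None."""
    rec = USERS.get(username)
    if rec is None:
        return None
    pw_ok = hmac.compare_digest(rec["pw_hash"], _hash_pw(password, _SALT))
    tok_ok = hmac.compare_digest(token_code(rec["token_secret"], counter), code)
    return rec["identity"] if (pw_ok and tok_ok) else None


# ---- Stage 2: authorization (decide WHAT a known identity may do) ----------

def authorize_mac(ident: Identity, res: Resource) -> bool:
    """MAC read check: clearance must dominate the label, and the subject must
    hold every compartment on the object (the need-to-know filter)."""
    if LEVELS[ident.clearance] < LEVELS[res.level]:
        return False
    return res.compartments <= ident.compartments


ROLE_PERMS = {"analyst": {"read_report"}, "admin": {"read_report", "rotate_keys"}}


def authorize_rbac(ident: Identity, action: str) -> bool:
    """RBAC check: the action must be granted to at least one of the roles."""
    return any(action in ROLE_PERMS.get(r, set()) for r in ident.roles)


def access(username: str, password: str, code: str, counter: int,
           res: Resource, action: str) -> str:
    """Full flow: authorization never runs without a verified identity."""
    ident = authenticate(username, password, code, counter)
    if ident is None:
        return "denied: authentication failed"
    if not authorize_mac(ident, res):
        return "denied: label or need-to-know"
    if not authorize_rbac(ident, action):
        return "denied: role"
    return "granted"


if __name__ == "__main__":
    code = token_code(b"alice-token-secret", 1)
    report = Resource("q3-report", "secret", frozenset({"crypto"}))
    print(access("alice", "correct horse", code, 1, report, "read_report"))
    print(access("alice", "correct horse", code, 1, report, "rotate_keys"))
```

Note where biometrics would sit in this flow: as a third check inside `authenticate`, next to the password and the token. Nothing in `authorize_mac` or `authorize_rbac` ever looks at how the identity was proven, which is the point SeekBytes and OctalDump were making; the need-to-know filter is the compartment subset test in `authorize_mac`, which can deny a subject whose clearance level is otherwise high enough.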