Test and reinforce your understanding of authentication versus authorization, sessions versus tokens, role-based access, permission checks, and common pitfalls in identity management. This quiz covers all the essential concepts and practical scenarios relevant to secure application design.
Which process verifies the identity of a user before allowing access to a system?
Explanation: Authentication is the process that confirms who a user is, typically by checking credentials like passwords or biometrics. Authorization, on the other hand, determines what an authenticated user is allowed to do. Automation relates to performing tasks without manual intervention, and auditing refers to reviewing actions or changes. Only authentication directly addresses identity verification.
If a user can view their account information but cannot edit it, which concept is being applied?
Explanation: Authorization controls what an authenticated user can and cannot do, such as restricting editing rights. Authentication merely checks identity, while automation and announcement are unrelated jargon intended to distract. This scenario specifically refers to limiting actions post-authentication.
What is a key difference between session-based and token-based authentication schemes?
Explanation: Session-based schemes keep session data on the server and track users via session IDs, while tokens (like JWTs) are typically stored and managed client-side. Tokens do not store passwords and are not inherently tied to frequent logins. Session authentication is not exclusive to mobile apps; it is widely used on the web, while the distractors describe incorrect characteristics.
During a login process, which comes first: authentication or authorization?
Explanation: Authentication always precedes authorization; you need to verify who the user is before checking what they are allowed to access. Authorization only occurs once the user’s identity has been confirmed. Saying both happen together or that neither is required is incorrect and ignores the logical sequence.
A bank system allows tellers to view accounts and managers to approve loans. What is being used to enforce these differences?
Explanation: Role-based access control (RBAC) assigns permissions based on job roles, giving different rights to tellers and managers. Session timeouts and token expiration relate to session management, not access decisions. Client-side caching helps performance, not access enforcement.
Which process checks if a user is allowed to delete a file after logging in?
Explanation: A permission check specifically evaluates whether an authenticated user has rights to perform an action like deleting a file. Two-factor authentication adds a security step to logging in but doesn't manage specific permissions. Token refresh and session creation manage authentication, not granular access control.
What is a common authorization mistake in web apps?
Explanation: It's a common pitfall to only check for authentication and forget to enforce authorization, potentially exposing unauthorized data or actions. Requiring strong passwords and enforcing SSL are good security practices, and supporting multiple login methods often enhances usability; none of these is an authorization pitfall.
What can happen if session expiration is not properly implemented?
Explanation: Without timely session expiration, old sessions may stay valid, increasing the risk of unauthorized use if someone else gains access. It does not enhance security or permission checks. Saying users can never log in is incorrect; the real threat is prolonged session life and security exposure.
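The explanation above describes the risk of sessions that never expire. The following is an added example written for this quiz (not code from any web framework) showing a server-side session store that enforces both an idle timeout and an absolute lifetime; the timeout values, the `FakeClock`, and the `demo` walkthrough are assumptions made for the example.

```python
"""Added example: a session store with idle and absolute expiry.

Written for this quiz to illustrate the point above; it is not taken from any
web framework. The timeouts and the FakeClock are assumptions for the example.
"""
import secrets
import time


class FakeClock:
    """Controllable clock so expiry can be exercised without waiting."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    """Server-side session store: the client only ever holds an opaque ID."""

    def __init__(self, idle_timeout=15 * 60, absolute_timeout=8 * 3600,
                 clock=time.monotonic):
        self.idle_timeout = idle_timeout          # expire after inactivity
        self.absolute_timeout = absolute_timeout  # expire regardless of activity
        self._clock = clock
        self._sessions = {}

    def create(self, user_id):
        # 256 bits of randomness: the ID must not be guessable.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid):
        """Return the user for a live session, or None if unknown or expired.

        Expired sessions are removed on sight so they can never be revived."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        too_old = now - entry["created"] > self.absolute_timeout
        too_idle = now - entry["last_seen"] > self.idle_timeout
        if too_old or too_idle:
            self.destroy(sid)
            return None
        entry["last_seen"] = now  # sliding idle window
        return entry["user"]

    def destroy(self, sid):
        """Server-side logout: invalidates the ID even if the client keeps it."""
        self._sessions.pop(sid, None)


def demo():
    """Walk through both expiry rules with a simulated clock; returns what was seen."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=900, absolute_timeout=3600, clock=clock)
    sid = store.create("alice")
    seen = {"fresh": store.resolve(sid)}
    clock.advance(901)                      # idle longer than 15 minutes
    seen["after_idle"] = store.resolve(sid)
    sid = store.create("alice")
    seen["active"] = []
    for _ in range(5):                      # keep using it: 5 x 800 s exceeds 3600 s
        clock.advance(800)
        seen["active"].append(store.resolve(sid))
    return seen


if __name__ == "__main__":
    print(demo())
```

Both rules matter: the idle timeout limits how long an abandoned browser stays logged in, and the absolute timeout bounds the lifetime of a session even when a script keeps it "active". Because expired entries are deleted during lookup, the server never honours an old identifier that a client replays later.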
Why is it risky to store access tokens in browser local storage?
Explanation: Tokens in local storage are susceptible to theft if attackers exploit XSS vulnerabilities, since any script running in the page can read them. Tokens being encoded or stored has no bearing on this risk, and local storage does not automatically delete data. Tokens themselves do not run permission or role checks; they simply carry information.
What does it mean when token-based authentication is called 'stateless'?
Explanation: Stateless token-based systems do not hold user session details on the server, relying instead on tokens for information. Storing all history, encrypting with state codes, or asking for a state name is irrelevant to the meaning of 'stateless' in this context.
A user tries to update an admin-only resource but lacks proper rights. The system denies the request. Which process prevented the action?
Explanation: Authorization determines if the user has the necessary rights for sensitive actions like updating admin resources. Authentication would only ensure the user is logged in, not if they have admin privileges. Anonymization and allocation are unrelated to access control checks.
Which is a misconception about sessions and tokens?
Explanation: It's incorrect to assume tokens are always more secure; both methods have strengths and weaknesses depending on implementation. Sessions do usually live on the server, tokens can carry user-related data, and sessions can expire. The distractors are all examples of correct, not mistaken, beliefs about sessions or tokens.
How does a role differ from a permission in access control?
Explanation: Roles group multiple permissions to make management easier, while permissions are defined actions a user can perform. Permissions are not job titles, and neither roles nor permissions depend on whether sessions or tokens are used. Permissions are used for more than just logging in.
What is the principle of 'least privilege'?
Explanation: The least privilege principle restricts users’ access to only what’s required, reducing security risks. Granting everyone the same access, not encrypting tokens, and instant session expiry all misrepresent the principle or have no connection to privilege management.
Why should explicit permission checks be used in web APIs?
Explanation: Explicit permission checks verify that each action is authorized, not just that the user is logged in, thus improving security. Implicit checks are less reliable, hiding endpoints is not sufficient, and avoiding audits is harmful. Only option A reflects the right security practice.
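Several of the explanations above (the bank tellers and managers, the file-delete check, the "authentication only" pitfall, the admin-only resource, roles versus permissions, and least privilege) describe the same mechanism from different angles. The following added example, written for this quiz and not taken from any product or framework, puts them together: a role table that groups permissions, a handler that only checks login (the pitfall), and the corrected handler with an explicit permission check. The role names, permission strings, users and handler names are constructed for the illustration.

```python
"""Added example: roles grouping permissions, and explicit permission checks.

Written for this quiz; it is not code from any product or framework. The role
table, the users and the handler names are constructed for illustration.
"""
import functools
from dataclasses import dataclass, field

# A role is a named bundle of permissions; a permission names one concrete action.
# Each role gets only what the job needs (least privilege): tellers view,
# managers also approve loans, and only admins may delete files.
ROLE_PERMISSIONS = {
    "teller": {"account:view"},
    "manager": {"account:view", "loan:approve"},
    "admin": {"account:view", "account:edit", "loan:approve", "file:delete"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def permissions_for(user):
    """Union of the permissions granted by all of the user's roles.

    Unknown roles contribute nothing rather than raising, so a stale role
    name can never accidentally widen access."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def has_permission(user, permission):
    return permission in permissions_for(user)


def require_permission(permission):
    """Decorator that makes the authorization check explicit on a handler."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(user, *args, **kwargs):
            if user is None:                              # authentication first
                return 401, "login required"
            if not has_permission(user, permission):      # then authorization
                return 403, f"missing permission {permission}"
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


# The pitfall from the quiz: the handler only checks that someone is logged in,
# so any authenticated teller can delete files.
def delete_file_unchecked(user, path):
    if user is None:
        return 401, "login required"
    return 200, f"deleted {path}"


# The corrected handler: who the caller is AND whether they may do this.
@require_permission("file:delete")
def delete_file(user, path):
    return 200, f"deleted {path}"


@require_permission("loan:approve")
def approve_loan(user, loan_id):
    return 200, f"loan {loan_id} approved by {user.name}"


@require_permission("account:view")
def view_account(user, account_id):
    return 200, f"account {account_id}"


if __name__ == "__main__":
    teller = User("tina", {"teller"})
    print(delete_file_unchecked(teller, "/reports/q1.csv"))  # 200: the pitfall
    print(delete_file(teller, "/reports/q1.csv"))            # 403: explicit check
```

The decorator keeps the order the quiz describes: a missing user yields 401 (not authenticated) before any permission is consulted, and a logged-in user without the right permission yields 403 (authenticated but not authorized). Because handlers declare the permission they need, a reviewer can see at a glance which endpoints are protected and which one, like `delete_file_unchecked`, is not.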