Test your understanding of authentication vs authorization, session management, token basics, and OAuth2 concepts with this easy-level quiz. Strengthen your knowledge on core security terminology and practices essential for secure systems.
Which statement best describes the difference between authentication (AuthN) and authorization (AuthZ)?
Explanation: Authentication is the process of verifying who a user is, while authorization defines what resources a user can access after their identity is confirmed. The second option incorrectly reverses the definitions of the terms. The third option is wrong because authentication and authorization are distinct concepts. The fourth option confuses the processes involved and incorrectly assigns tasks to each.
If an employee logs into a system and tries to view payroll data but is denied because of insufficient privileges, what process is being enforced?
Explanation: Authorization involves controlling access to resources, such as determining who can view payroll data. Authentication occurs earlier, when the employee logs in. Audit logging records actions, not permissions. Password reset changes the authentication credential rather than controlling access.
Why does a web application create a user session after successful login?
Explanation: Sessions keep track of authenticated users so they do not need to re-authenticate with every request. Sessions are not meant for saving permanent user preferences or for file exchange. The last option is incorrect; security best practices do not support bypassing login for all users.
What is the primary role of an access token in modern web applications?
Explanation: Access tokens are used to authorize users to access particular resources once they have authenticated. They are not used for encrypting passwords, storing personal data, or as content for web pages. Their main function is controlling resource access.
In OAuth2 terminology, who is the 'resource owner'?
Explanation: The resource owner in OAuth2 is the user who controls the data or resources and can grant access. The server storing files is called the resource server, not the owner. The requesting application is known as the client, and the database administrator manages the database rather than owning user resources.
After authenticating successfully, a student cannot access faculty-only documents. This is an example of what security concept?
Explanation: Authorization restricts actions or data based on user roles, such as denying students access to faculty documents. Authentication only verifies the student's identity. Malware prevention and session hijacking are unrelated to access control.
Which of the following is an example of an authentication factor?
Explanation: A password is a widely used authentication factor proving a user's identity. Firewall rules and IP address lists are methods of controlling access but do not authenticate identity. Reading history is a user data record, not an authentication factor.
Why do access tokens usually have an expiration time set?
Explanation: Setting an expiration for tokens reduces risk if they are stolen or misused. Short-lived tokens restrict the window for unauthorized access. Expiry does not boost speed, nor is it related to the storage of user roles. Tokens should never be shared indefinitely; that's poor security.
Where is a session identifier typically stored in a traditional web application?
Explanation: Session identifiers are usually kept in cookies so the browser can send them with each request. Storing IDs in images, on USB devices, or spreadsheets is not standard practice for session management.
Within the OAuth2 framework, what is the primary responsibility of the 'client'?
Explanation: The client in OAuth2 is the application asking for permission to access resources. It does not manage passwords, issue tokens, or act as the resource owner. Each of those other functions belongs to a different OAuth2 role.
A system checks if a logged-in user is part of the 'admin' group before allowing access to settings. What is this checking process called?
Explanation: Checking group membership before permitting access aligns with authorization, where role-based access is enforced. Authentication would confirm identity, while encryption and rate limiting are unrelated to group access.
When a web client sends a 'Bearer token' in the Authorization header, what is it trying to do?
Explanation: Including a Bearer token shows the client is authorized for a resource. It is not used for password resets, encryption, or user registration tasks. Bearer tokens are evidence of access rights rather than authentication or transmission security.
What is the main purpose of a refresh token in OAuth2?
Explanation: A refresh token allows the application to get a new access token after the previous one expires, avoiding repeated user logins. It is not used for account deletion, email validation, or storing user roles.
Which statement compares access tokens to passwords correctly?
Explanation: Tokens usually have a short lifetime and are used for accessing resources, whereas passwords authenticate users during login. Passwords are for authentication, and tokens for authorization, not the other way around. Embedding passwords in tokens is insecure and not practiced.
Why does a secure website log a user out after a period of inactivity?
Explanation: A timeout after inactivity helps prevent unauthorized actions when the user is absent. It is not aimed at performance, does not replace the need for secure connections, and is unrelated to clearing cache.
During OAuth2 authorization, why is the user asked for consent when an app requests access to certain resources?
Explanation: User consent is core to OAuth2, letting users actively permit access to chosen data. Changing passwords, lowering fees, and encrypting databases are not objectives of the consent process during OAuth2.