Which of the following would BEST improve security while meeting these requirements?

A security architect has been assigned to a new digital transformation program. The objectives are to provide better capabilities to customers and reduce costs.
The program has highlighted the following requirements:
1. Long-lived sessions are required, as users do not log in very often.
2. The solution has multiple SPs, which include mobile and web applications.
3. A centralized IdP is utilized for all customer digital channels.
4. The applications provide different functionality types such as forums and customer portals.
5. The user experience needs to be the same across both mobile and web-based applications.
Which of the following would BEST improve security while meeting these requirements?
A. Social login to IdP, securely store the session cookies, and implement one-time passwords sent to the mobile device
B. Certificate-based authentication to IdP, securely store access tokens, and implement secure push notifications.
C. Username and password authentication to IdP, securely store refresh tokens, and implement context-aware authentication.
D. Username and password authentication to SP, securely store Java web tokens, and implement SMS OTPs.

How to PASS CAS-004 in First Attempt?


3 thoughts on “Which of the following would BEST improve security while meeting these requirements?”

  1. I think the answer is C.

    Social login is not very secure, certificate-based would not reduce costs, and there are multiple SPs, so SP login wouldn’t work either. Also, refresh tokens are for long-term access (long-lived sessions).

    The original purpose of refresh tokens is to obtain long-term access to an API on behalf of the user. In such long-term scenarios, the user is not always present. Hence, the refresh token allows an application to autonomously obtain a new access token from the security token service, without user intervention.

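Comment 1's point about refresh tokens, shown as an added example (not code from the page or from any real IdP): a short-lived access token protects each request, while a long-lived refresh token carries the session across the rare logins. The block also rotates refresh tokens and revokes the whole token family when a rotated token is presented again, which is how a stolen refresh token gets detected. `TokenService`, the HMAC token format and the injectable `now` clock are all constructed for this example.

```python
import hashlib
import hmac
import secrets

ACCESS_TTL = 300           # access tokens live 5 minutes
REFRESH_TTL = 90 * 86400   # refresh tokens live 90 days: the long-lived session


class TokenService:
    """Constructed stand-in for an IdP token endpoint (not a real product's code)."""
    def __init__(self, key: bytes, now):
        self.key, self.now = key, now     # now() is injected so tests can move the clock
        self.refresh = {}                 # refresh token -> (user, family, expiry, used)
        self.revoked_families = set()

    def _access_token(self, user: str, expiry: int) -> str:
        body = f"{user}:{expiry}"
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}:{tag}"

    def verify_access(self, token: str):
        # Returns the user for a valid, unexpired access token, else None.
        user, expiry, tag = token.split(":")
        expected = hmac.new(self.key, f"{user}:{expiry}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected) or self.now() > int(expiry):
            return None
        return user

    def _pair(self, user, family, refresh_expiry):
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = (user, family, refresh_expiry, False)
        return self._access_token(user, int(self.now()) + ACCESS_TTL), rt

    def login(self, user: str):
        # Interactive login is rare; it starts a new refresh-token family.
        return self._pair(user, secrets.token_hex(8), self.now() + REFRESH_TTL)

    def refresh_grant(self, refresh_token: str):
        entry = self.refresh.get(refresh_token)
        if entry is None:
            return None
        user, family, expiry, used = entry
        if used:
            # A rotated token presented again: someone else holds a copy, so kill the family.
            self.revoked_families.add(family)
            return None
        if family in self.revoked_families or self.now() > expiry:
            return None
        self.refresh[refresh_token] = (user, family, expiry, True)
        return self._pair(user, family, expiry)
```

The refresh token's expiry is fixed at login rather than extended on each use, so even a "long-lived" session has a hard upper bound and the client must eventually re-authenticate at the IdP.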
  2. A. Social login to IdP, securely store the session cookies, and implement one-time passwords sent to the mobile device

    The IdP (identity provider) is the service you use to authenticate users (example: Facebook/Google/LinkedIn). SPs (service providers) are the services you are going to use, authenticated by the IdP.
    The idea here is to make this social login the IdP. Think of a company’s website using Google to log in to their website and then using forums or a customer portal; this would be the picture here.
    Option B (certificate-based) would not be viable; requiring customers to have certificates to log in would not happen in real life.

  3. B
    > A – Social login to IdP makes the social site your IdP.
    > C – adds context-aware authentication, but only UN/PW is used at the IdP
    > D – UN/PW authenticated to SP; we want to log in to the IdP

    B uses certificate auth with the IdP (secure), securely stores tokens, and uses secure push notifications (also secure)

