
CAS-003 Question #431: Real Exam Question with Answer & Explanation

Correct answer: B. Authentication to the centralized IdP (the option's "Create-based" is most plausibly a transcription of claims-based or certificate-based authentication), securely stored access tokens, and secure push notifications as the second factor. The explanation below walks through why B fits the stated requirements and why the other options do not.

Question

A security architect has been assigned to a new digital transformation program. The objectives are to provide better capabilities to customers and reduce costs. The program has highlighted the following requirements:

1. Long-lived sessions are required, as users do not log in very often.
2. The solution has multiple SPs, which include mobile and web applications.
3. A centralized IdP is utilized for all customer digital channels.
4. The applications provide different functionality types such as forums and customer portals.
5. The user experience needs to be the same across both mobile and web-based applications.

Which of the following would BEST improve security while meeting these requirements?

Options

  • A. Social login to IdP, securely store the session cookies, and implement one-time passwords sent
  • B. Create-based authentication to IdP, securely store access tokens, and implement secure push
  • C. Username and password authentication to IdP, securely store refresh tokens, and implement
  • D. Username and password authentication to SP, securely store Java web tokens, and implement

Explanation

The requirements describe a standard OAuth 2.0 / OpenID Connect federation: one centralized IdP authenticates the customer, and multiple SPs (the forums, the customer portals, and their mobile and web front ends) accept tokens issued by that IdP instead of handling credentials themselves. Answer B fits this model best. Its first element ("Create-based" in the option text, most plausibly claims-based or certificate-based authentication to the IdP) keeps authentication at the IdP, where federation requires it. Access tokens are the OAuth artifact an SP uses to authorize a request, and they must be stored securely on the client (the platform keystore on mobile; in memory or an HttpOnly cookie on the web, never localStorage). Secure push (an approval prompt in an authenticator app) adds a strong second factor with little friction, which matters when logins are rare and sessions are long. Answer D fails because it authenticates at the SP, which defeats the centralized IdP and forces every application to hold credentials (its "Java web tokens" presumably means JSON Web Tokens, but that does not rescue the design). Answer C keeps username and password as the only authentication factor; refresh tokens extend a session but add no strength to the initial login. Answer A delegates identity to a social provider the program does not control, and one-time passwords delivered out of band are phishable and add friction to every login.

One practical caveat: "long-lived sessions" should not mean long-lived access tokens. Keep access tokens short-lived and let a refresh token, stored as carefully as the access token and rotated on every use, carry the long-lived session. A leaked access token then expires quickly, and a replayed refresh token can be detected and the session revoked.
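The federation described above, as an added example that is not code from the page, the exam, or any vendor: a centralized IdP mints short-lived access tokens bound to one SP through the audience claim, each SP verifies signature, issuer, audience and expiry before trusting any claim, and the long-lived session from requirement 1 is carried by a rotating refresh token rather than by a long-lived access token. HS256 with a shared secret, the issuer URL, the audience names and the lifetimes are assumptions made so the block runs offline with the standard library only; a real IdP signs with an asymmetric key (RS256/ES256) and SPs verify against the public keys it publishes.

```python
"""Token flow for a centralized IdP serving several SPs (forum, customer
portal, mobile and web front ends), using only the Python standard library.

Added example, not code from the exam question, the page, or any vendor.
HS256 with a shared secret is used purely so the block runs offline; a
production IdP signs with an asymmetric key and each SP verifies against
the IdP's published public keys. The issuer URL, audience names and
lifetimes below are assumptions for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER = "https://idp.example.test"   # assumed identifier of the centralized IdP
ACCESS_TTL = 15 * 60                  # access tokens stay short-lived (assumed 15 min)
REFRESH_TTL = 90 * 24 * 3600          # the long-lived session lives in the refresh token


class TokenError(Exception):
    """Raised when a presented token must be rejected."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(secret: bytes, subject: str, audience: str, now: int) -> str:
    """IdP side: mint a compact JWS (HS256) bound to one SP through 'aud'."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ACCESS_TTL}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_access_token(token: str, secret: bytes, expected_audience: str, now: int) -> dict:
    """SP side: accept only if signature, issuer, audience and expiry all hold.
    Each SP passes its own audience, so a token minted for the forum is
    rejected by the customer portal even though the same IdP issued it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # pin the algorithm; never let the token choose it
        raise TokenError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise TokenError("bad signature")   # checked before any claim is trusted
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != expected_audience:
        raise TokenError("wrong audience")
    if now >= claims.get("exp", 0):
        raise TokenError("expired")
    return claims


def rejection_reason(token: str, secret: bytes, expected_audience: str, now: int):
    """The SP's decision in one call: None if accepted, else the reason string."""
    try:
        verify_access_token(token, secret, expected_audience, now)
        return None
    except TokenError as exc:
        return str(exc)


class RefreshStore:
    """IdP side: refresh tokens are opaque, stored only as hashes, and rotated
    on every use, so a replayed (stolen or stale) token is refused outright."""

    def __init__(self):
        self._active = {}   # sha256(token) -> (subject, expiry)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, subject: str, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self._active[self._key(token)] = (subject, now + REFRESH_TTL)
        return token

    def is_active(self, token: str) -> bool:
        return self._key(token) in self._active

    def rotate(self, secret: bytes, token: str, audience: str, now: int):
        """Exchange a refresh token for a fresh access token plus a new refresh
        token; the old one is consumed so a second use fails."""
        entry = self._active.pop(self._key(token), None)
        if entry is None:
            raise TokenError("unknown or already-used refresh token")
        subject, expiry = entry
        if now >= expiry:
            raise TokenError("refresh token expired")
        return issue_access_token(secret, subject, audience, now), self.create(subject, now)
```

On the client, both tokens belong in the platform keystore (iOS Keychain, Android Keystore) for the mobile apps and in memory or an HttpOnly cookie for the web apps, not in localStorage. The secure-push factor from option B gates the initial login that seeds the refresh token, so a rare, MFA-protected login can safely carry a multi-month session while every access token an SP sees is only minutes old.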
