
CAS-003 Question #584: Real Exam Question with Answer & Explanation

The correct answer is C: Software-based TOTP. Software-based TOTP generates time-limited, one-time codes that expire within roughly 30 seconds, so a code captured by a phishing portal becomes invalid at, or shortly after, the moment it is replayed.

Question

A systems analyst is concerned that the current authentication system may not provide the appropriate level of security. The company has integrated WAYF within its federation system and implemented a mandatory two-step authentication system. Some accounts are still becoming compromised via phishing attacks that redirect users to a fake portal, which is automatically collecting and replaying the stolen credentials. Which of the following is a technical solution that would BEST reduce the risk of similar compromises?

Options

  • A. Security awareness training
  • B. Push-based authentication
  • C. Software-based TOTP
  • D. OAuth tokens
  • E. Shibboleth

Explanation

Software-based TOTP generates time-limited, one-time codes that expire within roughly 30 seconds, so a code captured by a phishing portal becomes invalid at, or shortly after, the moment it is replayed.

Common mistakes.

  • A. Security awareness training is not a technical solution and does not address the automated credential-relay mechanism at the protocol level.
  • B. Push-based authentication is vulnerable to MFA fatigue attacks where users inadvertently approve fraudulent prompts, and does not inherently block real-time relay of credentials through a phishing proxy.
  • D. OAuth tokens are an authorization delegation framework used after authentication is established, and do not protect against theft and replay of the initial authentication credentials.
  • E. Shibboleth is a federated identity provider already implied by the WAYF integration in the scenario; its presence alone does not prevent phishing-based credential capture and replay.

Concept tested. TOTP as a defense against credential-replay phishing.

Reference. https://datatracker.ietf.org/doc/html/rfc6238
