nerdexam
(ISC)2

CISSP · Question #491

When should an application invoke re-authentication in addition to initial user authentication?

The correct answer is C. After a period of inactivity. An application should invoke re-authentication in addition to initial user authentication after a period of inactivity. Re-authentication is a process of verifying the identity or attributes of a user, device, or process that has already been authenticated, but needs to renew or

Submitted by khalil_dz· Mar 5, 2026Identity and Access Management

Question

When should an application invoke re-authentication in addition to initial user authentication?

Options

  • AAt the application sign-off
  • BPeriodically during a session
  • CAfter a period of inactivity
  • DFor each business process

How the community answered

(54 responses)
  • A
    2% (1)
  • B
    4% (2)
  • C
    87% (47)
  • D
    7% (4)

Explanation

An application should invoke re-authentication in addition to initial user authentication after a period of inactivity. Re-authentication is a process of verifying the identity or attributes of a user, device, or process that has already been authenticated, but needs to renew or confirm the authentication for a specific reason or purpose. Re-authentication can enhance the security and accountability of the application, by preventing unauthorized access or misuse of the application by someone other than the authenticated user, or by the authenticated user for an unintended or inappropriate purpose. Re-authentication can also help to comply with the security policies or regulations that mandate a certain frequency or duration of authentication. An application should invoke re-authentication after a period of inactivity, meaning that the user has not performed any action or activity on the application for a predefined amount of time, such as 15 minutes or 30 minutes. This can prevent the application from being accessed or manipulated by someone who gains physical or logical access to the user's device or session, while the user is away or distracted. An application should not invoke re-authentication at the application sign-off, periodically during a session, or for each business process, as these may not be necessary or effective for security, and may cause inconvenience or frustration to the user.

Topics

#Re-authentication#Session management#Inactivity timeout#Application security

Community Discussion

No community discussion yet for this question.

Full CISSP Practice