Authentication & Authorization

0%
Theory
Quiz

    Iam Fundamentals

    • What is the difference between authentication, authorization, and identification?

      Junior
    • What are the core components of IAM?

      Junior
    • What is the AAA (Authentication, Authorization, Accounting/Audit) framework in security?

      Junior
    • What are the core objectives of Identity and Access Management (IAM)?

      Junior
    • What is Identity and Access Management (IAM)?

      Junior
    • Why is Identity and Access Management (IAM) essential in today's era?

      Junior
    • What are the common authentication factors (something you know, something you have, something you are)?

      Junior
    • What is a claim in the context of identity, and how does it relate to a principal or subject?

      Junior
    • What is user provisioning and de-provisioning in Identity and Access Management?

      Mid
    • What is the difference between authentication and identity management?

      Mid

    Security Principles

    • Explain the principle of least privilege. Why is it a foundational security concept?

      Junior
    • Explain the deny by default principle in authorization.

      Junior
    • Why should authorization logic never be enforced solely on the client side?

      Junior
    • What is coarse-grained vs. fine-grained authorization? Provide examples.

      Mid
    • What is separation of duties, and how does it complement the principle of least privilege?

      Mid
    • What is defense in depth, and how does it apply to authentication and authorization?

      Mid
    • What are the benefits and challenges of implementing the principle of least privilege in large organizations?

      Senior
    • Can you explain the confused deputy problem in access control?

      Senior
    • What does 'fail-secure' or 'fail-closed' mean for an access-control decision, and why is it preferred over failing open?

      Senior

    Access Control Models

    • Explain Role-Based Access Control (RBAC). What are its advantages and limitations, such as role explosion?

      Mid
    • What is the difference between role-based access control (RBAC) and attribute-based access control (ABAC), and when would you use each?

      Mid
    • How would you implement role-based access control (RBAC)?

      Mid
    • What are the different types of access control models (RBAC, ABAC, ACLs, MAC, DAC)? Explain their core principles.

      Mid
    • Explain the concept of claims-based authorization.

      Mid
    • What is the difference between discretionary (DAC) and mandatory (MAC) access control?

      Mid
    • Explain Attribute-Based Access Control (ABAC) and the roles of PDP, PEP, and PIP.

      Senior
    • What is Relationship-Based Access Control (ReBAC), such as the Google Zanzibar model, and when is it useful?

      Senior
    • What is externalized authorization with a policy engine (e.g., OPA/Rego), and what are its benefits?

      Senior
    • How do you enforce object-level or row-level authorization and tenant isolation in a multi-tenant system?

      Senior

    Password Security

    • Why do we hash passwords instead of encrypting them for storage?

      Junior
    • What is a password encoder and why is it mandatory?

      Junior
    • Explain password hashing, salting, and peppering. Why are adaptive hashing algorithms like bcrypt, scrypt, and Argon2 preferred over fast hashes like MD5 or SHA-1 for passwords?

      Mid
    • What is a work factor or cost factor in password hashing, and why is it important?

      Mid
    • Which password encoder would you use and why?

      Mid
    • What are the arguments for and against mandatory periodic password rotation policies?

      Mid
    • What is password entropy, and how does it relate to password strength requirements?

      Mid
    • What is breached-password (credential) checking, and why is it recommended over complex composition rules?

      Mid
    • Why is a timing-safe comparison important when verifying secrets or tokens?

      Senior

    Jwt & Tokens

    • What is a JSON Web Token (JWT)? Describe its structure (header, payload, signature) and the purpose of each part.

      Junior
    • What is the role of the payload in a JWT?

      Junior
    • Why should you avoid putting sensitive data in a JWT payload?

      Junior
    • How is JWT used for authentication and authorization?

      Mid
    • Discuss the security implications and trade-offs of storing JWTs on the client side, such as in HTTP-only cookies vs. local storage.

      Mid
    • What is the difference between an access token, refresh token, and ID token in the context of OAuth 2.0 and OpenID Connect?

      Mid
    • What are the standard claims in a JWT (iss, sub, aud, exp, iat, nbf, jti) and what is the purpose of each?

      Mid
    • Is a JWT encrypted or encoded? Explain the difference and its security implications.

      Mid
    • Explain the concept of token introspection and when it would be used.

      Mid
    • Explain the concept of token revocation and why it's important.

      Mid
    • How do you handle token expiration in JWT?

      Mid
    • How can you refresh a JWT token?

      Mid
    • What are the challenges of JWT revocation, and what strategies are used to mitigate them?

      Senior
    • What is the difference between symmetric and asymmetric signing algorithms in JWT?

      Senior
    • What are the security implications of using JWT?

      Senior
    • What is the difference between opaque tokens and self-contained (e.g., JWT) tokens, and when would you choose each?

      Senior
    • What is token binding, and how does it help prevent token theft and replay?

      Senior
    • What is the difference between JWS and JWE, and when would you need an encrypted JWT?

      Senior
    • How does a JWKS endpoint and public-key rotation work for validating signed tokens?

      Senior

    Oauth & Openid Connect

    • What is the main difference between OAuth 2.0 (for authorization) and OpenID Connect (for authentication)?

      Junior
    • What is user consent in OAuth, and what role does the consent screen play?

      Junior
    • Explain OAuth 2.0. What problem does it solve, and what are its core roles (resource owner, client, authorization server, resource server)?

      Mid
    • Explain OpenID Connect (OIDC). How does it build on OAuth 2.0, and what additional functionality does it provide (ID Token, UserInfo Endpoint)?

      Mid
    • What are OAuth scopes, and how do they limit the permissions granted to applications?

      Mid
    • What is the purpose of the state parameter in the OAuth authorization code flow?

      Mid
    • Why is OAuth 2.0 often misused for authentication, and what problems does that cause?

      Mid
    • What is machine-to-machine authentication, and how does the client-credentials flow support it?

      Mid
    • What is the purpose of the nonce in OpenID Connect?

      Mid
    • What is discovery in OpenID Connect, and how does the well-known configuration endpoint help clients?

      Mid
    • Describe the Authorization Code flow with PKCE in OAuth 2.0. Why is PKCE important, especially for public clients?

      Senior
    • Explain other OAuth 2.0 grant types such as Client Credentials, Device Code, Implicit, and Resource Owner Password Credentials, and discuss their use cases and why some are deprecated or discouraged.

      Senior
    • What is the difference between the front channel and back channel in OAuth flows, and why does it matter for security?

      Senior
    • What are the key changes introduced in OAuth 2.1 compared to OAuth 2.0?

      Senior
    • What is OAuth token exchange, and when would you use it?

      Senior
    • Explain the difference between delegation and impersonation, and how the on-behalf-of flow works.

      Senior

    Federated Identity & Sso

    • Explain the concept of Single Sign-On (SSO) and how protocols like SAML or OIDC facilitate it.

      Mid
    • What's the difference between JWT, OAuth, and SAML?

      Mid
    • Explain the conceptual flow of Kerberos authentication. What are its main components (KDC, AS, TGS)?

      Mid
    • What is LDAP and how is it used as an identity store, particularly with Active Directory?

      Mid
    • Explain how SAML assertions work and the roles of the Identity Provider and Service Provider.

      Mid
    • What is the difference between a centralized identity provider and per-application authentication? What are the trade-offs?

      Mid
    • What is social login, and what are the risks of relying on a third-party identity provider?

      Mid
    • Compare SAML and OpenID Connect. Discuss their differences in data format, use cases, and when you would choose one over the other.

      Senior
    • What is the difference between SP-initiated and IdP-initiated SSO?

      Senior
    • What is federated identity, and how is trust established between organizations?

      Senior

    Multi Factor & Passwordless

    • Can you explain how OTP (One-Time Password) is used for verification in an authentication flow?

      Junior
    • Explain Multi-Factor Authentication (MFA). What are its common types such as TOTP, push-based, and biometrics, and their trade-offs?

      Mid
    • What are Passkeys / WebAuthn / FIDO2, and what problems do they solve compared to traditional password-based authentication?

      Mid
    • What is MFA fatigue/bombing, and how can it be mitigated?

      Mid
    • What is the difference between TOTP and HOTP one-time passwords?

      Mid
    • Why is SMS-based OTP considered a weaker second factor, and what attacks target it?

      Mid
    • How do magic-link and one-time-code passwordless flows work, and what are their trade-offs?

      Mid
    • How does biometric authentication work as a factor, and what do false-accept and false-reject rates mean?

      Mid
    • What is the role of recovery codes in MFA, and how should they be stored and handled?

      Mid
    • What is step-up (adaptive) authentication, and when would you require it?

      Senior
    • What does 'phishing-resistant authentication' mean, and why is WebAuthn considered phishing-resistant?

      Senior

    Session Management

    • Compare and contrast session-based authentication and token-based authentication such as JWT. Discuss their statefulness, scalability, and security trade-offs.

      Mid
    • Explain session fixation and session hijacking attacks. What are common mitigations?

      Mid
    • How can CSRF attacks impact authentication (against session cookies), and what are the primary defenses (SameSite cookies, anti-CSRF tokens)?

      Mid
    • What are the Secure, HttpOnly, and SameSite attributes for cookies, and how do they enhance security for session management?

      Mid
    • What is the difference between idle (inactivity) timeout and absolute session timeout, and why use both?

      Mid
    • How does server-side session invalidation on logout work, and why is stateless logout harder?

      Mid

    Api & Service Authentication

    • Describe the use cases and limitations of API keys for authentication.

      Junior
    • What is authentication in API design?

      Junior
    • What is the difference between a 401 Unauthorized and a 403 Forbidden response?

      Junior
    • Explain the API Gateway authentication pattern and its benefits.

      Mid
    • What is the role of authentication and authorization middleware, and why is their order important?

      Mid
    • Can you describe the process of authentication and authorization in Web APIs?

      Mid
    • Explain the HTTP authentication schemes — Basic, Digest, and Bearer — and how the Authorization header is used with each.

      Mid
    • What is the purpose of the WWW-Authenticate header and the 401 challenge in HTTP authentication?

      Mid
    • Discuss common patterns for service-to-service authentication in a microservices architecture, such as mTLS and signed service tokens.

      Senior
    • How do you implement authorization checks with JWT claims, especially in a microservices architecture?

      Senior
    • How does certificate-based (mutual TLS) authentication work as an identity mechanism?

      Senior
    • Should authorization be enforced at the API gateway or inside each service? Discuss the trade-offs.

      Senior
    • How is a token propagated across services in a microservices call chain, and what are the risks?

      Senior

    Zero Trust Architecture

    • What is Zero Trust Architecture? Explain its core principles, such as 'never trust, always verify' and continuous verification.

      Mid
    • How does Zero Trust differ from traditional perimeter-based security?

      Mid
    • How is identity important in Zero Trust Architecture?

      Mid
    • Explain the role of micro-segmentation in a Zero Trust model.

      Senior

    Authorization Vulnerabilities

    • What is Broken Authentication and what are common vulnerabilities that lead to it?

      Mid
    • What is Broken Access Control? Why is it considered one of the most critical OWASP vulnerabilities?

      Mid
    • Explain horizontal vs. vertical privilege escalation.

      Mid
    • What is broken object-level authorization (BOLA) or Insecure Direct Object References (IDOR), and how do you prevent them?

      Senior

    Authentication Attacks & Defenses

    • What is the difference between a brute-force attack and a dictionary attack, and what are common prevention methods for each?

      Junior
    • What are replay attacks in the context of authentication, and how can they be prevented (jti claim, short-lived tokens)?

      Mid
    • What is token theft (e.g., via XSS) and how can it be mitigated, especially when using JWTs?

      Mid
    • What is credential stuffing, and how does it differ from password spraying? How do you defend against each?

      Mid
    • What defenses against brute-force login attempts do you know — rate limiting, account lockout, CAPTCHA — and their trade-offs?

      Mid
    • What is account (username) enumeration, and how do timing and error-message differences leak it?

      Mid
    • How do you design a secure password-reset and account-recovery flow?

      Senior
    • What is an open-redirect vulnerability via the redirect_uri in OAuth, and how do you prevent it?

      Senior

    Jwt Attacks

    • How does a weak signing secret enable a JWT attack, and how do you protect against it?

      Mid
    • Explain JWT-specific attacks such as 'alg:none' bypass and algorithm confusion (RS256 to HS256 downgrade). How are they mitigated?

      Senior