Security Engineering

Authentication & Identity

9 practice questions. Free questions open a full answer guide; the rest unlock with Pro.

  • Why is SMS or TOTP-based MFA considered weaker than passkeys, and what makes an authentication factor phishing-resistant? Mid level
  • When your service accepts a JWT as proof of identity, what does correct validation look like, and what are the classic mistakes that let an attacker forge or replay one?Go Pro Mid level
  • What's the difference between session-based authentication and token-based (JWT) authentication, and how do you keep the credential safe in the user's browser either way?Go Pro Junior level
  • What is the difference between authentication and authorization, and where do OAuth 2.0 and OpenID Connect fit?Go Pro Junior level
  • What is multi-factor authentication, and why are some MFA methods considered stronger than others?Go Pro Junior level
  • Bearer tokens can be stolen and replayed. How do you make an OAuth access token useless to an attacker who exfiltrates it, and what are the trade-offs of the options?Go Pro Senior level
  • What's the difference between OAuth 2.0 and OpenID Connect, and when would you reach for each?Go Pro Mid level
  • Why are static, long-lived credentials in CI and across services considered an anti-pattern, and how do you replace them with short-lived workload identity?Go Pro Senior level
  • Your company has MFA on everything but is still seeing account takeovers. How do you reason about why MFA is being bypassed and what you'd move the organization toward?Go Pro Senior level
Want questions matched to your role? Paste a job title, job description, or CV for a personalized set, or go Pro to unlock the full bank.