Authentication Systems Comprehensive Quiz & Projects

30 questions on Authentication Systems Tutorial.

Question 1: Why should developers use slow hashing algorithms (like bcrypt or Argon2) instead of fast hashes (like SHA-256) for storing passwords?

A. Slow hashes decrease the database size significantly.
B. Fast hashes are insecure and easy to decrypt mathematically.
C. Slow hashes increase computation time, making brute-force and dictionary attacks computationally expensive for attackers. — (correct answer)
D. Fast hashes do not support salt strings.

Explanation: bcrypt and Argon2 introduce deliberate computational delay (work factor), slowing down offline brute-force attacks on leaked databases.

Question 2: What is the purpose of the third part (Signature) of a JSON Web Token (JWT)?

A. To compress the token payload to fit in HTTP headers.
B. To cryptographically verify that the sender is who they claim to be and that the payload has not been tampered with. — (correct answer)
C. To encrypt the payload so users cannot read its contents.
D. To store the user's password securely on the client.

Explanation: The signature is created by hashing the header, payload, and a server-side secret key. It guarantees authenticity and integrity.

Question 3: Which OAuth 2.0 grant type is recommended for single-page web applications (SPAs) to maximize security?

A. Implicit Grant
B. Client Credentials Grant
C. Authorization Code Grant with PKCE (Proof Key for Code Exchange) — (correct answer)
D. Resource Owner Password Credentials Grant

Explanation: Auth Code with PKCE prevents authorization code interception attacks on public clients where client secrets cannot be securely stored.

Question 4: How does setting the HttpOnly flag on a session cookie protect users?

A. It prevents the cookie from being sent over unencrypted HTTP requests.
B. It instructs the browser to delete the cookie when the browser closes.
C. It blocks client-side scripts (JavaScript) from reading the cookie, mitigating token theft via Cross-Site Scripting (XSS). — (correct answer)
D. It prevents the cookie from being sent to third-party domains.

Explanation: HttpOnly stops JavaScript's document.cookie from accessing the cookie, protecting it from malicious XSS injection scripts.

Question 5: What security vulnerability does a Cross-Site Request Forgery (CSRF) token prevent?

A. Attackers injecting scripts into input fields to steal credentials.
B. Attackers tricking an authenticated user's browser into executing unwanted state-changing actions on a trusted site. — (correct answer)
C. Attackers executing SQL statements in database queries.
D. Attackers intercepting plain-text passwords over a public network.

Explanation: CSRF tokens ensure that request state changes are explicitly authorized by the user from the legitimate site frontend.

Question 6: What is the difference between Authentication and Authorization?

A. Authentication is verifying who you are, while Authorization is verifying what you have permission to do. — (correct answer)
B. Authentication is done in database tables, while Authorization runs in Javascript files.
C. Authentication is free, while Authorization requires subscriptions.
D. There is no difference; they are identical.

Explanation: AuthN checks credentials (login), while AuthZ checks permissions (RBAC/ACL).

Question 7: What is a 'Salt' in password hashing?

A. A code sequence that encrypts the database ports.
B. A unique, random string appended to a password before hashing, ensuring identical passwords yield different hash strings. — (correct answer)
C. A tool that deletes inactive accounts.
D. A compression algorithm for saving storage.

Explanation: Salting prevents attackers from using precomputed tables (rainbow tables) to reverse hashes.

Question 8: How does Multi-Factor Authentication (MFA) utilize TOTP (Time-based One-Time Password)?

A. By sending a static email passcode every 24 hours.
B. By hashing a shared secret key and the current Unix time step using HMAC-SHA1 to yield a dynamic 6-digit code. — (correct answer)
C. By monitoring the user's keystroke speed.
D. By validating the client's browser cookies.

Explanation: TOTP generates codes that change every 30 seconds, synced between client apps and servers.

Question 9: Which HTTP header holds bearer tokens during REST API authorization calls?

A. Authentication
B. Authorization — (correct answer)
C. Proxy-Authenticate
D. Token-Header

Explanation: Standard bearer auth uses the format 'Authorization: Bearer <token>' in request headers.

Question 10: What is the main security risk of the OAuth 2.0 Implicit Grant?

A. It is too slow for mobile apps.
B. It returns the access token directly in the redirect URL fragment, exposing it to browser logs and client scripts. — (correct answer)
C. It does not support SSL connections.
D. It requires manual admin approval on every request.

Explanation: Implicit grant is deprecated due to token leakage risks; Auth Code with PKCE succeeds it.

Question 11: What is the role of a Refresh Token in token-based authentication?

A. It updates the database index schemas.
B. It is a long-lived token used to request new short-lived access tokens without requiring the user to re-enter credentials. — (correct answer)
C. It clears browser history dynamically.
D. It encrypts the user's password.

Explanation: Refresh tokens minimize access token lifespans, lowering exposure risks on networks.

Question 12: How does the SameSite=Strict cookie attribute protect users?

A. It prevents cookies from being read by client scripts.
B. It stops the browser from sending cookies in any cross-site request, completely mitigating CSRF attacks. — (correct answer)
C. It restricts cookies to HTTPS connections.
D. It deletes cookies when browsers close.

Explanation: Strict ensures cookies are sent only when navigating within the original domain.

Question 13: What security metric does the 'work factor' or 'cost' adjust in bcrypt?

A. The number of database rows allowed.
B. The number of hashing iterations, scaling computation difficulty to match future hardware speeds. — (correct answer)
C. The length of the salt string.
D. The expiration time of session tokens.

Explanation: Adjusting the cost keeps the algorithm secure against faster computing hardware.

Question 14: What is the difference between symmetric and asymmetric token verification in JWTs?

A. Symmetric uses a shared secret key (HMAC), while Asymmetric uses public-private key pairs (RS256) where third parties verify using public keys. — (correct answer)
B. Symmetric is only used for admin accounts.
C. Asymmetric is faster and requires less memory.
D. Symmetric does not support expiration claims.

Explanation: RS256 is ideal for microservices where only the auth server has the private key to sign.

Question 15: Which hashing algorithm is currently considered deprecated and insecure for storing passwords?

A. Argon2id
B. MD5 — (correct answer)
C. bcrypt
D. PBKDF2

Explanation: MD5 is extremely fast and has collision flaws, allowing instant reverse lookups.

Question 16: What does the 'exp' claim in a JWT represent?

A. The execution path of the API.
B. The expiration timestamp of the token, after which it must be rejected. — (correct answer)
C. The experience level of the authenticated user.
D. The export format of the payload.

Explanation: JWT libraries parse 'exp' claims, throwing validation errors if the current time exceeds it.

Question 17: What is a 'Replay Attack' in authentication, and how is it mitigated?

A. Attackers repeating login requests; mitigated using rate limits.
B. Intercepting a valid session token and re-sending it to gain access; mitigated using short token lifespans, SSL/TLS, and nonces. — (correct answer)
C. Hacking the database schema.
D. Generating random tokens to brute force passwords.

Explanation: Encryption prevents sniffing; short lifespans limit the window of utility for leaked tokens.

Question 18: What is a 'Password Manager'?

A. A tool that deletes inactive passwords.
B. An application that securely stores, generates, and encrypts passwords locally or in cloud vaults. — (correct answer)
C. A database administrator.
D. A firewall service.

Explanation: Password managers promote unique, high-entropy passwords across web services.

Question 19: What does the 'Secure' attribute on a cookie guarantee?

A. The cookie is encrypted using AES-256.
B. The browser will only transmit the cookie over encrypted (HTTPS) connections. — (correct answer)
C. The cookie is accessible only to administrative accounts.
D. The cookie will expire in 24 hours.

Explanation: Secure blocks transmission of cookies over unencrypted HTTP, mitigating sniffing attacks.

Question 20: In OAuth 2.0, what is the role of the 'State' parameter?

A. Storing the user's location state.
B. Preventing Cross-Site Request Forgery (CSRF) by validating that the response state matches the request token state. — (correct answer)
C. Compacting token payloads.
D. Routing requests to target databases.

Explanation: The state parameter binds the client session to the auth flow request state.

Question 21: Which OAuth 2.0 grant type is used for server-to-server machine communication without a user?

A. Implicit Grant
B. Client Credentials Grant — (correct answer)
C. Authorization Code Grant
D. Resource Owner Password Grant

Explanation: Client Credentials grants access to microservices or scripts using app identifiers directly.

Question 22: What is single sign-on (SSO)?

A. Logging into a system using a single character password.
B. An authentication scheme that allows a user to log in with a single ID to any of several independent software systems. — (correct answer)
C. A database with a single user account.
D. A firewall configuration that permits only one connection.

Explanation: SSO uses central identity systems (e.g. SAML, OpenID Connect) to authenticate across apps.

Question 23: What is the purpose of OpenID Connect (OIDC)?

A. An open-source database wrapper.
B. An identity layer built on top of the OAuth 2.0 framework, allowing clients to verify the identity of end-users using ID Tokens. — (correct answer)
C. An encryption tool for media streams.
D. A routing protocol for DNS.

Explanation: OAuth 2.0 handles authorization (delegation); OIDC adds authentication (identity tokens).

Question 24: How does rate limiting protect a login endpoint from brute-force attacks?

A. By deleting the account after three failed attempts.
B. By limiting the number of requests an IP address or username can make within a specified timeframe (e.g., 5 requests per minute). — (correct answer)
C. By converting the login page to read-only.
D. By encrypting the login database tables.

Explanation: Rate limits restrict the speed of brute-force attempts, making password cracking impractical.

Question 25: What is a 'Federated Identity'?

A. A database schema that links tables together.
B. A portable identity model where a user's single identity is shared across multiple security domains (e.g. Log in with Google/GitHub). — (correct answer)
C. A secure authentication hardware device.
D. An internal network user group.

Explanation: Federation decouples authentication, delegating identity verification to trusted third parties.

Question 26: What is a 'Brute Force Attack'?

A. A SQL injection attack on database ports.
B. An attacker attempting to guess passwords or keys by trial and error using automated tools. — (correct answer)
C. A network physical cable hack.
D. An exploit of buffer overflows.

Explanation: Brute-force attacks cycle through combinations until they find matching credentials.

Question 27: What does standard Session Hijacking involve?

A. A SQL command replacing database variables.
B. An attacker stealing a user's session identifier (cookie/token) to impersonate the user. — (correct answer)
C. Deleting the application settings file.
D. Disabling the server firewall.

Explanation: If a session ID is stolen, attackers access the account without entering password details.

Question 28: What mathematical concept makes Argon2 highly resistant to GPU-based cracking attacks?

A. Modular exponentiation algorithms.
B. Being a memory-hard function that requires configurable amounts of RAM to calculate, restricting GPU parallel cracking speeds. — (correct answer)
C. Using double encryption cycles.
D. Cryptographic signatures.

Explanation: GPUs excel at parallel execution but have limited RAM per thread, making memory-hard functions slow to attack.

Question 29: How does a CAPTCHA protect registration endpoints from bots?

A. By encrypting input strings.
B. By requiring users to solve cognitive challenges that are difficult for automated scripts but easy for humans. — (correct answer)
C. By validating email formatting structures.
D. By checking IP geolocations.

Explanation: CAPTCHAs filter out automated scripts, protecting signup endpoints from mass creation.

Question 30: What is a 'JWT' (JSON Web Token)?

A. An open-source database engine.
B. A compact, URL-safe means of representing claims to be transferred between two parties, cryptographically signed. — (correct answer)
C. A python template engine.
D. A server operating system.

Explanation: JWTs hold self-contained payloads, widely used for stateless authentication in REST APIs.

Home
Authentication Systems Tutorial
Authentication Systems Comprehensive Quiz & Projects

Authentication Systems Comprehensive Quiz & Projects

Test your knowledge with interactive questions.

Ready to test your skills?

You are about to start a comprehensive quiz containing questions covering Authentication Systems Tutorial. You have 30 minutes to complete it.

Discussion (0)

Comments are reviewed before appearing.

No comments yet — be the first!

Featured

Browse All 21+ Subject Areas

Popular Topics

More Topics

Quick Links

Featured

Visual Algorithm Labs

Sorting Algorithms

Data Structures

Featured

Frontend Dev

Career Paths

Skill Tracks

Featured

The Future of Web Architecture in 2026

Categories

Community

Practice Quizzes

Authentication Systems Comprehensive Quiz & Projects

Ready to test your skills?

Correct!

Incorrect

Explanation

Quiz Navigator /

Current Score

Discussion (0)

Send Feedback / Bug

Feedback Submitted!