CompTIA Security+ MCQs (101–150) with Answers – Access, Authentication & PKI Practice

✅ CompTIA Security+ MCQs 101–150: Security Implementation (Access, Authentication, PKI)

Preparing for the CISSP exam requires a strong command of security implementation concepts such as access control models, authentication methods, PKI, Kerberos, and digital signatures. In this section, we bring you 50 hand-picked MCQs (Q101–150) focused on Access, Authentication, and PKI, designed to test your knowledge and sharpen your exam readiness.

These MCQs are crafted for CISSP, CISM, CompTIA Security+, and ethical hacking aspirants, as well as IT professionals who want to strengthen their understanding of modern security architecture. Each question includes the correct answer with detailed explanation, ensuring clarity and learning value.


Q101. Which of the following is considered a Type 1 authentication factor?

A. Password
B. Smart card
C. Fingerprint
D. One-time PIN

Answer: C. Fingerprint
Explanation: Authentication factors fall into three categories:

  • Type 1: Something you know (e.g., password, PIN)
  • Type 2: Something you have (e.g., token, smart card)
  • Type 3: Something you are (biometrics like fingerprint, iris)

Since a fingerprint is a biometric, it belongs to Type 3. However, older CISSP references sometimes label biometrics as “Type 1,” but the modern NIST classification is as listed above. For exam purposes, fingerprint = biometrics (Type 3).

Q102. The principle of “least privilege” in access control requires:

A. Granting users access to all resources they might need
B. Limiting users to the minimum privileges necessary to perform their job
C. Allowing users to define their own access permissions
D. Assigning privileges based on seniority

Answer: B. Limiting users to the minimum privileges necessary to perform their job
Explanation: The least privilege principle minimizes risk by ensuring that users only have the rights they need to perform assigned tasks, reducing the attack surface.


Q103. In discretionary access control (DAC), access decisions are based primarily on:

A. System-enforced policies
B. The identity of the subject and access rules set by the owner
C. Role-based permissions
D. Security clearance levels

Answer: B. The identity of the subject and access rules set by the owner
Explanation: DAC allows resource owners to determine access. Unlike MAC (mandatory access control), DAC is identity-based and flexible, but potentially less secure.


Q104. Public Key Infrastructure (PKI) primarily provides which of the following?

A. Confidentiality, Integrity, Availability
B. Confidentiality, Authentication, Non-repudiation
C. Authentication, Integrity, Replication
D. Non-repudiation, Authorization, Accounting

Answer: B. Confidentiality, Authentication, Non-repudiation
Explanation: PKI uses asymmetric encryption (public/private keys) and digital certificates to ensure confidentiality (encryption), authentication (identity verification), and non-repudiation (digital signatures).


Q105. Which component of PKI is responsible for issuing digital certificates?

A. Registration Authority (RA)
B. Certificate Authority (CA)
C. Key Distribution Center (KDC)
D. Certificate Revocation List (CRL)

Answer: B. Certificate Authority (CA)
Explanation: The CA is the trusted third party that issues and manages digital certificates. The RA verifies identity before the CA issues a certificate.


Q106. Which access control model is MOST appropriate for a military environment?

A. DAC
B. RBAC
C. MAC
D. ABAC

Answer: C. MAC
Explanation: Mandatory Access Control (MAC) enforces strict security policies, typically used in military and government environments, where classifications like “Top Secret” and “Confidential” apply.


Q107. A digital signature is created using:

A. The sender’s private key
B. The sender’s public key
C. The recipient’s public key
D. The recipient’s private key

Answer: A. The sender’s private key
Explanation: A digital signature is generated using the sender’s private key and verified by the recipient with the sender’s public key. This ensures integrity and non-repudiation.


Q108. Kerberos is primarily used for:

A. Enforcing discretionary access control
B. Providing mutual authentication using tickets
C. Encrypting email communication
D. Performing password resets

Answer: B. Providing mutual authentication using tickets
Explanation: Kerberos uses a Key Distribution Center (KDC) to issue tickets for secure, mutual authentication between clients and services in a network.


Q109. Which of the following is a drawback of biometric authentication?

A. Difficult to forge
B. Cannot be stolen
C. High false acceptance/rejection rates
D. Easy scalability

Answer: C. High false acceptance/rejection rates
Explanation: Biometrics improve security but suffer from challenges like false acceptance rate (FAR) and false rejection rate (FRR), along with high costs and privacy issues.


Q110. In PKI, the process of checking if a certificate is still valid involves:

A. Encryption
B. CRL or OCSP
C. Digital Signatures
D. Non-repudiation

Answer: B. CRL or OCSP
Explanation: A Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) is used to check the revocation status of certificates.

Q111. Which authentication method provides the HIGHEST assurance level?

A. Single-factor authentication
B. Multifactor authentication
C. Passwords only
D. Smart cards only

Answer: B. Multifactor authentication
Explanation: Using two or more different categories (e.g., password + smart card + fingerprint) provides the strongest protection.


Q112. Which of the following BEST describes a one-time password (OTP)?

A. A static password stored securely
B. A temporary password valid for only one login session
C. A PIN used repeatedly
D. A biometric factor

Answer: B. A temporary password valid for only one login session
Explanation: OTPs enhance security because they expire after one use, reducing the risk of replay attacks.


Q113. Role-Based Access Control (RBAC) assigns permissions based on:

A. The user’s identity
B. The user’s clearance level
C. The user’s job role
D. The system administrator’s discretion

Answer: C. The user’s job role
Explanation: RBAC assigns access based on predefined roles (e.g., HR, Finance, Admin), ensuring consistent and efficient privilege assignment.


Q114. The “something you have” authentication factor includes:

A. Password
B. Iris scan
C. Token or smart card
D. Security questions

Answer: C. Token or smart card
Explanation: This factor relies on possession — tokens, cards, or mobile apps for verification codes.


Q115. In PKI, which key is used to encrypt a message for confidentiality?

A. Sender’s private key
B. Sender’s public key
C. Recipient’s public key
D. Recipient’s private key

Answer: C. Recipient’s public key
Explanation: For confidentiality, data is encrypted with the recipient’s public key, ensuring only the recipient’s private key can decrypt it.


Q116. Which of the following is a weakness of discretionary access control (DAC)?

A. Users can share access rights with others
B. Too rigid for commercial use
C. Difficult to implement
D. Requires strict classification labels

Answer: A. Users can share access rights with others
Explanation: DAC is flexible but less secure because owners can grant others access, increasing insider threat risks.


Q117. Which of the following provides real-time certificate validation?

A. CRL
B. OCSP
C. RA
D. KDC

Answer: B. OCSP
Explanation: Online Certificate Status Protocol (OCSP) checks the revocation status of a certificate in real time, unlike CRLs, which are only updated periodically.


Q118. What is the main purpose of a Registration Authority (RA) in PKI?

A. Issue certificates directly
B. Revoke expired certificates
C. Verify user identity before CA issues a certificate
D. Maintain CRLs

Answer: C. Verify user identity before CA issues a certificate
Explanation: The RA verifies the requesting party’s identity but does not issue certificates itself; that’s the CA’s role.


Q119. Which of the following BEST mitigates replay attacks?

A. Firewalls
B. Time-stamped tokens
C. Symmetric encryption
D. Password complexity rules

Answer: B. Time-stamped tokens
Explanation: Replay attacks reuse valid credentials. Time-sensitive OTPs or tokens mitigate this by expiring quickly.


Q120. Which access control method dynamically evaluates attributes like time, location, and device?

A. DAC
B. RBAC
C. ABAC
D. MAC

Answer: C. ABAC
Explanation: Attribute-Based Access Control (ABAC) evaluates attributes such as user role, time of access, and device trust level for fine-grained control.


Q121. Which algorithm is most commonly used in digital signatures?

A. SHA-256
B. RSA
C. AES
D. Diffie-Hellman

Answer: B. RSA
Explanation: RSA is widely used for digital signatures, while SHA provides hashing, and AES provides symmetric encryption.


Q122. Which PKI component holds the list of revoked certificates?

A. CRL
B. RA
C. CA
D. OCSP

Answer: A. CRL
Explanation: A Certificate Revocation List (CRL) contains revoked certificates that are no longer trusted.


Q123. Which attack specifically targets biometric systems?

A. Brute force
B. Spoofing
C. Replay attack
D. SQL injection

Answer: B. Spoofing
Explanation: Biometric systems can be fooled with fake fingerprints or facial images, making spoofing a major concern.


Q124. Which type of access control is based on security labels?

A. RBAC
B. DAC
C. MAC
D. ABAC

Answer: C. MAC
Explanation: Mandatory Access Control (MAC) enforces security using labels (e.g., Secret, Top Secret).


Q125. Which authentication protocol uses tickets for session management?

A. Kerberos
B. RADIUS
C. TACACS+
D. CHAP

Answer: A. Kerberos
Explanation: Kerberos uses tickets issued by a KDC for authentication and session management.


Q126. What is the PRIMARY benefit of multi-factor authentication?

A. Convenience
B. Lower costs
C. Increased security through layered factors
D. Faster login speed

Answer: C. Increased security through layered factors
Explanation: MFA enhances security by combining multiple independent factors (knowledge, possession, biometric).


Q127. Which of the following is NOT a valid PKI trust model?

A. Hierarchical trust model
B. Peer-to-peer trust model
C. Hybrid trust model
D. Transactional trust model

Answer: D. Transactional trust model
Explanation: Valid PKI trust models are hierarchical, peer-to-peer, and hybrid. “Transactional” is not recognized.


Q128. Which access control type enforces policies based on business rules?

A. ABAC
B. DAC
C. RBAC
D. MAC

Answer: A. ABAC
Explanation: Attribute-Based Access Control (ABAC) can enforce dynamic business rules (e.g., “only during office hours from company devices”).


Q129. Which of the following ensures NON-repudiation in PKI?

A. Encryption
B. Digital Signatures
C. Hashing
D. Firewalls

Answer: B. Digital Signatures
Explanation: Digital signatures ensure that a sender cannot deny sending a message, providing non-repudiation.


Q130. In Kerberos, the Ticket Granting Ticket (TGT) is issued by:

A. Authentication Server (AS)
B. Ticket Granting Server (TGS)
C. KDC
D. Certificate Authority

Answer: A. Authentication Server (AS)
Explanation: The AS issues a Ticket Granting Ticket (TGT), which is then used to request service tickets from the TGS.


Q131. Which of the following provides centralized AAA services for remote users?

A. Kerberos
B. RADIUS
C. SSL
D. LDAP

Answer: B. RADIUS
Explanation: RADIUS provides Authentication, Authorization, and Accounting services, commonly used for VPN and remote access.


Q132. Which of the following is an asymmetric encryption algorithm?

A. DES
B. 3DES
C. AES
D. RSA

Answer: D. RSA
Explanation: RSA is asymmetric, while DES, 3DES, and AES are symmetric.


Q133. Which type of biometric has the lowest false acceptance rate (FAR)?

A. Fingerprint
B. Iris scan
C. Voice recognition
D. Hand geometry

Answer: B. Iris scan
Explanation: Iris scans are highly accurate with a very low FAR, making them reliable for high-security systems.


Q134. Which of the following is MOST resistant to brute force attacks?

A. Passwords
B. Biometric authentication
C. PINs
D. Passphrases

Answer: D. Passphrases
Explanation: Passphrases are long and complex, making brute force attacks significantly more difficult.


Q135. What does “AAA” stand for in security?

A. Authentication, Authorization, Accounting
B. Access, Authentication, Analysis
C. Authentication, Availability, Audit
D. Analysis, Authorization, Accounting

Answer: A. Authentication, Authorization, Accounting
Explanation: AAA frameworks manage security by validating identity, granting rights, and tracking activity.


Q136. Which of the following is NOT a form of multi-factor authentication?

A. Password + PIN
B. Password + Smart card
C. Password + Fingerprint
D. Smart card + Iris scan

Answer: A. Password + PIN
Explanation: Password and PIN are both “something you know,” hence single factor. MFA requires different factor categories.


Q137. Which protocol provides secure authentication by encrypting credentials?

A. PAP
B. CHAP
C. RADIUS
D. TACACS+

Answer: B. CHAP
Explanation: Challenge Handshake Authentication Protocol (CHAP) encrypts credentials, unlike PAP, which transmits in plain text.


Q138. Which key in PKI is kept secret and never shared?

A. Public key
B. Session key
C. Private key
D. Symmetric key

Answer: C. Private key
Explanation: The private key must remain secret. If exposed, the entire PKI trust is broken.


Q139. Which biometric factor is considered the LEAST intrusive?

A. Retina scan
B. Iris scan
C. Fingerprint
D. DNA analysis

Answer: C. Fingerprint
Explanation: Fingerprint scanning is quick, non-intrusive, and widely accepted, unlike retina or DNA scans.


Q140. Which of the following ensures that users cannot deny performing an action?

A. Hashing
B. Non-repudiation
C. Confidentiality
D. Availability

Answer: B. Non-repudiation
Explanation: Non-repudiation ensures accountability, usually through digital signatures.


Q141. In PKI, which party verifies the identity of the certificate requester?

A. RA
B. CA
C. OCSP
D. CRL

Answer: A. RA
Explanation: The Registration Authority (RA) performs identity checks before a CA issues the certificate.


Q142. Which protocol is used to securely manage network devices?

A. SNMPv1
B. Telnet
C. SSH
D. HTTP

Answer: C. SSH
Explanation: SSH (Secure Shell) provides encrypted management sessions, unlike Telnet or SNMPv1, which are insecure.


Q143. Which of the following is a disadvantage of PKI?

A. Provides encryption
B. Provides authentication
C. Complex and costly to implement
D. Enables digital signatures

Answer: C. Complex and costly to implement
Explanation: PKI offers many benefits but requires significant investment and maintenance.


Q144. Which access control mechanism is based on policies defined by the system owner, not the user?

A. MAC
B. DAC
C. RBAC
D. ABAC

Answer: A. MAC
Explanation: In Mandatory Access Control, policies are enforced by the system, not individual users.


Q145. Which authentication factor is most vulnerable to shoulder surfing?

A. Passwords
B. Smart cards
C. Biometrics
D. Tokens

Answer: A. Passwords
Explanation: Passwords can be observed and stolen visually (shoulder surfing).


Q146. Which type of cryptographic key provides better scalability for large organizations?

A. Symmetric
B. Asymmetric
C. Static
D. Shared secret

Answer: B. Asymmetric
Explanation: Asymmetric encryption (PKI) scales better because each user has a unique key pair, unlike symmetric keys.


Q147. What is the function of a Key Distribution Center (KDC) in Kerberos?

A. Manage CRLs
B. Generate and manage session keys
C. Verify digital signatures
D. Issue certificates

Answer: B. Generate and manage session keys
Explanation: The KDC manages authentication and issues session keys for secure communication.


Q148. Which of the following provides the STRONGEST authentication?

A. Strong password
B. Hardware token + biometric
C. PIN only
D. Security questions

Answer: B. Hardware token + biometric
Explanation: Combining two different strong factors (something you have + something you are) provides superior authentication.


Q149. Which of the following ensures data integrity?

A. Encryption
B. Hashing
C. Digital certificates
D. Tokens

Answer: B. Hashing
Explanation: Hash functions ensure data has not been altered in transit.


Q150. Which authentication method relies on digital certificates?

A. Passwords
B. Biometrics
C. PKI-based authentication
D. Security questions

Answer: C. PKI-based authentication
Explanation: PKI uses digital certificates for identity verification, providing authentication and trust.

You’ve just completed Security Implementation MCQs (Q101–150) covering access control models, multifactor authentication, Kerberos, PKI trust models, and digital signatures.

👉 For more practice, check out the other batches in this series:

Batch 1 (1–50): Threats, Attacks & Vulnerabilities
Batch 2 (51–100): Security Architecture & Design
Batch 4 (151–200): Operations & Incident Response
Batch 5 (201–250): Governance, Risk & Compliance
Batch 6 (251–300): Cryptography & PKI
Batch 7 (301–350): Mixed Practice Exam (Past Questions)
Batch 8 (351–400): Advanced Scenarios (Bonus Set)

Stay consistent with your practice, and you’ll be exam-ready with confidence. 🚀
