Multiple checks: valid card, active account, sufficient level | Enterprise security architecture
Visual Security Feedback | LEDs indicate system state | Security cameras, alarm panels
Escalating Lockouts | Longer lockouts for repeated failures | Google account protection
Knowledge check (difficulty: hard, topic: oauth-tokens)
Question: A smart building system uses OAuth 2.0 for the mobile app and RFID for physical doors. An employee's phone receives an access token valid for 1 hour. If the employee is terminated at 10:30 AM and their token was issued at 10:00 AM, what is the security gap?
- No gap - OAuth tokens are revoked immediately when an employee is terminated
  Feedback: Incorrect. Standard OAuth tokens are 'bearer tokens' - whoever has them can use them until expiration. Immediate revocation requires token introspection or short token lifetimes, which many systems do not implement.
- The employee can use the token until 11:00 AM unless token revocation is implemented
  Feedback: Correct! This is the 'token lifetime gap'. Unless the authorization server implements token revocation (RFC 7009) and the resource server checks revocation status, the token remains valid until expiration. This is why short token lifetimes and refresh token rotation are important.
- The building system will automatically sync with HR and disable the token
  Feedback: Incorrect. Automatic HR sync is a nice-to-have but not standard OAuth behavior. The token is cryptographically valid until expiration. Real-time revocation requires explicit implementation.
- OAuth tokens cannot be used for IoT systems so this scenario is invalid
  Feedback: Incorrect. OAuth 2.0 Device Authorization Grant (RFC 8628) is specifically designed for IoT and devices with limited input capabilities. OAuth is widely used in smart building systems.
1387.2 Challenge Exercises
Challenge 1: Add Time-Based Access Control
Modify the system so certain zones are only accessible during “business hours” (simulate with a time window). Requirements:
- Server Room: Only accessible 9 AM - 5 PM
- After hours, even admins need a special override code
- Log all after-hours access attempts
Challenge 2: Implement Two-Person Rule
For high-security zones (Control Center), require two different admin cards within 30 seconds:
1. First admin presents card
2. System prompts “Waiting for second administrator…”
3. Second admin presents different card within time limit
4. Both must be admin level
5. If timeout or same card, deny access
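One possible shape for the two-person sequence above, written as a small state machine. This is an added example, not code from the original lab; `TwoPersonGate`, `present`, `GateResult`, `ACCESS_USER` and `ACCESS_ADMIN` are hypothetical names, and the card UIDs are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical names throughout; only ACCESS_VISITOR appears on the page.
enum AccessLevel { ACCESS_VISITOR, ACCESS_USER, ACCESS_ADMIN };
enum GateResult { WAITING_FOR_SECOND, GRANTED, DENIED_NOT_ADMIN,
                  DENIED_SAME_CARD, DENIED_TIMEOUT };

class TwoPersonGate {
    static constexpr uint32_t WINDOW_MS = 30000;  // 30-second limit from the challenge
    bool pending_ = false;       // true while waiting for the second administrator
    std::string firstUid_;       // card that opened the sequence
    uint32_t firstSeenMs_ = 0;   // when that card was presented

public:
    // Call once per card read. nowMs is a monotonic millisecond clock
    // (for example Arduino millis()); every denial resets the sequence.
    GateResult present(const std::string& uid, AccessLevel level, uint32_t nowMs) {
        if (level != ACCESS_ADMIN) {              // both cards must be admin level
            pending_ = false;
            return DENIED_NOT_ADMIN;
        }
        if (!pending_) {                          // step 1: first administrator
            pending_ = true;
            firstUid_ = uid;
            firstSeenMs_ = nowMs;
            return WAITING_FOR_SECOND;
        }
        pending_ = false;                         // a second read always ends the sequence
        // Unsigned subtraction stays correct when the 32-bit clock wraps.
        if (nowMs - firstSeenMs_ > WINDOW_MS) return DENIED_TIMEOUT;
        if (uid == firstUid_) return DENIED_SAME_CARD;
        return GRANTED;                           // two distinct admins inside the window
    }
};

int main() {
    TwoPersonGate gate;
    gate.present("04A1B2", ACCESS_ADMIN, 1000);                 // constructed UIDs
    GateResult r = gate.present("04C3D4", ACCESS_ADMIN, 9000);
    std::printf("second admin after 8 s: %s\n", r == GRANTED ? "GRANTED" : "DENIED");
    return 0;
}
```

The timeout is evaluated lazily on the next card read, so a display showing the “Waiting for second administrator…” prompt needs its own timer to clear the message.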
Challenge 3: Add Temporary Access Passes
Implement visitor passes with expiration:
- Create a new ACCESS_VISITOR level
- Visitor cards expire after a set time (e.g., 8 hours from first use)
- Track first-use timestamp per card
- Automatically disable expired passes
Challenge 4: Implement Anti-Passback
Prevent “tailgating” by tracking entry/exit:
- Users must exit a zone before re-entering
- If card used for entry without previous exit, deny access
- Track current zone for each user
- Alert on anti-passback violations
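A sketch of the entry/exit tracking these requirements describe, as an added example that is not part of the original lab code. `AntiPassback`, `swipe`, `zoneOf` and `ZONE_OUTSIDE` are hypothetical names, the card UID is constructed, and zones are assumed to be flat (not nested) with separate entry and exit readers.

```cpp
#include <cstdio>
#include <map>
#include <string>

// Hypothetical names; zones are assumed flat (not nested) and numbered from 1.
enum Direction { ENTRY, EXIT };
enum ApbResult { APB_OK, APB_VIOLATION };
const int ZONE_OUTSIDE = 0;   // holder is not recorded inside any zone

class AntiPassback {
    std::map<std::string, int> currentZone_;   // card UID -> zone the holder is in
    int violations_ = 0;

public:
    int zoneOf(const std::string& uid) const {
        auto it = currentZone_.find(uid);
        return it == currentZone_.end() ? ZONE_OUTSIDE : it->second;
    }
    int violations() const { return violations_; }

    // Call for every read at an entry or exit reader of `zone`.
    ApbResult swipe(const std::string& uid, int zone, Direction dir) {
        int here = zoneOf(uid);
        // Entry is valid only from outside; exit only from the zone being left.
        bool ok = (dir == ENTRY) ? (here == ZONE_OUTSIDE) : (here == zone);
        if (!ok) {
            ++violations_;
            std::fprintf(stderr, "ALERT anti-passback: card=%s zone=%d dir=%s recorded_zone=%d\n",
                         uid.c_str(), zone, dir == ENTRY ? "entry" : "exit", here);
            return APB_VIOLATION;               // recorded state is left unchanged
        }
        currentZone_[uid] = (dir == ENTRY) ? zone : ZONE_OUTSIDE;
        return APB_OK;
    }
};

int main() {
    AntiPassback apb;
    apb.swipe("04A1B2", 2, ENTRY);                          // constructed UID
    ApbResult r = apb.swipe("04A1B2", 2, ENTRY);            // second entry, no exit between
    std::printf("second entry without exit: %s\n", r == APB_OK ? "allowed" : "denied");
    return 0;
}
```

An exit read from a card with no recorded entry is also flagged, since it means the holder got into the zone without badging.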
Knowledge check (difficulty: easy, topic: multi-factor-authentication)
Question: A data center requires: (1) RFID badge scan, (2) fingerprint verification, and (3) PIN entry. An attacker steals an employee's badge. What can they access?
- Full data center access - the badge contains all the required information
  Feedback: Incorrect. The badge is only one factor (something you have). The fingerprint (something you are) and PIN (something you know) are still required. Multi-factor authentication specifically defeats stolen credentials.
- Nothing without the employee's fingerprint and PIN - MFA requires all factors
  Feedback: Correct! Multi-factor authentication (MFA) requires factors from different categories: something you HAVE (badge), something you ARE (fingerprint), and something you KNOW (PIN). Stealing one factor is not enough - the attacker would need to compromise all three.
- The outer doors only - inner doors require additional biometrics
  Feedback: Incorrect. The scenario describes a single access point with all three factors required simultaneously. MFA does not mean different doors have different requirements.
- Everything if they guess the PIN - fingerprints can be bypassed
  Feedback: Incorrect. While fingerprint spoofing is possible, it requires physical access to the employee's fingerprints (lifting prints, creating molds). Combined with PIN guessing and the stolen badge, this would be an extremely sophisticated attack, not a casual bypass.
Knowledge check (difficulty: hard, topic: iot-mfa-constraints)
Question: A fleet of 50,000 battery-powered soil moisture sensors needs MFA-style security but has only 128KB RAM, intermittent connectivity, and must last 5 years on a coin cell. The security team proposes: (1) Device certificate in secure element, (2) TOTP code generated every 30 seconds, (3) SMS confirmation to farmer. What is the critical flaw?
- Secure elements are too expensive for low-cost sensors at scale
  Feedback: Incorrect. While cost is a concern, secure elements like ATECC608A cost under $1 in volume and are standard for IoT device identity. This is the least problematic part of the proposal.
- TOTP and SMS are infeasible for intermittent connectivity and would drain batteries rapidly
  Feedback: Correct! Soil sensors may connect once daily or less. TOTP requires time synchronization and frequent checks. SMS requires cellular connectivity and confirmation loops. Both drain batteries. For constrained IoT, asymmetric cryptography (certificate + challenge-response) provides strong authentication without interactive factors. The device proves identity through its certificate; the server challenges possession of the private key. No battery-draining polling or user interaction required.
- 128KB RAM is insufficient to store the device certificate
  Feedback: Incorrect. X.509 certificates are typically 1-2KB, easily fitting in 128KB RAM. The secure element stores the private key separately in hardware. Certificate size is not the issue.
- Farmers cannot be expected to enter TOTP codes for 50,000 sensors
  Feedback: Partially true but not the critical flaw. While user interaction doesn't scale, the deeper issue is that constrained devices physically cannot maintain the connectivity and power budget for interactive MFA. Even if farmers were willing, the sensors cannot support it.
Challenge 5: Add Emergency Override
Implement an emergency mode for fire/evacuation:
- Special “EMERGENCY” command unlocks all doors
- All access restrictions temporarily disabled
- Heavily logged with alert
- Auto-reverts after 10 minutes or manual reset
- Requires special admin confirmation
Knowledge check (difficulty: hard, topic: biometric-authentication-scale)
Question: A smart lock manufacturer adds fingerprint authentication to their deadbolt. During testing, they achieve 99.9% accuracy (0.1% false accept rate). With 1 million units deployed and 10 authentication attempts per lock per day, approximately how many false accepts occur daily across the fleet?
- 100 false accepts - acceptable error rate for biometrics
  Feedback: Incorrect. While 0.1% sounds small, scale matters: 1M locks × 10 attempts × 0.001 FAR = 10,000 daily false accepts across the fleet. This means 10,000 times per day, someone's fingerprint incorrectly unlocks someone else's door.
- 10,000 false accepts - biometrics must be combined with other factors at scale
  Feedback: Correct! Even excellent biometric accuracy becomes problematic at scale. 0.1% FAR × 10M daily attempts = 10,000 false accepts. This is why critical systems combine biometrics with other factors (PIN, token) and use biometrics for convenience, not sole security. Biometrics work for '1:1 verification' (is this the right finger for this lock?) better than '1:N identification' (whose finger is this?).
- 1,000 false accepts - the 99.9% accuracy prevents most errors
  Feedback: Incorrect. You're off by a factor of 10. Calculate: 1,000,000 locks × 10 attempts/lock/day = 10,000,000 total attempts. 0.1% of 10M = 10,000 false accepts, not 1,000.
- 0 false accepts - smart locks verify fingerprints against enrolled users only
  Feedback: Incorrect. While locks only compare against enrolled prints (1:few matching), the false accept rate still applies. If a random person's finger has 0.1% probability of matching any enrolled print, and you test 10M times, you get 10,000 false accepts.
1387.3 What’s Next
After completing these challenge exercises, continue to: