CISSP Practice question #71

When using username and password online, what else can we use for multifactor authentication?
A: PINs.
B: Passphrases.
C: Challenge response.
D: Cookies.

CBK 5: Identity and Access Management
Source: practice tests


D: A cookie is a possession factor (something you have). Username and password are knowledge factors (something you know), and so are PINs, passphrases and challenge response, so none of A, B or C adds a second factor type. Only the cookie does, which is why username, password and cookie together give multifactor authentication.
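To make the "cookie as possession factor" idea concrete, here is an added example (not from the original post or any real product) of the pattern the answer describes: after a first login with password plus a one-time code on the enrolled phone, the server sets a signed, expiring "trusted device" cookie on that browser, and later logins succeed with password plus that cookie. All names, the 30-day lifetime, the user table and the server key are assumptions made for the example.

```python
"""Hypothetical 'trusted device' cookie used as a possession factor.

First login: password (knowledge) + one-time code on the enrolled phone
(possession). The server then issues a signed, expiring cookie bound to
the user, and later logins need only password + cookie. Constructed
example, not from any real product.
"""
import hashlib
import hmac
import secrets
import time

# Server-side signing secret and cookie lifetime; both assumed for the example.
SERVER_KEY = secrets.token_bytes(32)
COOKIE_TTL = 30 * 24 * 3600  # 30 days


def _hash_pw(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the constructed user table holds no plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


# Constructed user table with a single sample account.
_salt = secrets.token_bytes(16)
USERS = {"alice": {"salt": _salt, "pw_hash": _hash_pw("correct horse", _salt)}}


def check_password(user: str, pw: str) -> bool:
    """Knowledge factor: constant-time compare against the stored hash."""
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(rec["pw_hash"], _hash_pw(pw, rec["salt"]))


def issue_device_cookie(user: str, now=None) -> str:
    """Build 'user|expiry|tag', tag = HMAC-SHA256 over 'user|expiry'."""
    now = int(time.time() if now is None else now)
    payload = f"{user}|{now + COOKIE_TTL}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_device_cookie(user: str, cookie, now=None) -> bool:
    """Possession factor: cookie must carry a valid tag, match the user, and be unexpired."""
    now = int(time.time() if now is None else now)
    try:
        c_user, c_exp, c_tag = cookie.split("|")
    except (AttributeError, ValueError):
        return False
    payload = f"{c_user}|{c_exp}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, c_tag):
        return False  # tampered or forged
    try:
        expiry = int(c_exp)
    except ValueError:
        return False
    return c_user == user and now < expiry


def login(user: str, pw: str, device_cookie=None, otp_verified=False, now=None):
    """Return (status, cookie) with status 'fail', 'need_otp' or 'ok'.

    otp_verified stands in for a successful check of the phone-delivered code,
    which is out of scope here; the caller sets it only after that check.
    """
    if not check_password(user, pw):
        return ("fail", None)
    if device_cookie is not None and verify_device_cookie(user, device_cookie, now):
        return ("ok", device_cookie)          # password + trusted device cookie
    if otp_verified:
        return ("ok", issue_device_cookie(user, now))  # enrol this browser
    return ("need_otp", None)                 # password alone is one factor


if __name__ == "__main__":
    t0 = 1_000_000
    print(login("alice", "correct horse", now=t0))                     # need_otp
    status, cookie = login("alice", "correct horse", otp_verified=True, now=t0)
    print(status, verify_device_cookie("alice", cookie, now=t0 + 60))  # ok True
```

The cookie is only as strong as the device it sits on: it should be set with the Secure and HttpOnly attributes, and a cookie that leaks with the session (for example through a compromised browser) lets an attacker skip the phone step until it expires, which is why the trusted-device lifetime is bounded and the cookie is rejected on any signature mismatch.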


IT security trainer.
Sharing my knowledge, to help you reach your IT certification goals.
CISSP, C|EH, PMP, CCNP, CompTIA Security+, SCP, CCNA-Security, CCNA, et. Al.

  1. I understand that, but you have it in your possession; I assume that is why ISC2 sees it as type 2.
    A lot of what I had to do this week teaching the Air Force was train them to answer ISC2 way and not what they do in their daily lives.
    Answer it the ISC2 way.
    Most answer wrong on cookies and one-time passwords being type 2 authentication.

    1. How is the system that implements a cookie for an authentication mechanism going to be able to uniquely identify a subject prior to authentication?

      Cookies were designed to function after authentication and maintain active sessions.

    2. Most of them are used as “multi factor”; we can argue whether that is true, but ISC2 feels it is.
      You authenticate to your bank using your phone (most often they then send an SMS); the cookie subsequently works as the multi factor.

    3. The cookie isn’t identifying you as you.

      The phone that the user registered for 2FA is the identifying component.

      The ultimate premise behind it is…I shouldn’t be able to snag all the information I need in a single XSS attack. Cookies, pwds, PINs are all fair game. I’d have to physically steal the device.

  2. Usernames and passwords are Type 1 authentication; to get multifactor we need type 2 or 3.
    PINs and passphrases are both knowledge factors, challenge response can be 1 or 2, and cookies are only type 2.
    It really is a most-right-answer scenario, for which I recommend being able to answer not only why a question is right, but also why the rest are wrong (or less right).

    1. 1 and 2 are the same type 1, with password then being eliminated. Challenge-response could be in the form of a password – type 1 (e.g. in CHAP) – or type 2 with an asynchronous token. Cookie setting is device authentication, so it belongs to type 2.

  3. Challenge response can be both a knowledge factor and a possession factor (type 1/2); cookies are purely possession factors.
    Challenge response can also be “where were you born”.
    There will be questions with “most right” answers.
    In this case D would be the most right.
