CompTIA Security Plus Mock Test Q950

A small company has a website that provides online customer support. The company requires an account recovery process so that customers who forget their passwords can regain access. Which of the following is the BEST approach to implement this process?

A. Replace passwords with hardware tokens which provide two-factor authentication to the online customer support site.
B. Require the customer to physically come into the company’s main office so that the customer can be authenticated prior to their password being reset.
C. Web-based form that identifies customer by another mechanism and then emails the customer their forgotten password.
D. Web-based form that identifies customer by another mechanism, sets a temporary password and forces a password change upon first login.

Correct Answer: D
Section: Access Control and Identity Management

People tend to forget their passwords, thus you should have a password recovery system for them that will not increase risk exposure. Setting a temporary password will restrict the
time that the password is valid and thus decrease risk; and in addition forcing the customer to change it upon first login will make the password more secure for the customer.

Incorrect Answers:
A: Two-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other of
which is typically something memorized, such as a security code. But in this case the problem stems from a forgotten password.
B: Requiring customers to physically come in to the company’s main office is not a viable option – what if the customer is on a different continent?
C: Emailing customers their forgotten password is risky as the email can be intercepted, a forgotten password is best being eliminated from the system as a forgotten password if still
active can compromise your business as well as your customers.

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 139, 142