πŸ” CompTIA Security+ SY0-701 Β· Domains 1 & 4

Authentication & Access Control
MFA Β· DAC/MAC/RBAC/ABAC Β· Protocols Β· SSO & Federation

Master authentication factors, access control models, identity protocols (Kerberos, RADIUS, TACACS+), and federation standards (SAML, OAuth, OIDC) β€” with scenario-based quizzes and an IAM selector tool built for SY0-701.

🎯 Take the Practice Quiz
Authentication & Access Control Models

Authentication and access control appear across Domains 1 and 4 of SY0-701. Questions test your ability to identify the right authentication mechanism for a scenario and choose the correct access control model based on organizational requirements.

πŸ›οΈ
IAM = three separate questions: (1) Authentication β€” who are you? (verify identity). (2) Authorization β€” what can you do? (access control models). (3) Accounting β€” what did you do? (logging, AAA). These three form the AAA framework tested throughout SY0-701.
πŸ”
Auth Factors & MFA

Verify Identity

Authentication factors prove who you are. MFA requires two or more different factor categories β€” combining them makes account compromise dramatically harder.

Know: Password, PIN, security question Have: Token, smart card, OTP app Are: Fingerprint, retina, face scan MFA: Two+ different factor types
πŸ›οΈ
Access Control Models

Authorize What's Allowed

Access control models define who can access what. The right model depends on security requirements, flexibility needs, and organizational structure.

DAC: Owner grants access (Windows) MAC: Labels + clearances (gov/military) RBAC: Job roles grant access (enterprise) ABAC: Attribute policies (most flexible)
πŸ—οΈ
Identity Protocols

AAA Infrastructure

The protocols that carry authentication and authorization over the network. Each has specific use cases β€” the exam tests which protocol fits which scenario.

Kerberos: Ticket-based, Windows AD RADIUS: VPN/Wi-Fi AAA (UDP) TACACS+: Device admin (TCP, full encrypt) LDAP: Directory lookups (port 389/636)
🀝
SSO & Federation

One Login, Many Services

SSO and federation let users authenticate once and access multiple systems. The specific standard used depends on the architecture and application type.

SAML 2.0: XML SSO, enterprise browser OAuth 2.0: Authorization (NOT authn) OIDC: Authentication on top of OAuth Federation: Cross-org trust

The SY0-701 IAM Mindset

Know the purpose of each model and protocol, not just its name. The exam presents scenarios and asks which control fits β€” RBAC vs. ABAC, RADIUS vs. TACACS+, SAML vs. OAuth. The wrong answer usually fails one specific requirement in the scenario.

πŸ’‘
The biggest exam trap: OAuth 2.0 is an authorization framework β€” it grants an app permission to access resources on a user's behalf. It does NOT authenticate the user's identity. OpenID Connect (OIDC) adds authentication on top of OAuth 2.0. If the exam asks "which standard lets a user log in with their Google account" β†’ OIDC. If it asks "which lets an app access Google Calendar data" β†’ OAuth 2.0.
Take the Quiz β†’
Deep Dive: Each IAM Category

The mechanisms, protocols, models, and exam traps for each authentication and access control category in SY0-701.

πŸ” Authentication Factors & MFA Verify Identity

The Five Factor Categories
🧠
Knowledge
Something You Know
Password, PIN, passphrase, security question answer
πŸ“±
Possession
Something You Have
OTP app, hardware token, smart card, push notification
πŸ‘οΈ
Inherence
Something You Are
Fingerprint, retina, iris, face, voice, palm vein
πŸ“
Location
Somewhere You Are
GPS location, IP geolocation, network (office Wi-Fi only)
πŸ–±οΈ
Behavior
Something You Do
Typing cadence, mouse movement patterns, gait analysis
MFA (Multi-Factor Authentication)
Requires two or more different factor categories. Password + PIN = single factor (both knowledge) β€” NOT MFA. Password + OTP app = MFA (knowledge + possession). The categories must differ, not just the number of steps.
2+ different categories required
TOTP (Time-Based OTP)
Generates a new 6-digit code every 30 seconds using a shared secret + current timestamp. Google Authenticator, Microsoft Authenticator, Authy. Both the app and server compute the same code independently. Codes expire quickly β€” captured codes are useless after 30 seconds.
Time-based Β· 30-second window
HOTP (HMAC-Based OTP)
Counter-based OTP β€” a new code is generated each time the button is pressed (or a login is attempted). The server and token maintain synchronized counters. A valid code remains valid until used (look-ahead window for sync). RFC 4226.
Counter-based Β· Valid until used
FIDO2 / WebAuthn / Passkeys
Phishing-resistant passwordless authentication. Uses public-key cryptography: a private key stored on the device/authenticator, public key registered with the server. Hardware tokens (YubiKey), platform authenticators (Face ID, Windows Hello). Cannot be phished β€” tied to the specific origin domain.
Phishing-resistant Β· Passwordless
Smart Cards / PIV / CAC
Physical card with an embedded certificate and private key. PIV (Personal Identity Verification) is the US federal standard. CAC (Common Access Card) is the DoD version. Requires PIN to unlock the card β€” combines possession (card) + knowledge (PIN). Strong MFA for government.
Possession + knowledge Β· Government
Biometric Error Rates
FAR (False Acceptance Rate): Percentage of unauthorized users incorrectly accepted β€” a security risk. FRR (False Rejection Rate): Percentage of legitimate users incorrectly rejected β€” a usability problem. CER (Crossover Error Rate): The point where FAR = FRR β€” used to compare biometric system accuracy. Lower CER = better system.
FAR Β· FRR Β· CER
⚠️
MFA exam trap β€” factors must be different categories: A password + a PIN = two knowledge factors = NOT MFA. A fingerprint + a retina scan = two inherence factors = NOT MFA. MFA requires factors from different categories: e.g., password (know) + authenticator app (have) + fingerprint (are). The exam will test this distinction.
Exam keyword mapping "30-second expiring code" = TOTP Β· "Counter-based token" = HOTP Β· "Phishing-resistant, no password" = FIDO2/WebAuthn Β· "Federal/DoD card + PIN" = PIV/CAC Β· "FAR/FRR crossover" = CER Β· "Two factor types" = MFA

πŸ›οΈ Access Control Models Authorize Access

DAC β€” Discretionary Access Control
The resource owner decides who can access their data and sets permissions accordingly. Common in Windows NTFS (file owner sets ACL permissions). Flexible but risky β€” users may grant access too broadly. Linux standard permissions (rwxrwxrwx) are also DAC.
Owner-controlled Β· ACLs Β· Windows/Linux
MAC β€” Mandatory Access Control
Access based on security labels (classification level) assigned to data and clearance levels assigned to users. The OS/system enforces access β€” the owner cannot override it. Used in government/military environments. SELinux implements MAC. Bell-LaPadula model: No Read Up (can't read above clearance), No Write Down (can't write below classification).
Labels + clearances Β· Government Β· SELinux
RBAC β€” Role-Based Access Control
Access permissions are assigned to roles, and users are assigned to roles. Most common enterprise model. Simplifies administration β€” add/remove a user from a role rather than updating individual permissions. Risk: role explosion (too many fine-grained roles) and privilege creep (old roles not removed when job changes).
Roles β†’ permissions Β· Enterprise standard
ABAC β€” Attribute-Based Access Control
Fine-grained access based on attributes of the user (role, department, clearance), resource (classification, type), and environment (time of day, location, device). Most flexible model β€” policies can combine many attributes simultaneously. XACML is the policy language. Used in cloud environments and Zero Trust architectures.
Attributes + policies Β· Most flexible Β· Cloud
Rule-Based Access Control
Admins define static rules that apply to all users β€” rules are NOT based on user roles or identity. Examples: firewall rules (allow port 443 from any), time-of-day restrictions (no access outside 9am–6pm). Not the same as RBAC despite similar naming. Common source of exam confusion.
Admin-defined rules Β· Not role-based
Privilege Creep & Least Privilege
Privilege creep: Accumulation of access rights over time as users change roles but old access is never removed. Mitigated by periodic access reviews (recertification). Least privilege: Users should have only the minimum access needed for their current job β€” no more. A core Zero Trust principle.
Key concepts Β· Access review required
πŸ’‘
Bell-LaPadula vs. Biba models (MAC variants): Bell-LaPadula = confidentiality model. Rule: No Read Up (can't read higher classification), No Write Down (can't write to lower classification β€” prevents leaking secrets). Biba = integrity model. Rule: No Write Up (can't write to higher integrity level β€” prevents corruption), No Read Down (can't read lower integrity β€” prevents contamination).
Exam keyword mapping "Owner sets permissions, ACL" = DAC Β· "Security labels, clearances, government" = MAC Β· "Job roles, enterprise, role explosion" = RBAC Β· "Multiple attributes, time/location/department" = ABAC Β· "Admin rules, firewall, time-of-day" = Rule-Based Β· "No Read Up, No Write Down" = Bell-LaPadula (MAC)

πŸ—οΈ Identity & Directory Protocols AAA Infrastructure

Kerberos
Ticket-based authentication used in Windows Active Directory environments. Port 88. Key components: KDC (Key Distribution Center) = Authentication Server (AS) + Ticket Granting Server (TGS). Flow: User authenticates to AS β†’ receives TGT β†’ presents TGT to TGS β†’ receives service ticket β†’ presents to application server. Mutual authentication. Time-sensitive (5-minute clock skew tolerance).
Port 88 Β· Tickets Β· Windows AD Β· Mutual auth
LDAP / LDAPS
Lightweight Directory Access Protocol β€” queries directory services (like Active Directory) for user account information. Port 389 (plaintext), port 636 (LDAPS β€” encrypted). Hierarchical structure: DN (Distinguished Name), OU (Organizational Unit), CN (Common Name). LDAP is for lookups β€” authentication is done by Kerberos or NTLM, not LDAP itself.
Port 389/636 Β· Directory queries Β· Not auth
RADIUS
Remote Authentication Dial-In User Service β€” provides AAA for network access (VPN concentrators, wireless access points, network switches). Uses UDP ports 1812 (auth) and 1813 (accounting). Encrypts only the password field, not the full packet. Client-server: NAS (Network Access Server) forwards credentials to RADIUS server.
UDP 1812/1813 Β· VPN/Wi-Fi Β· Password-only encrypt
TACACS+
Terminal Access Controller Access-Control System Plus β€” Cisco-developed (now open). Provides AAA for network device administration (router/switch configuration). Uses TCP port 49. Fully encrypts the entire packet (not just the password). Separates Authentication, Authorization, and Accounting into independent processes for granular command-level authorization.
TCP 49 Β· Full encryption Β· Device admin Β· Cisco
AAA Framework
Authentication: Who are you? (verify identity β€” username/password/MFA). Authorization: What can you do? (permissions, access control models). Accounting: What did you do? (session logs, audit trails, compliance reporting β€” duration, bytes transferred, commands run). RADIUS and TACACS+ both implement AAA.
Auth + Authz + Accounting
NTLM (NT LAN Manager)
Legacy Windows authentication protocol using a challenge-response mechanism. Replaced by Kerberos for domain authentication in modern Windows. Still used in some scenarios: workgroup environments (no AD), some legacy apps, and when authenticating by IP address (not hostname). Vulnerable to pass-the-hash attacks. Avoid when possible.
Legacy Windows Β· Challenge-response Β· Pass-the-hash risk
Kerberos Authentication Flow
1
User β†’ Authentication Server (AS)"I am Alice" + encrypted timestamp (proves knowledge of password hash). No password sent
2
AS β†’ User: TGT (Ticket Granting Ticket)Encrypted with the KDC's secret key. Alice cannot read it β€” but carries it to the TGS.
3
User β†’ Ticket Granting Server (TGS)"I need to access the file server" + TGT. No re-authentication needed
4
TGS β†’ User: Service TicketEncrypted with the file server's secret key. Alice presents this to the file server.
5
User β†’ File Server: Service TicketFile server decrypts it (proves KDC issued it) and grants access. Mutual auth
⚠️
RADIUS vs. TACACS+ β€” the critical distinctions: (1) RADIUS uses UDP; TACACS+ uses TCP. (2) RADIUS encrypts only the password; TACACS+ encrypts the entire packet. (3) RADIUS is for network access (VPN, Wi-Fi); TACACS+ is for network device administration (router/switch commands). (4) TACACS+ separates A/A/A independently; RADIUS bundles authentication and authorization. Exam questions often hinge on "command-level authorization" or "full packet encryption" β†’ TACACS+.

🀝 SSO & Federation One Login, Many Services

SAML 2.0 (Security Assertion Markup Language)
XML-based SSO standard for enterprise browser-based applications. Three roles: User (browser), IdP (Identity Provider β€” authenticates the user, e.g., Okta, AD FS), SP (Service Provider β€” the app, e.g., Salesforce). SP redirects to IdP β†’ IdP authenticates β†’ IdP returns XML assertion β†’ SP grants access. No credentials sent to the SP.
XML Β· Enterprise SSO Β· IdP + SP
OAuth 2.0
Authorization framework β€” NOT authentication. Grants a third-party application limited access to a user's resources on another service without sharing credentials. Example: "Allow this calendar app to read your Google Calendar." Tokens: access token (short-lived), refresh token (long-lived). Does NOT prove who the user is β€” only that they authorized access.
Authorization only Β· Delegated access Β· Tokens
OpenID Connect (OIDC)
An authentication layer built on top of OAuth 2.0. Adds an ID token (a JWT β€” JSON Web Token) that contains claims about who the user is. Enables "Sign in with Google/Apple/Microsoft" flows. OIDC = authentication (who are you?). OAuth 2.0 = authorization (what can the app access?). Both are typically used together for modern apps.
Authentication Β· JWT ID token Β· Builds on OAuth
Federation
A trust relationship between two separate identity domains β€” allowing users from one organization to access resources in another without creating a new account. Example: A company's employees log in to a partner's system using their corporate credentials. Implemented via SAML or OIDC. Each organization manages its own IdP.
Cross-org trust Β· Single identity
SSO (Single Sign-On)
Log in once and access multiple applications without re-entering credentials. Benefits: reduced password fatigue, fewer help-desk password resets, centralized access control. Risk: the IdP becomes a single point of failure and a high-value attack target β€” MFA on the IdP is critical. Implemented via SAML (enterprise) or OIDC (modern).
One login Β· Multiple apps Β· IdP is critical target
JWT (JSON Web Token)
A compact, signed token used in OIDC and OAuth 2.0. Three parts: Header (algorithm), Payload (claims: sub, email, exp, iat, etc.), Signature (verifies token wasn't tampered with). Base64URL-encoded. The signature is verified with the IdP's public key β€” no round-trip needed. Stateless: the server doesn't need to look up session state.
Header.Payload.Signature Β· Stateless Β· OIDC
SAML SSO Flow
1
User visits Salesforce (SP)Not logged in. Salesforce detects no session.
2
SP redirects to IdP (e.g., Okta)Browser redirects with a SAML authentication request. User logs into Okta with corporate credentials + MFA.
3
IdP issues SAML AssertionXML document signed by IdP's private key. Contains user identity, attributes, and validity period.
4
Browser posts Assertion to SPSalesforce verifies IdP's signature, reads user attributes, creates session. Access granted β€” no credentials ever sent to Salesforce.
⚠️
OAuth vs. OIDC β€” the exam's most common federation trap: OAuth 2.0 answers the question "What can this app do on your behalf?" β€” it's authorization. OIDC answers "Who is this user?" β€” it's authentication. "Sign in with Google" uses OIDC. "Allow this app to post on your Twitter" uses OAuth. The two are used together: OIDC for authentication + OAuth for authorization of resource access.
Side-by-Side Comparison

Filter by category or view all. Focus on the distinguishing features that determine the right control for each scenario.

Criterion πŸ” Auth/MFA πŸ›οΈ Access Control πŸ—οΈ Protocols 🀝 SSO/Federation
Core Question Who are you? (identity verification) What can you access? (authorization) How is auth/authz transmitted? (AAA protocol) Can you use your existing identity here? (trust)
Key Models Know / Have / Are / Location / Behavior + MFA DAC / MAC / RBAC / ABAC / Rule-Based Kerberos / RADIUS / TACACS+ / LDAP / NTLM SAML 2.0 / OAuth 2.0 / OIDC / Federation
Most Flexible FIDO2/Passkeys β€” phishing-resistant, no password ABAC β€” policies combine multiple attributes TACACS+ β€” separates A/A/A independently OIDC β€” modern, API-friendly, mobile-compatible
Government / High Security Smart card (PIV/CAC) β€” possession + knowledge MAC β€” labels and clearances, SELinux Kerberos β€” mutual auth, no password on wire SAML 2.0 β€” mature, widely audited standard
Key Limitation Biometrics: FAR/FRR trade-off; TOTP: phishable; SMS OTP: SIM-swap vulnerable DAC: users over-share; MAC: rigid; RBAC: role explosion; ABAC: complex policies RADIUS: UDP (unreliable), password-only encryption; Kerberos: requires time sync SAML: XML complexity; OAuth: not for authentication; SSO: IdP = single point of failure
Exam Keyword "Phishing-resistant" = FIDO2 Β· "30-sec code" = TOTP Β· "CER/FAR/FRR" = Biometrics "Labels/clearances" = MAC Β· "Roles" = RBAC Β· "Multiple attributes" = ABAC Β· "Owner sets" = DAC "VPN/Wi-Fi AAA" = RADIUS Β· "Command-level, full encrypt" = TACACS+ Β· "Tickets, AD" = Kerberos "Enterprise SSO, XML" = SAML Β· "Authorization, not authn" = OAuth Β· "Sign in with Google" = OIDC
Typical Use Case Login flows, remote access, VPN, privileged admin access File system permissions, cloud IAM policies, database access control Enterprise networks, Windows domains, VPN gateways, managed switches/routers Enterprise SaaS apps, cross-org partner access, mobile/API authentication
Exam-Style Vignettes

Read each scenario and identify the correct IAM answer before checking the breakdown.

πŸ” Auth/MFAChoosing the Right MFA Method
"A financial institution's security team has experienced several account takeovers caused by attackers who used phishing sites to capture both passwords and TOTP codes in real time (real-time phishing proxy attacks). The team wants to deploy the strongest available MFA that cannot be captured by phishing. What should they deploy?"
Correct AnswerFIDO2 / WebAuthn (hardware keys like YubiKey or platform authenticators like Face ID). The credential is cryptographically tied to the specific origin domain β€” a phishing site on a different domain cannot obtain a valid response.
Why Not TOTP?TOTP codes can be captured in real-time phishing proxy attacks β€” the attacker captures the code and immediately replays it on the legitimate site within the 30-second window.
Why Not SMS OTP?SMS is vulnerable to SIM-swapping and SS7 interception attacks β€” weakest MFA form.
Exam Key"Phishing-resistant MFA," "cannot be captured in real-time" β†’ FIDO2/WebAuthn/Passkeys
πŸ›οΈ Access ControlSelecting the Right Access Model
"A hospital needs an access control model where doctors can access patient records in their own department at any time, but access is automatically blocked after business hours for non-emergency staff, and contractors can only access specific systems relevant to their current project β€” no matter how the IT team configures things manually."
Correct AnswerABAC β€” policies combining user attributes (role=doctor, department=cardiology), resource attributes (patient department), and environment attributes (time of day, contractor status) enforce all three requirements simultaneously.
Why Not RBAC?RBAC can handle role-based access (doctor/nurse/contractor) but cannot natively enforce time-of-day restrictions or cross-reference department attributes without building many overlapping roles.
Why Not MAC?MAC uses fixed labels/clearances β€” it's too rigid for the dynamic, multi-attribute requirements here.
Exam Key"Time of day," "department match," "multiple conditions simultaneously" β†’ ABAC
πŸ—οΈ ProtocolsRADIUS vs. TACACS+
"A network team manages 200 Cisco routers. They need to authenticate administrators, authorize which commands each admin tier can execute (Tier 1 = read-only, Tier 2 = full access), and log every command entered for compliance. All credentials and commands must be encrypted in transit."
Correct AnswerTACACS+ β€” separates Authentication, Authorization, and Accounting independently; provides granular command-level authorization; encrypts the entire payload (not just the password).
Why Not RADIUS?RADIUS encrypts only the password field β€” commands and attributes are transmitted in cleartext. RADIUS also bundles authentication and authorization, making command-level authorization harder to implement.
Why Not Kerberos?Kerberos provides mutual authentication but does not natively provide command-level authorization for network device administration.
Exam Key"Command-level authorization," "full encryption," "device administration" β†’ TACACS+
🀝 SSO/FederationOAuth vs. OIDC
"A startup is building a productivity app. They want to: (1) allow users to log in using their existing Google account instead of creating a new password, and (2) with the user's permission, read their Google Calendar to display upcoming meetings in the app."
Authentication (Goal 1)OpenID Connect (OIDC) β€” adds an ID token to the OAuth flow that proves who the user is. "Sign in with Google" uses OIDC to authenticate the user's identity.
Authorization (Goal 2)OAuth 2.0 β€” grants the app a scoped access token to read Google Calendar data on the user's behalf, without the user ever sharing their Google password with the app.
Key DistinctionOIDC answers "Who is this user?" OAuth 2.0 answers "What resources can this app access?" They work together: OIDC for login, OAuth for resource access.
Exam Key"Sign in with" = OIDC (authentication). "Access calendar/contacts/data" = OAuth (authorization).
⚠️
Top 5 IAM exam traps: (1) Password + PIN = NOT MFA (both knowledge factors). (2) OAuth 2.0 is authorization only β€” not authentication. (3) RADIUS encrypts password only; TACACS+ encrypts everything. (4) Rule-based access control β‰  Role-based access control (RBAC). (5) Privilege creep = old roles not revoked after a job change β€” mitigated by periodic access reviews, not by adding more roles.
Practice Quiz

10 scenario-based questions with per-category breakdown β€” built around actual SY0-701 scenario question patterns.

Question 1 of 10

Auth/MFA
β€”
Access Control
β€”
Protocols
β€”
SSO/Federation
β€”
IAM Selector Tool

Answer 2–3 questions to identify the most appropriate identity and access management control for your scenario.

What IAM problem are you trying to solve?
Choose the goal that best describes your scenario.
What are the key requirements for authentication?
How should access be determined?
What are you authenticating?
What type of SSO or federation?
Memory Hooks & Mnemonics

Click each card to flip it and reveal the mnemonic.

πŸ‘† Tap a card to flip

πŸ”
MFA
What counts as true MFA?
Password + PIN = NOT MFA.
Password + phone app = MFA.
MFA requires factors from DIFFERENT categories: know + have, or know + are. Two passwords = still single factor. Two biometrics = still single factor. The categories must differ.
πŸ—ΊοΈ
Access Control
DAC / MAC / RBAC / ABAC β€” quick recall?
Owner Β· Labels Β· Roles Β· Attributes
DAC = owner decides. MAC = system enforces labels (govt). RBAC = roles = job functions (enterprise). ABAC = many attributes combined (most flexible, cloud). Each is more sophisticated than the last.
πŸ“‘
RADIUS vs TACACS+
Which for VPN, which for routers?
RADIUS = Remote users (VPN/Wi-Fi).
TACACS+ = Terminal admin (devices).
RADIUS: UDP, encrypts password only, network access. TACACS+: TCP, encrypts everything, device administration with command-level authorization. "Full encryption + command control" = TACACS+.
🎫
Kerberos
What is a TGT and why does it matter?
"Log in once, get a golden ticket, use it all day."
TGT = Ticket Granting Ticket. You prove your identity to the AS once β†’ get TGT β†’ use TGT to get service tickets all day without re-entering credentials. KDC = AS + TGS. No password travels on the network.
🀝
OAuth vs OIDC
Which authenticates, which authorizes?
OAuth = "what can you do?" OIDC = "who are you?"
OAuth 2.0 = authorization only (grants resource access, issues access tokens). OIDC = authentication (adds ID token proving who the user is, built on top of OAuth). "Sign in with Google" = OIDC. "Access your calendar" = OAuth.
πŸ›οΈ
Bell-LaPadula
What model and what are the rules?
No Read Up. No Write Down.
Confidentiality model (MAC).
Bell-LaPadula enforces confidentiality. A Secret-cleared user: cannot read Top Secret (no read up), cannot write to Unclassified (no write down β€” prevents leaking). Biba is the opposite for integrity: no write up, no read down.
πŸ“±
TOTP vs HOTP
What's the difference?
TOTP = Time (30 sec). HOTP = Counter (button press).
TOTP codes expire every 30 seconds β€” captured codes become useless quickly. HOTP codes are counter-based β€” valid until used. Google Authenticator = TOTP. Hardware RSA tokens with a button = HOTP. TOTP is more common in modern apps.
πŸ”
Privilege Creep
What is it and how do you stop it?
"Roles accumulate. Reviews reclaim."
Privilege creep = user gains new roles as jobs change but old access is never revoked. The fix: periodic access reviews (recertification campaigns) where managers re-approve every access right. Also mitigated by separation of duties and least privilege enforcement.

SY0-701 Quick-Recall Cheat Sheet

If the exam says…Key detailAnswer
"Phishing-resistant MFA," "TOTP captured in real-time attack"Tied to origin domain cryptographicallyFIDO2 / WebAuthn / Passkeys
"30-second code," "authenticator app"Time-based, expires quicklyTOTP
"FAR/FRR crossover point"Where FAR = FRR β€” system accuracy metricCER (Crossover Error Rate)
"Federal ID card + PIN," "DoD," "PIV"Possession + knowledgeSmart Card (PIV/CAC)
"Owner controls access," "NTFS permissions," "ACL"User-discretionaryDAC
"Security labels," "clearance levels," "government/military"System-enforced, SELinuxMAC
"No Read Up, No Write Down"Confidentiality-focused MACBell-LaPadula Model
"Job roles," "enterprise," "role explosion," "least privilege"Role-centricRBAC
"Time of day + department + device type + role"Multi-attribute policiesABAC
"VPN auth," "Wi-Fi authentication," "AAA for network access," "UDP"Password-only encryptedRADIUS
"Router admin," "command-level authorization," "full encryption," "TCP 49"Separates A/A/ATACACS+
"Tickets," "TGT," "Windows AD," "KDC," "mutual auth"Port 88, no password on wireKerberos
"Enterprise SSO," "XML assertion," "IdP + SP," "Salesforce/Workday"Browser-based, mature standardSAML 2.0
"Sign in with Google/Apple," "ID token," "JSON"Authentication on top of OAuthOpenID Connect (OIDC)
"App accesses calendar/contacts without your password"Authorization only, not authOAuth 2.0
πŸŽ“ Security+ Exam Prep Platform

Ready to Pass Security+?
Get Everything You Need in One Place.

These concept pages are just the start. FlashGenius gives you a complete Security+ prep toolkit β€” practice tests, flashcard decks, domain cheat sheets, and scenario quizzes built for SY0-701.

🎯 Practice Tests
πŸƒ Flashcard Decks
πŸ“„ Domain Cheat Sheets
πŸ“Š Scenario Quizzes
🧠 Memory Hooks
πŸ” All 5 Domains
πŸš€ Start Free on FlashGenius View All Security+ Resources β†’
Free to register Β· No credit card required Β· Trusted by Security+ candidates