4.3 Exercise 1: Classify the Authentication

🎯 How This Works

Each scenario describes a real authentication event. Before answering, type your prediction in the purple box — commit to a hypothesis first. Then answer the question and compare your reasoning to the feedback.

Why predict first? It keeps you from being swayed by a well-written distractor. AP MCQs are engineered so that the wrong choices sound plausible; knowing what you expect before you read the options is the most reliable defense.

✎ Guided Practice — 5 Scenarios
Scenario 1 of 5 — True or False MFA? A bank advertises “two-factor authentication” on its login page. To sign in, a customer must enter: (1) their 10-character password, and (2) answer a security question set at account creation (“What was your first pet’s name?”). A security auditor is asked whether this qualifies as true multi-factor authentication.
Predict First Name the factor category each input belongs to, then decide: is this true MFA?
Scenario 2 of 5 — Access Control Model A zero-trust cloud platform makes access decisions using rules like: “Allow access to finance-db if user.department = ‘Finance’ AND device.is_managed = true AND time_of_day between 08:00 and 18:00 AND request.geo_country = US.” Which access control model does this BEST describe?
Predict First What single word describes what the system is checking? That word is the model’s name.
Scenario 3 of 5 — Spot the Error in the Policy Memo A new IT administrator drafts this internal memo. Which statement contains a SECURITY ERROR that should be flagged before the memo is distributed?
INTERNAL MEMO: Account Policy Update
To: All Department Managers
From: IT Admin (new hire)

1. All new hires will receive a Standard User account on Day 1.
2. Managers with a business need may request elevated privileges.
3. To simplify troubleshooting, ALL support technicians will be
   granted Domain Admin rights indefinitely.
4. Privileged accounts will be audited quarterly.
Predict First Which principle from Lesson 4.3 does one of these lines directly violate?
Scenario 4 of 5 — Multi-Select (Which statements are TRUE?) A CISO is comparing MFA methods to roll out company-wide. Consider the following statements. Select ALL that are TRUE. No credit for selecting incorrect options.
Predict First Rank the four methods by phishing resistance before you read the statements. That ranking is the key to the answer.
Scenario 5 of 5 — Terminology Recall Fill in each blank with the correct term from Lesson 4.3.
Predict First Say the three terms aloud before typing. What do you expect to write?

1. The rule that every user and service should have ONLY the minimum access required to do their job is called the principle of .

2. When an attacker convinces a mobile carrier to transfer a victim’s phone number to a new SIM in order to steal SMS codes, the attack is called a .

3. The rule that no single person should be able to complete a sensitive end-to-end workflow alone is called .

0 / 5 Scenarios correct — review any missed answers, then move on to Exercise 2.
📚 Pattern to Remember

The AP Cyber MCQ question-design playbook for this topic is consistent: (1) test whether students confuse “two prompts” with “two factors,” (2) test which access control model fits a given policy language, (3) test whether students recognize principle-of-least-privilege violations in realistic memos, and (4) test the strength ordering of MFA methods. Predict-first works on all four.

AP Cybersecurity · Unit 4 · Lesson 4.3 · Exercise 1
LessonExercise 1LabQuiz

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]