A security architect is designing a new authentication system for a high-security environment. The system must support passwordless authentication while providing strong protection against phishing attacks. Which of the following protocols best meets these requirements?
- A
Kerberos with PKINIT
Why wrong: PKINIT replaces the Kerberos password with certificate-based pre-authentication, so it can be used without a password; the private key normally sits on a smart card or TPM and the PIN that unlocks it stays local. What it does not give you is a general-purpose, origin-bound login for web applications: it is tied to a Kerberos realm, a KDC and an enterprise PKI, and the relying party never receives an assertion that names the site the user was actually on, which is the property the question is testing.
- B
FIDO2/WebAuthn
Why right: FIDO2/WebAuthn registers a separate key pair per relying party on the authenticator; the private key never leaves the device. Every assertion is a signature over the server's fresh challenge, the hash of the RP ID and a clientDataJSON whose "origin" field is written by the browser, not by the page. An assertion produced on a look-alike domain therefore fails verification at the real site, which is what makes the protocol phishing-resistant, and user verification (PIN or biometric) happens locally on the authenticator, so no password or shared secret is ever transmitted.
- C
TOTP/HOTP
Why wrong: TOTP/HOTP derive a short code from a secret shared with the server, and the user types that code into whatever page asks for it. An adversary-in-the-middle phishing page can capture the code and relay it to the real server within its validity window, so the scheme is not phishing-resistant; it is also normally a second factor on top of a password rather than a replacement for one.
- D
X.509 certificates with smart cards
Why wrong: Smart-card certificates do give strong, phishing-resistant authentication, and the PIN only unlocks the key on the card and is never sent to the server, so the PIN by itself is not what disqualifies the option (FIDO2 authenticators use a local PIN or biometric in the same way). The weakness is that X.509 is a credential format rather than an authentication protocol: it needs an enterprise PKI with issuance and revocation, card readers and middleware on every endpoint, and a carrying protocol such as TLS client authentication or PKINIT. For a new system whose stated goals are passwordless and phishing-resistant, FIDO2/WebAuthn delivers both directly in a single protocol.
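To make the phishing-resistance argument for option B concrete, here is an added example, not part of the original question, that implements the relying-party checks from the WebAuthn assertion ceremony in Go using only the standard library (ECDSA P-256, which is COSE algorithm ES256). The origins `https://login.example` and `https://login-example.evil`, the function names `VerifyAssertion` and `RunScenario`, and the simulated authenticator are all constructed for illustration. It runs a legitimate login, then the attacker's best case for an adversary-in-the-middle relay, then a relay in which the attacker rewrites the origin, and shows why the last two fail.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// collectedClientData holds the CollectedClientData fields the relying party must check.
// The browser, not the web page, fills in "origin": that is what defeats look-alike domains.
type collectedClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticatorData is the fixed 37-byte prefix of WebAuthn authenticator data:
// SHA-256(rpId) || flags || signCount (big-endian uint32).
func authenticatorData(rpID string, flags byte, signCount uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], signCount)
	return append(append(h[:], flags), c[:]...)
}

// signedMessage is what the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return m[:]
}

// authenticatorSign models (constructed, simplified) a FIDO2 authenticator answering
// navigator.credentials.get(): the device-bound private key signs and never leaves the device.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID string, clientDataJSON []byte, count uint32) ([]byte, []byte, error) {
	ad := authenticatorData(rpID, 0x05, count) // flags: UP (0x01) | UV (0x04)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, clientDataJSON))
	return ad, sig, err
}

// VerifyAssertion is the relying-party side: the checks that make an assertion useless
// anywhere but the origin and RP ID it was created for.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string,
	clientDataJSON, authData, sig []byte, storedCount uint32) error {
	var cd collectedClientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin mismatch: assertion was made for %s, not %s", cd.Origin, origin)
	}
	if len(authData) < 37 {
		return errors.New("authenticator data too short")
	}
	if want := sha256.Sum256([]byte(rpID)); !bytes.Equal(authData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: credential is scoped to a different RP")
	}
	if f := authData[32]; f&0x01 == 0 || f&0x04 == 0 {
		return errors.New("passwordless login requires user presence and user verification flags")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if (count != 0 || storedCount != 0) && count <= storedCount {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, clientDataJSON), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// clientDataFor is what the browser builds; origin is taken from the page's real URL.
func clientDataFor(origin, challenge string) []byte {
	b, _ := json.Marshal(collectedClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	return b
}

func hostOf(origin string) string { u, _ := url.Parse(origin); return u.Hostname() }

// RunScenario registers a key for rpOrigin and tries three logins against one server challenge:
// legitimate, relayed by a phishing page at phishOrigin, and relayed with the attacker rewriting
// clientDataJSON and authData to claim the real origin. It returns the three verification results.
func RunScenario(rpOrigin, phishOrigin string) (legitErr, relayErr, forgedErr error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	rpID := hostOf(rpOrigin)
	raw := make([]byte, 32)
	rand.Read(raw)
	challenge := base64.RawURLEncoding.EncodeToString(raw)

	// 1. Legitimate login from the real origin.
	cd := clientDataFor(rpOrigin, challenge)
	ad, sig, _ := authenticatorSign(priv, rpID, cd, 1)
	legitErr = VerifyAssertion(&priv.PublicKey, rpID, rpOrigin, challenge, cd, ad, sig, 0)

	// 2. AitM relay: the fake site forwards the real challenge, but the victim's browser stamps the
	// fake origin and scopes the request to the fake host. (A real browser would find no credential
	// for that RP ID at all; this is the attacker's best case, and it still fails.)
	pcd := clientDataFor(phishOrigin, challenge)
	pad, psig, _ := authenticatorSign(priv, hostOf(phishOrigin), pcd, 2)
	relayErr = VerifyAssertion(&priv.PublicKey, rpID, rpOrigin, challenge, pcd, pad, psig, 1)

	// 3. The attacker rewrites origin and rpIdHash to look legitimate; the signature covers both.
	forgedAD := authenticatorData(rpID, 0x05, 2)
	forgedErr = VerifyAssertion(&priv.PublicKey, rpID, rpOrigin, challenge, cd, forgedAD, psig, 1)
	return
}

func main() {
	l, r, f := RunScenario("https://login.example", "https://login-example.evil")
	fmt.Println("legitimate:", l, "\nrelayed:", r, "\nforged:", f)
}
```

The TOTP contrast is the point of case 2: a relayed one-time code carries nothing that names the site it was typed into, so the real server accepts it, whereas the relayed WebAuthn assertion is rejected before the signature is even checked because the browser-supplied origin and RP ID hash do not match.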