Access Controls

The correct answer involves configuring the Audience Restriction condition to specify the unique entity identifier of each Service Provider.

This is the proper solution because:

The scenario describes a token replay attack where an attacker compromises a low-security application, extracts valid SAML tokens, and attempts to use them against a different application (the high-security billing system) within the same SSO federation. The key security requirement is to ensure each Service Provider only accepts tokens specifically intended for it.

The Audience Restriction is a SAML assertion condition specifically designed to prevent exactly this type of attack. When properly configured:

1. The Identity Provider includes an Audience element in the SAML assertion containing the unique entity identifier (URI) of the intended Service Provider
2. Each Service Provider validates that its own registered identifier is present in the Audience Restriction during assertion processing
3. If a token intended for Application A is presented to Application B, Application B will reject it because its identifier is not in the audience list
4. This creates application-level token binding that prevents cross-application token misuse, even when tokens are validly signed by a trusted IdP

Why the other answers are insufficient:

The AuthnContext element specifies authentication strength and methods used, which helps ensure users authenticated with appropriate mechanisms, but it does not bind tokens to specific Service Providers. An attacker could still replay a strong-authentication token from one application to another.

The SubjectConfirmation with bearer method and NotOnOrAfter timestamp provides temporal validity and confirms how the subject can be verified, but this doesn't prevent tokens from being used against unintended Service Providers within the valid time window.

The Conditions element with NotBefore and NotOnOrAfter timestamps restricts when tokens are valid temporally, preventing replay attacks after expiration. However, this does nothing to prevent using valid, unexpired tokens intended for one Service Provider against a different Service Provider during the valid time window.

The Audience Restriction is the specific SAML security control designed to ensure tokens can only be consumed by their intended recipients, making it the correct solution for preventing cross-application token misuse within an SSO federation.

The fundamental difference between Type 1 and Type 2 authentication factors lies in their nature and how they are stored or maintained.

Type 1 authentication factors ("something you know") are knowledge-based credentials that exist purely as information memorized by the user. This includes passwords, PINs, passphrases, and security questions. The key characteristic is that this information resides in the user's memory and cognitive space - there is no physical manifestation required.

Type 2 authentication factors ("something you have") require physical possession of a tangible item or device. This includes smart cards, security tokens, key fobs, mobile devices with authenticator apps, or USB security keys. The critical distinction is that these factors exist as physical objects external to the user that must be in their possession to authenticate.

This distinction is fundamental to multi-factor authentication (MFA) security principles. By combining factors from different categories, organizations create defense in depth - compromising one factor type doesn't compromise the entire authentication mechanism.

The other options present incorrect characterizations:

One option incorrectly attributes biological characteristics to Type 1 factors, when these actually represent Type 3 factors ("something you are"). Biometrics like fingerprints, facial recognition, and iris scans are inherent biological traits, not memorized knowledge.

Another option confuses the transmission method with the factor type itself. While knowledge factors can be transmitted electronically, this is not their defining characteristic. Additionally, not all possession factors require proximity-based or near-field communication - many work over standard network connections.

The final option focuses too narrowly on specific implementation details (password complexity policies and time-synchronized algorithms) rather than the fundamental conceptual difference between knowledge-based and possession-based authentication factors. While these may be features of certain implementations, they don't define the core distinction between the factor types.

The primary security weakness of SMS-based one-time passwords (OTPs) lies in the telecommunications infrastructure they traverse. SMS messages pass through signaling protocols, particularly the Signaling System 7 (SS7) protocol, which was designed decades ago without modern security considerations. SS7 vulnerabilities allow attackers to intercept SMS messages through various means, including routing manipulation and location tracking. Additionally, SIM swap attacks represent a critical threat where attackers social-engineer or bribe telecommunications providers to transfer a victim's phone number to a new SIM card under the attacker's control. Once the swap is complete, all SMS messages, including OTPs, are delivered to the attacker's device. These vulnerabilities exist at the telecommunications infrastructure level, making them difficult for end users or service providers to prevent.

In contrast, cryptographic authenticator methods (like TOTP apps or hardware tokens) generate codes locally using shared secrets and cryptographic algorithms, never transmitting the secret itself. This fundamental architectural difference eliminates the vulnerable telecommunications channel entirely.

The second option incorrectly suggests that SMS interception primarily occurs through radio frequency monitoring of shared transmission channels by adjacent users. While technically possible in very specific scenarios, this is not the primary vulnerability and requires sophisticated equipment and proximity. Modern cellular networks use encryption for over-the-air transmission, making this a marginal concern compared to SS7 and SIM swap attacks.

The third option misidentifies time synchronization drift as the primary weakness. While time-based OTP systems do require synchronization, this is a characteristic of TOTP algorithms themselves (used in both SMS and cryptographic authenticators), not a specific weakness of SMS delivery. Authentication systems typically have tolerance windows to accommodate minor drift.

The fourth option incorrectly claims SMS codes follow predictable patterns based on mobile numbers and carrier routing. OTP codes are generated using cryptographic functions with sufficient entropy to be unpredictable. The routing algorithms determine message delivery paths, not the code values themselves.