Exam SY0-501 topic 1 question 900 discussion

Actual exam question from CompTIA's SY0-501
Question #: 900
Topic #: 1

An organization has implemented a two-step verification process to protect user access to data that is stored in the cloud. Each employee now uses an email address or mobile number to receive a code to access the data. Which of the following authentication methods did the organization implement?

  • A. Token key
  • B. Static code
  • C. Push notification
  • D. HOTP
Suggested Answer: D

Comments

fonka
Highly Voted 3 years, 9 months ago
A) TOKEN, WRONG because it is a device with 7 digits of temp pswd.
B) Static code = Wrong, it is a software testing issue before deploying into production.
C) Push Notification = Wrong because we think of push notification like when an Uber driver came to pick us up for a ride: the app sends a push notification message saying your ride is ready. Other forms of push notification include the battery percentage on your phone, the time, antenna signal, Bluetooth, all of them found in the upper left corner of your phone. These push notifications just tell us information about our device; if you see a low battery sign, you have to charge your battery. That is all about push notification; it is not an authentication protocol.
D) HOTP, THIS IS THE CORRECT ANSWER BECAUSE: there are two types of OTP (HOTP and TOTP). What is OTP? It is a one-time password sent via the user's mobile phone or email account. For instance, when you lose your Facebook password you will try to reset the password, so to confirm your identity Facebook sends a TOTP via your mobile phone or email account. Did you get that? Move on, the answer is D D D D D D D D D D D
upvoted 5 times
SophyQueenCR82
2 years, 1 month ago
HOTP, or HMAC-based One-Time Password, is a type of two-factor authentication that uses a counter and a secret key to generate one-time passwords. It does not involve sending a code to an email address or mobile number. Instead, the user manually enters the generated code into the authentication system. In the scenario described, the user receives a code through email or SMS, which suggests the use of a push notification method of authentication.
upvoted 1 times
...
...
goodmate
Most Recent 1 year, 6 months ago
Answer C. To eliminate option D: HOTP (HMAC-based One-Time Password) can be used in offline environments. HOTP is designed to generate one-time passwords based on a shared secret and a counter value, and it does not require a real-time connection to a server for authentication. So in an offline environment you cannot use email or mobile phone.
upvoted 1 times
...
zygmunt
1 year, 9 months ago
Selected Answer: A
The answer is A. From CompTIA's book: "2-step verification or out-of-band mechanisms generate a software token on a server and send it to a resource assumed to be safely controlled by the user."
Not B - obviously an organization isn't going to use a static code for 2-step verification.
Not C - CompTIA lists push notifications alongside email, phone, and SMS as methods that can receive the token sent by 2-step verification, therefore it can't be the authentication method because that's putting the cart before the horse.
Not D - here's the trick: the token key CAN be HOTP, but there's not enough information given to confirm it's HOTP. It could be TOTP, for example. So we're sticking with token key.
upvoted 1 times
...
SophyQueenCR82
2 years, 1 month ago
C. The organization implemented a two-step verification process that involves sending a code to an email address or mobile number, which the user must then enter to access the data. This process is commonly referred to as a one-time password (OTP) authentication, where a dynamic code is used for a single login attempt and expires after use. It is not a token key, static code, or HOTP authentication, which all involve a fixed, pre-generated code that is valid for multiple login attempts. A push notification authentication sends a notification to the user's device to verify their identity, but it does not involve a code that must be entered.
upvoted 1 times
...
takomaki
2 years, 1 month ago
Selected Answer: C
I'm gonna go against the grain and say it's C. Static code can be used many times. What's the point of sending a code multiple times by email or text? If you get an email or text message, you get a notification (except for very rare cases where the email client is on the web only). Push notifications are on PC and on mobile, according to the CompTIA Sec+ Student Guide.
upvoted 1 times
...
Samo1
2 years, 2 months ago
Selected Answer: B
It's B for sure. The organization implemented a two-step verification process that uses an email address or mobile number to receive a code to access data, which indicates that the organization implemented the authentication method of static code. Static code, also known as one-time code, is a type of authentication method that provides a unique code that is sent to the user's email address or mobile number, which the user enters along with their password to access the data. Token key, push notification, and HOTP (HMAC-based One-Time Password) are all different types of authentication methods. Token key is a type of authentication that uses a physical device to generate a unique code, while push notification is a type of authentication that sends a push notification to the user's device, which the user must approve to access the data. HOTP is a type of authentication that generates a unique code based on a shared secret key and a counter.
upvoted 1 times
...
EddyC
3 years, 10 months ago
Push Notifications: Unlike emails, a push notification doesn't open a separate app before seeing a message. Instead, that message is delivered directly to a personal device (their computer screen or mobile device) and instantly seen by the recipient. HOTP (hash-based one-time password) is an authentication method that can be sent to email. Answer D. HOTP is correct.
upvoted 2 times
...
troxel
3 years, 10 months ago
HOTP is just wrong.
From the wiki on HOTP -> "Both parties compute the HOTP"
From the HOTP spec -> "The algorithm MUST be sequence- or counter-based: one of the goals is to have the HOTP algorithm embedded in high-volume devices such as Java smart cards, USB dongles, and GSM SIM cards."
From the HOTP spec -> "The algorithm MUST use a strong shared secret."
In the example given there is no shared secret, just a push authentication code, and the HOTP spec specifically mentions a hardware or software token device that independently calculates the hash code. On the other hand, the correct terminology is Push Authentication and NOT Push Notification. So there isn't any truly right answer here. Some day I hope CompTIA is audited. If they are marking people wrong for right answers there should be hell to pay. Who certifies the certifier?
upvoted 2 times
...
Freddie26
4 years ago
Read the question carefully. Push notification is the service that sends messages to mobile devices, whereas HOTP is the authentication method. C is the choice.
upvoted 1 times
skuppper_12
3 years, 11 months ago
For push notification, won't you require an app to be installed like Symantec "my vip", for you to approve or deny the connection request?
upvoted 1 times
...
Freddie26
4 years ago
Typo. D is the correct choice. The answer is HOTP in this case.
upvoted 1 times
...
...
JJJJJJames123
4 years, 1 month ago
https://blog.teamstack.com/all-about-2fa-what-is-otp-totp-and-hotp/ Hash-based One-time Password (HOTP) HOTP (hash-based one-time password) is an OTP based on events. Basically, HOTP comes with a token generation that’s only known to the server and the user. Since the OTP is sent to the user and founded on a hash algorithm, the OTP gets the name ‘hash-based one-time passwords.’
upvoted 3 times
...
Helloworld__
4 years, 3 months ago
Keyword: "Receive a code". Leans towards HOTP.
upvoted 3 times
...
JasonSignupHappy
4 years, 4 months ago
If you do a simple cursory search on Google, between HOTP and push notification, it becomes clear that push notification is the correct answer.
upvoted 2 times
Lumeya
4 years, 3 months ago
Push Notification Authentication enables user authentication by sending a push notification directly to a secure application on the user’s device, alerting them that an authentication attempt is taking place. Users can view authentication details and approve or deny access, typically via a simple press of a button. Notifications can be sent in-band or out-of-band, using any number of communications channels. Push notifications authenticate the user by confirming that the device registered with the authentication system – typically a mobile device – is in fact in the user’s possession. https://doubleoctopus.com/security-wiki/authentication/push-notification-authentication/
upvoted 2 times
...
meg999
4 years, 2 months ago
Really?! If you do a quick search then you will know that with push n. users can view authentication details and approve or deny access, typically via a simple press of a button. So how come push n. is the correct answer?
upvoted 3 times
...
JJJJJJames123
4 years, 1 month ago
Push Notification is not an authentication method
upvoted 1 times
...
...
certpro
4 years, 4 months ago
Given answer is correct, HOTP, Darril Gibson book, page 104.
upvoted 4 times
...
dulceordog
4 years, 4 months ago
I believe the supplied answer is correct. HOTP is a one-time passcode, whereas a push is a notification on a device that a login has occurred.
upvoted 4 times
...
egg_chang
4 years, 5 months ago
It sounds like "C. Push Notification"? https://doubleoctopus.com/security-wiki/authentication/push-notification-authentication/
upvoted 2 times
...
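Added example, not part of any comment above and not CompTIA's code: a Python sketch of the two mechanisms the thread contrasts, HOTP as specified in RFC 4226 (token and server each compute the code from a shared secret and a counter) and a server-generated one-time code delivered out of band. The class names, the look-ahead window of 3 and the six-digit length are assumptions for illustration; the secret is the RFC 4226 Appendix D test value.

```python
import hashlib
import hmac
import secrets
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble picks a 4-byte slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _same(a: str, b: str) -> bool:
    # Constant-time comparison so timing does not leak matching digits.
    return hmac.compare_digest(a.encode(), b.encode())

class HotpVerifier:
    """Server side of HOTP: same secret, own counter; no code is ever transmitted."""
    def __init__(self, secret: bytes, counter: int = 0, window: int = 3):
        self.secret, self.counter, self.window = secret, counter, window

    def verify(self, candidate: str) -> bool:
        # Look ahead a few counters in case the token was advanced without a login.
        for c in range(self.counter, self.counter + self.window + 1):
            if _same(hotp(self.secret, c), candidate):
                self.counter = c + 1              # resync; used and older codes now fail
                return True
        return False

class OutOfBandCodeIssuer:
    """Server generates a random code and delivers it by email/SMS; no shared secret."""
    def __init__(self):
        self.pending = {}

    def issue(self, user: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = code
        return code                               # would be handed to a mail/SMS gateway

    def verify(self, user: str, candidate: str) -> bool:
        expected = self.pending.pop(user, None)   # single use: removed on first attempt
        return expected is not None and _same(expected, candidate)

RFC4226_SECRET = b"12345678901234567890"          # test secret from RFC 4226 Appendix D
```

In the HOTP path the only thing crossing the network is the code the user types; in the out-of-band path the code itself travels over email or SMS, so its security depends on that delivery channel.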
Community vote distribution
A (35%)
C (25%)
B (20%)
Other