CompTIA CASP+ (CAS-004) — Question 455
A security architect is making recommendations for a new system that will be built to store and exchange health records. The application will be a single-page application that calls server-side, web-based API endpoints. Due to compliance implications, the system must meet the following security requirements:
• Resistance to session takeover attacks
• Able to revoke access if a system compromise is suspected
• Able to authenticate the user by employing best practices
Which of the following should the architect do to best meet the requirements?
Answer options
- A. Implement OpenID Connect with granular scopes for data access.
- B. Leverage OAuth with the implicit Grant type.
- C. Configure role-based access control using LDAP.
- D. Utilize Kerberos to implement role-based access control.
- E. Use the Extensible Authentication Protocol.
Correct answer: A
Explanation
The correct answer is A. OpenID Connect (OIDC) is an identity layer on top of OAuth 2.0 and is the current best practice for authenticating users of a single-page application that calls web APIs. It addresses each requirement:

• Resistance to session takeover: the SPA uses the authorization code flow with PKCE (RFC 7636), so tokens are never returned in the browser URL, the authorization code cannot be redeemed by an attacker who intercepts it, and the ID token carries a nonce that ties it to the login attempt. The API receives short-lived bearer tokens rather than a long-lived session cookie.
• Revocation: access tokens are short-lived and the refresh tokens used to renew them can be revoked at the provider's revocation endpoint (RFC 7009), so an organisation that suspects a compromise can cut off a user, a client, or a whole session from one place; OIDC session management and back-channel logout extend this to active browser sessions.
• Authentication by best practices: the identity provider performs the login, can enforce MFA and report it in the ID token's acr/amr claims, and the application never handles passwords. The granular scopes in option A apply least privilege to the health data each API call may touch.

Option B, the implicit grant, is the opposite of what is needed: it returns the access token in the URL fragment (exposed to browser history, referrer leakage and injected scripts), offers no client authentication and no refresh token, and is deprecated by the OAuth 2.0 Security Best Current Practice and removed in OAuth 2.1. Options C and D are authorization mechanisms rather than user authentication for a browser-based application: RBAC over LDAP does not establish a web session, and Kerberos assumes a domain-joined intranet with a reachable KDC, which a public SPA calling API endpoints does not have. Option E, EAP, is a framework for network access authentication (802.1X, Wi-Fi, VPN), not for authenticating users to a web application.