CompTIA Security+ (SY0-501) — Question 940

Company XYZ has decided to make use of a cloud-based service that requires mutual, certificate- based authentication with its users. The company uses SSL- inspecting IDS at its network boundary and is concerned about the confidentiality of the mutual authentication.
Which of the following model prevents the IDS from capturing credentials used to authenticate users to the new service or keys to decrypt that communication?

Answer options

• A. Use of OATH between the user and the service and attestation from the company domain
• B. Use of active directory federation between the company and the cloud-based service
• C. Use of smartcards that store x.509 keys, signed by a global CA
• D. Use of a third-party, SAML-based authentication service for attestation

Correct answer: B

Explanation

The correct answer is B because active directory federation allows for secure, token-based authentication without exposing credentials to an IDS. Options A, C, and D do not adequately prevent the IDS from capturing sensitive authentication information, making them less effective in maintaining confidentiality during the mutual authentication process.