A financial services company is redesigning its authentication system for customer-facing applications. The security architect is evaluating two proposals:
Proposal 1: A complex multi-layered solution integrating five different authentication mechanisms (passwords, biometrics, SMS one-time passwords, knowledge-based questions, and hardware tokens) with custom middleware to handle varying authentication paths.
Proposal 2: A streamlined two-factor authentication solution using passwords and push notifications to mobile devices, with standard API integration points.
From a security design perspective, which proposal better adheres to secure design principles?
Proposal 1, because it accounts for more authentication factors and therefore provides stronger security
Proposal 2, because two-factor authentication is the industry standard for financial applications
Proposal 1, because it implements more layers of security controls for defense in depth
Proposal 2, because simpler systems with fewer components are easier to secure, validate, and maintain
Proposal 2 adheres to the "Keep it simple and small" security principle, which states that security mechanisms should be as simple as possible while still meeting requirements. Complex systems (like Proposal 1) create more potential attack vectors, are harder to test thoroughly and more difficult to maintain, and increase the likelihood of configuration errors. The complex multi-layered system with custom middleware introduces numerous integration points that must be secured and maintained.
Simpler designs are easier to analyze for security weaknesses, implement correctly, test thoroughly, and maintain over time. The streamlined two-factor approach in Proposal 2 provides strong authentication with fewer components that could potentially fail or be exploited. This makes it easier to ensure the security controls are implemented correctly and consistently.
While defense in depth is valuable, unnecessary complexity often creates more security problems than it solves. A focused, simple, and well-implemented security control is generally more effective than a complex solution with many moving parts.
ISC2 CISSP
Security Architecture and Engineering