FCP Cheat Sheet 2026
The 30 highest-yield FCP facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
90 questions
160 min time limit
80.00% to pass
- What security advantage does FIDO provide over OTP-based two-factor authentication? → FIDO is not susceptible to real-time phishing interception of one-time codes
- In a DevSecOps pipeline for a FIDO relying party, which gate should block a merge if violated? → The server's challenge validation was removed to simplify the code
- What is the purpose of code review? → To identify bugs, improve code quality, and share knowledge among team members
- Why is FIDO authentication considered user-friendly? → It eliminates password fatigue
- Which stored credential field is compared byte-for-byte during the WebAuthn assertion verification process? → stored public key
- How does FIDO2 authentication protect against phishing attacks? → By binding credentials to the specific origin (relying party) they were registered with
- What cryptographic algorithm does RS256 refer to in FIDO2 COSE notation? → RSASSA-PKCS1-v1_5 with SHA-256
- In CTAP2 over NFC, what is the maximum data exchange unit size defined by the ISO 7816-4 APDU standard used for FIDO command framing? → 65535 bytes (extended APDUs)
- Which WebAuthn extension should a relying party request to learn whether a newly created credential is a discoverable (resident) credential? → credProps
- In terms of security assurance levels, which authenticator attachment modality generally provides the highest assurance against remote attacks? → Roaming authenticator with hardware-backed key storage (e.g., FIDO2 security key)
- Which FIDO2 data structure carries the AAGUID, credential ID, and public key together in a single attestation object field? → authData (authenticatorData)
- Which authentication method is primarily used in FIDO protocols? → Public-key cryptography
- What is the primary IAM benefit of replacing passwords with FIDO passkeys for enterprise employees? → Removing the password attack surface (phishing, credential stuffing, reuse)
- During FIDO2 registration, what does the relying party server do with the public key received in the attestation object? → Stores it associated with the user account for future assertion verification
- Which network protocol is used by CTAP2 when a FIDO2 authenticator connects via USB HID? → USB HID is a local bus protocol, not a network protocol — no IP layer is involved
- What should be included in an incident response plan? → Detection, containment, eradication, recovery, and lessons learned procedures
- What is the purpose of the OSI model? → To provide a standard framework for understanding network communications
- What is the role of the 'rpIdHash' in the authenticatorData structure during FIDO2 authentication? → It binds the assertion to the specific relying party, preventing cross-origin replay
- When implementing the FIDO2 authentication ceremony, what value does the server generate and send to the client as a security measure? → A cryptographic challenge (nonce)
- Which property of SHA-256 makes it suitable as the hash function for the clientDataHash in FIDO2, specifically protecting against second-preimage attacks? → One-wayness (preimage resistance) and second-preimage resistance
- What is the structure of the 'flags' byte in FIDO2 authenticatorData, and which bit indicates that user presence (UP) was verified? → An 8-bit bitmask; UP is bit 0 (LSB)
- Which of the following is NOT a standard attestation statement format defined in WebAuthn? → OAuth attestation
- Which transport indicator should a server include when registering a USB security key to indicate the communication channel? → transport: 'usb'
- In a FIDO2 relying party database, what is the correct data type to use for storing a credential's public key? → BLOB or BYTEA (binary large object)
- Which WebAuthn API method is called on the client side to begin a FIDO2 authentication (assertion) ceremony? → navigator.credentials.get()
- If a user dismisses or cancels a WebAuthn dialog, what DOMException name does the Promise reject with? → NotAllowedError
- Where are private keys stored when using a platform authenticator such as Windows Hello or Apple Face ID? → In the operating system's secure enclave or TPM
- Which FIDO2 client-side JavaScript API method initiates the credential creation ceremony? → navigator.credentials.create()
- In FIDO2 database design, storing the 'transports' array alongside a credential is useful because: → It allows the RP to suggest the correct authenticator during future authentication
- What is the CIA triad in information security? → Confidentiality, Integrity, and Availability
Turn these facts into recall: