FCP Cheat Sheet 2026

The 30 highest-yield FCP facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

90 questions
160 min time limit
80.00% to pass
  1. What security advantage does FIDO provide over OTP-based two-factor authentication? FIDO is not susceptible to real-time phishing interception of one-time codes
  2. In a DevSecOps pipeline for a FIDO relying party, which gate should block a merge if violated? The server's challenge validation was removed to simplify the code
  3. What is the purpose of code review? To identify bugs, improve code quality, and share knowledge among team members
  4. Why is FIDO authentication considered user-friendly? It eliminates password fatigue
  5. Which stored credential field is compared byte-for-byte during the WebAuthn assertion verification process? stored public key
  6. How does FIDO2 authentication protect against phishing attacks? By binding credentials to the specific origin (relying party) they were registered with
  7. What cryptographic algorithm does RS256 refer to in FIDO2 COSE notation? RSASSA-PKCS1-v1_5 with SHA-256
  8. In CTAP2 over NFC, what is the maximum data exchange unit size defined by the ISO 7816-4 APDU standard used for FIDO command framing? 65535 bytes (extended APDUs)
  9. Which WebAuthn extension should a relying party request to learn whether a newly created credential is a discoverable (resident) credential? credProps
  10. In terms of security assurance levels, which authenticator attachment modality generally provides the highest assurance against remote attacks? Roaming authenticator with hardware-backed key storage (e.g., FIDO2 security key)
  11. Which FIDO2 data structure carries the AAGUID, credential ID, and public key together in a single attestation object field? authData (authenticatorData)
  12. Which authentication method is primarily used in FIDO protocols? Public-key cryptography
  13. What is the primary IAM benefit of replacing passwords with FIDO passkeys for enterprise employees? Removing the password attack surface (phishing, credential stuffing, reuse)
  14. During FIDO2 registration, what does the relying party server do with the public key received in the attestation object? Stores it associated with the user account for future assertion verification
  15. Which network protocol is used by CTAP2 when a FIDO2 authenticator connects via USB HID? USB HID is a local bus protocol, not a network protocol — no IP layer is involved
  16. What should be included in an incident response plan? Detection, containment, eradication, recovery, and lessons learned procedures
  17. What is the purpose of the OSI model? To provide a standard framework for understanding network communications
  18. What is the role of the 'rpIdHash' in the authenticatorData structure during FIDO2 authentication? It binds the assertion to the specific relying party, preventing cross-origin replay
  19. When implementing the FIDO2 authentication ceremony, what value does the server generate and send to the client as a security measure? A cryptographic challenge (nonce)
  20. Which property of SHA-256 makes it suitable as the hash function for the clientDataHash in FIDO2, specifically protecting against second-preimage attacks? One-wayness (preimage resistance) and second-preimage resistance
  21. What is the structure of the 'flags' byte in FIDO2 authenticatorData, and which bit indicates that user presence (UP) was verified? An 8-bit bitmask; UP is bit 0 (LSB)
  22. Which of the following is NOT a standard attestation statement format defined in WebAuthn? OAuth attestation
  23. Which transport indicator should a server include when registering a USB security key to indicate the communication channel? transport: 'usb'
  24. In a FIDO2 relying party database, what is the correct data type to use for storing a credential's public key? BLOB or BYTEA (binary large object)
  25. Which WebAuthn API method is called on the client side to begin a FIDO2 authentication (assertion) ceremony? navigator.credentials.get()
  26. If a user dismisses or cancels a WebAuthn dialog, what DOMException name does the Promise reject with? NotAllowedError
  27. Where are private keys stored when using a platform authenticator such as Windows Hello or Apple Face ID? In the operating system's secure enclave or TPM
  28. Which FIDO2 client-side JavaScript API method initiates the credential creation ceremony? navigator.credentials.create()
  29. In FIDO2 database design, storing the 'transports' array alongside a credential is useful because: It allows the RP to suggest the correct authenticator during future authentication
  30. What is the CIA triad in information security? Confidentiality, Integrity, and Availability
Turn these facts into recall: