Before modifying any authentication credential (such as a password reset or token provisioning), what action must be performed?


Multiple Choice

Before modifying any authentication credential (such as a password reset or token provisioning), what action must be performed?

Explanation:
Verifying the user’s identity before any change to a credential is required to stop unauthorized parties from altering passwords or tokens. If you modify a credential without confirming who is making the request, an attacker could hijack an account and lock the real owner out. Proactive identity verification—using methods like MFA, codes sent to trusted channels, or other proven checks—ensures the request comes from the legitimate user and prevents credential-based abuse.

Why the other approaches don’t work: checking identity after the modification means the attacker has already gained access or control, which defeats the purpose of the security check. Verifying only during routine rotation but not before changes leaves a window in which a malicious request could proceed unchecked. Modifying the credential and then confirming with the user relies on a reactive step that may come too late or be delayed, allowing unauthorized access to occur.

