Topic 1: Access Control
What is the main concern with single sign-on?
A.
Maximum unauthorized access would be possible if a password is disclosed.
B.
The security administrator's workload would increase.
C.
The users' password would be too hard to remember.
D.
User access rights would be increased.
Maximum unauthorized access would be possible if a password is disclosed.
A major concern with Single Sign-On (SSO) is that if a user's ID and
password are compromised, the intruder would have access to all the systems that the
user was authorized for.
The following answers are incorrect:
The security administrator's workload would increase: incorrect, because the security administrator's workload would decrease, not increase. The admin would maintain a single account per user instead of multiple accounts.
The users' password would be too hard to remember: incorrect, because the users would have fewer passwords to remember.
User access rights would be increased: incorrect, because the user's access rights would be no different than if they had to log into each system manually.
In the context of biometric authentication, what is a quick way to compare the accuracy of devices? In general, the device that has the lowest value would be the most accurate.
Which of the following would be used to compare accuracy of devices?
A.
the CER is used.
B.
the FRR is used
C.
the FAR is used
D.
the FER is used
the CER is used.
equal error rate or crossover error rate (EER or CER): the rate at which both
accept and reject errors are equal. The value of the EER can be easily obtained from the
ROC curve. The EER is a quick way to compare the accuracy of devices with different
ROC curves. In general, the device with the lowest EER is most accurate.
In the context of Biometric Authentication almost all types of detection permit a system's
sensitivity to be increased or decreased during an inspection process. If the system's
sensitivity is increased, such as in an airport metal detector, the system becomes
increasingly selective and has a higher False Reject Rate (FRR).
Conversely, if the sensitivity is decreased, the False Acceptance Rate (FAR) will increase.
Thus, to have a valid measure of the system performance, the CrossOver Error Rate
(CER) is used. The following are used as performance metrics for biometric systems:
false accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percent of invalid inputs which are incorrectly accepted. On a similarity scale, if the person is really an impostor but the matching score is higher than the threshold, the person is treated as genuine; this raises the FAR, so performance also depends on the selection of the threshold value.
false reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a match between the input pattern and a matching template in the database. It measures the percent of valid inputs which are incorrectly rejected.
failure to enroll rate (FTE or FER): the rate at which attempts to create a template from an input are unsuccessful. This is most commonly caused by low quality inputs.
failure to capture rate (FTC): within automatic systems, the probability that the system fails to detect a biometric input when presented correctly.
template capacity: the maximum number of sets of data which can be stored in the system.
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 37.
and
Wikipedia at: https://en.wikipedia.org/wiki/Biometrics
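The threshold trade-off and the crossover point described above, as an added worked example (not code from the cited references). It assumes a similarity-score matcher where an input is accepted when its score reaches the decision threshold; the genuine and impostor score lists for the two devices are constructed sample data, and the function names are this example's own.

```python
"""Biometric error rates from sample match scores (added worked example).

Assumes a similarity-score matcher: an input is accepted when score >= threshold.
'genuine' scores are attempts by the enrolled user, 'impostor' scores are
attempts by other people. All score lists are constructed sample data.
"""
from typing import Dict, Sequence, Tuple


def false_accept_rate(impostor: Sequence[float], threshold: float) -> float:
    """FAR: share of impostor attempts whose score reaches the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_reject_rate(genuine: Sequence[float], threshold: float) -> float:
    """FRR: share of genuine attempts whose score falls below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def crossover_error_rate(genuine: Sequence[float],
                         impostor: Sequence[float]) -> Tuple[float, float]:
    """Return (threshold, CER).

    Sweeps every observed score as a candidate threshold (so the sweep is exact)
    and picks the threshold where FAR and FRR are closest; the CER is the mean
    of the two rates there, which equals both when they cross exactly.
    """
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = false_accept_rate(impostor, t), false_reject_rate(genuine, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


def most_accurate(devices: Dict[str, Tuple[Sequence[float], Sequence[float]]]) -> str:
    """Rank devices by CER: the lowest CER is the most accurate."""
    return min(devices, key=lambda name: crossover_error_rate(*devices[name])[1])


# Constructed sample data: device A separates users from impostors well,
# device B's genuine and impostor score distributions overlap heavily.
DEVICE_A = (
    [0.95, 0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.40, 0.30],  # genuine
    [0.05, 0.10, 0.15, 0.20, 0.25, 0.35, 0.45, 0.55, 0.62, 0.68],  # impostor
)
DEVICE_B = (
    [0.90, 0.80, 0.70, 0.60, 0.55, 0.50, 0.45, 0.40, 0.35, 0.20],  # genuine
    [0.10, 0.20, 0.30, 0.40, 0.45, 0.50, 0.55, 0.60, 0.65, 0.75],  # impostor
)

if __name__ == "__main__":
    for name, (gen, imp) in {"A": DEVICE_A, "B": DEVICE_B}.items():
        for t in (0.5, 0.7):  # raising the threshold lowers FAR and raises FRR
            print(name, "threshold", t, "FAR", false_accept_rate(imp, t),
                  "FRR", false_reject_rate(gen, t))
        print(name, "(threshold, CER) =", crossover_error_rate(gen, imp))
    print("most accurate:", most_accurate({"A": DEVICE_A, "B": DEVICE_B}))
```

Running the script shows the metal-detector effect from the text: moving device A's threshold from 0.5 to 0.7 drives its FAR to zero while its FRR climbs to 0.4, and the CER comparison ranks A (CER 0.2) ahead of B (CER about 0.45) without having to pick a common threshold first.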
What is called the verification that the user's claimed identity is valid and is usually
implemented through a user password at log-on time?
A.
Authentication
B.
Identification
C.
Integrity
D.
Confidentiality
Authentication
Authentication is verification that the user's claimed identity is valid and is
usually implemented through a user password at log-on time.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.
RADIUS incorporates which of the following services?
A.
Authentication server and PIN codes.
B.
Authentication of clients and static passwords generation.
C.
Authentication of clients and dynamic passwords generation.
D.
Authentication server as well as support for Static and Dynamic passwords.
Authentication server as well as support for Static and Dynamic passwords.
A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response which is returned.
RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user.
RADIUS authentication is based on provisions of simple username/password credentials. These credentials are encrypted by the client using a shared secret between the client and the RADIUS server. OIG 2007, Page 513
RADIUS incorporates an authentication server and can make use of both dynamic and static passwords.
Since it uses the PAP and CHAP protocols, it also includes static passwords.
RADIUS is an Internet protocol. RADIUS carries authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server. RADIUS features and functions are described primarily in the IETF (Internet Engineering Task Force) document RFC2138.
The term "RADIUS" is an acronym which stands for Remote Authentication Dial In User Service.
The main advantage to using a RADIUS approach to authentication is that it can provide a stronger form of authentication. RADIUS is capable of using a strong, two-factor form of authentication, in which users need to possess both a user ID and a hardware or software token to gain access.
Token-based schemes use dynamic passwords. Every minute or so, the token generates a
unique 4-, 6- or 8-digit access number that is synchronized with the security server. To gain
entry into the system, the user must generate both this one-time number and provide his or
her user ID and password.
Although protocols such as RADIUS cannot protect against theft of an authenticated session via some realtime attacks, such as wiretapping, using unique, unpredictable authentication requests can protect against a wide range of active attacks.
RADIUS: Key Features and Benefits
Feature: RADIUS supports dynamic passwords and challenge/response passwords.
Benefit: Improved system security due to the fact that passwords are not static. It is much more difficult for a bogus host to spoof users into giving up their passwords or password-generation algorithms.
Feature: RADIUS allows the user to have a single user ID and password for all computers in a network.
Benefit: Improved usability due to the fact that the user has to remember only one login combination.
Feature: RADIUS is able to:
Prevent RADIUS users from logging in via login (or ftp).
Require them to log in via login (or ftp).
Require them to login to a specific network access server (NAS).
Control access by time of day.
Benefit: Provides very granular control over the types of logins allowed, on a per-user basis.
The time-out interval for failing over from an unresponsive primary RADIUS server to a backup RADIUS server is site-configurable.
RADIUS gives the System Administrator more flexibility in managing which users can login from which hosts or devices.
Stratus Technology Product Brief
http://www.stratus.com/products/vos/openvos/radius.htm
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 43, 44.
Also check: MILLER, Lawrence & GREGORY, Peter, CISSP for Dummies, 2002, Wiley
Publishing, Inc., pages 45-46.
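The two places where the client/server shared secret described above is actually used, as an added worked example (not code from the cited books or from any RADIUS product): hiding the PAP password in the Access-Request, and checking the Response Authenticator on the server's reply. It follows RFC 2865 (the successor to the RFC2138 cited above) and uses only the Python standard library; the secret, the Request Authenticator and the passwords are constructed sample values, and the function names are this example's own.

```python
"""RADIUS User-Password hiding and Response Authenticator (RFC 2865).

Added worked example, not code from the cited books or any RADIUS product.
All secrets, authenticators and passwords here are constructed sample values.
"""
import hashlib
import hmac

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a PAP password as the NAS does (RFC 2865 section 5.2).

    The password is null-padded to a multiple of 16 octets (minimum 16); each
    16-octet chunk is XORed with MD5(secret + previous chunk), where the first
    "previous chunk" is the 16-octet Request Authenticator. This keys the
    obfuscation to the shared secret, but it is not a modern cipher.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows a User-Password of 1 to 128 octets")
    padded_len = ((len(password) + 15) // 16) * 16
    padded = password.ljust(padded_len, b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, padded_len, 16):
        stream = _md5(secret, prev)
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], stream))
        hidden += chunk
        prev = chunk  # chaining: the next keystream depends on this chunk
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the null padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = _md5(secret, prev)
        chunk = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(chunk, stream))
        prev = chunk
    return clear.rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3.

    Length covers the 20-octet header plus the attributes.
    """
    length = 20 + len(attributes)
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return _md5(header, request_auth, attributes, secret)


def reply_is_authentic(code: int, identifier: int, attributes: bytes,
                       request_auth: bytes, secret: bytes, received: bytes) -> bool:
    """NAS-side check that the reply was built by a holder of the shared secret
    for this request (constant-time compare of the recomputed authenticator)."""
    expected = response_authenticator(code, identifier, attributes, request_auth, secret)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))  # constructed; a real NAS uses a random value per request
    hidden = hide_password(b"correct horse battery staple", secret, request_auth)
    print("hidden User-Password:", hidden.hex())
    print("server recovers:", reveal_password(hidden, secret, request_auth))
    auth = response_authenticator(ACCESS_ACCEPT, 7, b"", request_auth, secret)
    print("reply authentic:", reply_is_authentic(ACCESS_ACCEPT, 7, b"", request_auth, secret, auth))
```

The round trip only works when both sides hold the same secret and the server uses the Request Authenticator from that exact request, which is why the authenticator must be unpredictable and the secret must be distinct per NAS; the reply check is what lets the NAS reject an Access-Accept forged by a host that does not know the secret.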
What is called the act of a user professing an identity to a system, usually in the form of a
log-on ID?
A.
Authentication
B.
Identification
C.
Authorization
D.
Confidentiality
Identification
Identification is the act of a user professing an identity to a system, usually in
the form of a log-on ID to the system.
Identification is nothing more than claiming you are somebody. You identify yourself when
you speak to someone on the phone that you don’t know, and they ask you who they’re
speaking to. When you say, “I’m Jason.”, you’ve just identified yourself.
In the information security world, this is analogous to entering a username. It’s not
analogous to entering a password. Entering a password is a method for verifying that you
are who you identified yourself as.
NOTE: The word "professing" used above means: "to say that you are, do, or feel something when other people doubt what you say". This is exactly what happens when you provide your identifier (identification): you claim to be someone, but the system cannot take your word for it, so you must further authenticate to the system to prove who you claim to be.
The following are incorrect answers:
Authentication: is how one proves that they are who they say they are. When you claim to
be Jane Smith by logging into a computer system as “jsmith”, it’s most likely going to ask
you for a password. You’ve claimed to be that person by entering the name into the
username field (that’s the identification part), but now you have to prove that you are really
that person.
Many systems use a password for this, which is based on “something you know”, i.e. a
secret between you and the system.
Another form of authentication is presenting something you have, such as a driver’s license, an RSA token, or a smart card.
You can also authenticate via something you are. This is the foundation for biometrics.
When you do this, you first identify yourself and then submit a thumb print, a retina scan, or
another form of bio-based authentication.
Once you’ve successfully authenticated, you have now done two things: you’ve claimed to
be someone, and you’ve proven that you are that person. The only thing that’s left is for the
system to determine what you’re allowed to do.
Authorization: is what takes place after a person has been both identified and authenticated; it's the step that determines what a person can then do on the system.
An example in people terms would be someone knocking on your door at night. You say,
“Who is it?”, and wait for a response. They say, “It’s John.” in order to identify themselves.
You ask them to back up into the light so you can see them through the peephole. They do
so, and you authenticate them based on what they look like (biometric). At that point you decide they can come inside the house.
If they had said they were someone you didn’t want in your house (identification), and you
then verified that it was that person (authentication), the authorization phase would not
include access to the inside of the house.
Confidentiality: is one part of the CIA triad. It prevents sensitive information from reaching the wrong people, while making sure that the right people can in fact get it. A good example is a credit card number while shopping online: the merchant needs it to clear the transaction, but you do not want your information exposed over the network, so you would use a secure link such as SSL, TLS, or some tunneling tool to protect the information from prying eyes between point A and point B. Data encryption is a common method of ensuring confidentiality.
The other parts of the CIA triad are listed below:
Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a breach of confidentiality). In addition, some means must be in place to detect any changes in data that might occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or server crash. If an unexpected change occurs, a backup copy must be available to restore the affected data to its correct state.
Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed, providing a certain measure of redundancy and failover, providing adequate communications bandwidth and preventing the occurrence of bottlenecks, implementing emergency backup power systems, keeping current with all necessary system upgrades, and guarding against malicious actions such as denial-of-service (DoS) attacks.
Reference used for this question:
http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
http://www.danielmiessler.com/blog/security-identification-authentication-and-authorization
http://www.merriam-webster.com/dictionary/profess
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 36.
Which of the following is most relevant to determining the maximum effective cost of
access control?
A.
the value of information that is protected
B.
management's perceptions regarding data importance
C.
budget planning related to base versus incremental spending
D.
the cost to replace lost data
the value of information that is protected
The cost of access control must be commensurate with the value of the
information that is being protected.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 49.
Which of the following describes the major disadvantage of many Single Sign-On (SSO)
implementations?
A.
Once an individual obtains access to the system through the initial log-on, they have access to all resources within the environment that the account has access to.
B.
The initial logon process is cumbersome to discourage potential intruders.
C.
Once a user obtains access to the system through the initial log-on, they only need to
logon to some applications
D.
Once a user obtains access to the system through the initial log-on, he has to logout
from all other systems
Once an individual obtains access to the system through the initial log-on, they have access to all resources within the environment that the account has access to.
Single Sign-On is a distributed Access Control methodology where an individual only has to authenticate once and would have access to all primary and secondary network domains. The individual would not be required to re-authenticate when they needed additional resources. The security issue that this creates is that if a fraudster is able to compromise those credentials, they too would have access to all the resources that the account has access to.
All the other answers are incorrect as they are distractors.
How are memory cards and smart cards different?
A.
Memory cards normally hold more memory than smart cards
B.
Smart cards provide a two-factor authentication whereas memory cards don't
C.
Memory cards have no processing power
D.
Only smart cards can be used for ATM cards
Memory cards have no processing power
The main difference between memory cards and smart cards is their capacity
to process information. A memory card holds information but cannot process information. A
smart card holds information and has the necessary hardware and software to actually
process that information.
A memory card holds a user's authentication information, so that this user needs only type in a user ID or PIN and present the memory card to the system.
If the entered information and the stored information match and are approved by an authentication service, the user is successfully authenticated.
A common example of a memory card is a swipe card used to provide entry to a building.
The user enters a PIN and swipes the memory card through a card reader. If this is the
correct combination, the reader flashes green and the individual can open the door and
enter the building.
Memory cards can also be used with computers, but they require a reader to process the information. The reader adds cost to the process, especially when one is needed for every computer. Additionally, the overhead of PIN and card generation adds complexity to the whole authentication process. However, a memory card provides a more secure authentication method than using only a password because the attacker would need to obtain the card and know the correct PIN.
Administrators and management need to weigh the costs and benefits of a memory card implementation as well as the security needs of the organization to determine if it is the right authentication mechanism for their environment.
One of the most prevalent weaknesses of memory cards is that data stored on the card are
not protected. Unencrypted data on the card (or stored on the magnetic strip) can be
extracted or copied. Unlike a smart card, where security controls and logic are embedded
in the integrated circuit, memory cards do not employ an inherent mechanism to protect the
data from exposure.
Very little trust can be associated with confidentiality and integrity of information on the
memory cards.
The following answers are incorrect:
"Smart cards provide two-factor authentication whereas memory cards don't" is incorrect. This is not necessarily true. A memory card can be combined with a PIN or password to offer two-factor authentication, where something you have and something you know are used as the factors.
"Memory cards normally hold more memory than smart cards" is incorrect. While a memory card may or may not have more memory than a smart card, this is certainly not the best answer to the question.
"Only smart cards can be used for ATM cards" is incorrect. This depends on the decisions made by the particular institution and is not the best answer to the question.
Reference(s) used for this question:
Shon Harris, CISSP All In One, 6th edition, Access Control, Page 199; for people using the Kindle edition of the book you can look at Locations 4647-4650.
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition :
Access Control ((ISC)2 Press) (Kindle Locations 2124-2139). Auerbach Publications.
Kindle Edition
Passwords can be required to change monthly, quarterly, or at other intervals:
A.
depending on the criticality of the information needing protection
B.
depending on the criticality of the information needing protection and the password's
frequency of use
C.
depending on the password's frequency of use
D.
not depending on the criticality of the information needing protection but depending on
the password's frequency of use
depending on the criticality of the information needing protection and the password's
frequency of use
Passwords can be compromised and must be protected. In the ideal case, a
password should only be used once. The changing of passwords can also fall between
these two extremes. Passwords can be required to change monthly, quarterly, or at other
intervals, depending on the criticality of the information needing protection and the
password's frequency of use. Obviously, the more times a password is used, the more
chance there is of it being compromised.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36 & 37.
Which of the following access control models requires defining classification for objects?
A.
Role-based access control
B.
Discretionary access control
C.
Identity-based access control
D.
Mandatory access control
Mandatory access control
With mandatory access control (MAC), the authorization of a subject's access to an object is dependent upon labels, which indicate the subject's clearance and the classification of objects.
The Following answers were incorrect:
Identity-based Access Control is a type of Discretionary Access Control (DAC), they are
synonymous.
Role Based Access Control (RBAC) and Rule Based Access Control (RuBAC or RBAC)
are types of Non Discretionary Access Control (NDAC).
Tip:
When you have two answers that are synonymous, they are not the right choice for sure.
There is only one access control model that makes use of Labels, Clearances, and Categories: Mandatory Access Control. None of the others makes use of those items.
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).
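The label comparison that MAC performs, as an added worked example (illustration code, not from the cited CISSP guide). It assumes the standard lattice "dominates" rule: a subject's clearance dominates an object's classification when the clearance level is at least the classification level and the subject's category set contains every category on the object, and read access is granted only when the clearance dominates the classification. The level names, categories and sample subjects and objects are constructed, as are the function names.

```python
"""Label-based read decision for Mandatory Access Control (added worked example).

Illustration code, not from the cited CISSP guide. Assumes the standard
lattice rule: clearance dominates classification when its level is at least
the classification level AND its categories include all of the object's
categories. Level names, categories and sample labels are constructed.
"""
from dataclasses import dataclass, field
from typing import FrozenSet

# Constructed sensitivity hierarchy; a higher number is more sensitive.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A clearance (on a subject) or a classification (on an object)."""
    level: str
    categories: FrozenSet[str] = field(default_factory=frozenset)

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """Level at least other's level, and categories a superset of other's."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def may_read(clearance: Label, classification: Label) -> bool:
    """MAC read check driven purely by the two labels.

    Unlike DAC, the object's owner has no say: the label is what decides."""
    return clearance.dominates(classification)


def explain(clearance: Label, classification: Label) -> str:
    """Human-readable reason for the decision, useful when auditing a denial."""
    if LEVELS[clearance.level] < LEVELS[classification.level]:
        return (f"denied: clearance {clearance.level} is below "
                f"classification {classification.level}")
    missing = classification.categories - clearance.categories
    if missing:
        return "denied: subject lacks categories " + ", ".join(sorted(missing))
    return "granted"


if __name__ == "__main__":
    alice = Label("SECRET", frozenset({"NUCLEAR"}))       # constructed clearance
    objects = {
        "report": Label("SECRET", frozenset({"NUCLEAR"})),  # same level and category
        "memo": Label("CONFIDENTIAL"),                       # lower level, no categories
        "plan": Label("TOP SECRET", frozenset({"NUCLEAR"})), # level too high for alice
        "keys": Label("SECRET", frozenset({"CRYPTO"})),      # category alice lacks
    }
    for name, label in objects.items():
        print(f"{name:7} {may_read(alice, label)!s:5} {explain(alice, label)}")
```

Running it shows why the tip above singles out MAC: the same subject is granted the report and the memo but denied the plan (level) and the keys (category), and nothing the object's owner does can change that outcome; only the labels can.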