Does it look bad if I couldn't answer this question in an interview for a security engineering role?

During an interview for a security engineering position, the candidate was unable to correctly answer a question about the risks of a web application without SSO (Single Sign-On). The candidate mentioned weak authentication and emphasized the need for MFA (Multi-Factor Authentication) and good account and password lockout policies. After the interview, the candidate discovered that the expected answer involved phishing and fake login pages.