CISSP Question #1308: Real Exam Question with Answer & Explanation

The correct answer is D: Enter an automatically generated number from a hardware token. MFA requires combining two or more distinct authentication factors: something you know, something you have, or something you are. The existing username/password satisfies 'something you know,' so a second distinct factor must be added.

Submitted by dimitri_ru · Mar 5, 2026 · Identity and Access Management

Question

An information security professional is reviewing user access controls on a customer-facing application. The application must have multi-factor authentication (MFA) in place. The application currently requires a username and password to log in. Which of the following options would BEST implement MFA?

Options

  • A. Geolocate the user and compare to previous logins
  • B. Require a pre-selected number as part of the login
  • C. Have the user answer a secret question that is known to them
  • D. Enter an automatically generated number from a hardware token

Explanation

MFA requires combining two or more distinct authentication factors: something you know, something you have, or something you are. The existing username/password satisfies 'something you know,' so a second distinct factor must be added.

Common mistakes.

  • A. Geolocation is a contextual risk signal used in adaptive authentication, not a recognized MFA factor category (know/have/are), so it does not constitute a second authentication factor.
  • B. A pre-selected number is static information the user knows in advance, making it equivalent to a second password and still within the single 'something you know' factor category, which does not satisfy MFA.
  • C. A secret question is also 'something you know,' meaning it remains within the same single factor category as the existing password and therefore does not fulfill the multi-factor requirement of using distinct factor types.

Concept tested. Multi-factor authentication factor categories

Reference. https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks

Topics

#multi-factor authentication (MFA) #authentication methods #hardware token
