nerdexam
(ISC)2

CISSP · Question #1308

An information security professional is reviewing user access controls on a customer-facing application. The application must have multi-factor authentication (MFA) in place. The application currently

The correct answer is D. Enter an automatically generated number from a hardware token. MFA requires combining two or more distinct authentication factors: something you know, something you have, or something you are. The existing username/password satisfies 'something you know,' so a second distinct factor must be added.

Submitted by dimitri_ru· Mar 5, 2026Identity and Access Management

Question

An information security professional is reviewing user access controls on a customer-facing application. The application must have multi-factor authentication (MFA) in place. The application currently requires a username and password to login. Which of the following options would BEST implement MFA?

Options

  • AGeolocate the user and compare to previous logins
  • BRequire a pre-selected number as part of the login
  • CHave the user answer a secret question that is known to them
  • DEnter an automatically generated number from a hardware token

How the community answered

(24 responses)
  • A
    8% (2)
  • B
    13% (3)
  • C
    4% (1)
  • D
    75% (18)

Why each option

MFA requires combining two or more distinct authentication factors: something you know, something you have, or something you are. The existing username/password satisfies 'something you know,' so a second distinct factor must be added.

AGeolocate the user and compare to previous logins

Geolocation is a contextual risk signal used in adaptive authentication, not a recognized MFA factor category (know/have/are), so it does not constitute a second authentication factor.

BRequire a pre-selected number as part of the login

A pre-selected number is static information the user knows in advance, making it equivalent to a second password and still within the single 'something you know' factor category, which does not satisfy MFA.

CHave the user answer a secret question that is known to them

A secret question is also 'something you know,' meaning it remains within the same single factor category as the existing password and therefore does not fulfill the multi-factor requirement of using distinct factor types.

DEnter an automatically generated number from a hardware tokenCorrect

A hardware token generates a time-based or event-based one-time password (OTP), which represents the 'something you have' factor - a physical device in the user's possession. Combined with the existing username and password ('something you know'), this satisfies the MFA requirement of using two distinct authentication factor categories, making it a true and robust MFA implementation.

Concept tested: Multi-factor authentication factor categories

Source: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks

Topics

#multi-factor authentication (MFA)#authentication methods#hardware token

Community Discussion

No community discussion yet for this question.

Full CISSP Practice