CISSP · Question #1308
An information security professional is reviewing user access controls on a customer-facing application. The application must have multi-factor authentication (MFA) in place. The application currently
The correct answer is D. Enter an automatically generated number from a hardware token. MFA requires combining two or more distinct authentication factors: something you know, something you have, or something you are. The existing username/password satisfies 'something you know,' so a second distinct factor must be added.
Question
Options
- AGeolocate the user and compare to previous logins
- BRequire a pre-selected number as part of the login
- CHave the user answer a secret question that is known to them
- DEnter an automatically generated number from a hardware token
How the community answered
(24 responses)- A8% (2)
- B13% (3)
- C4% (1)
- D75% (18)
Why each option
MFA requires combining two or more distinct authentication factors: something you know, something you have, or something you are. The existing username/password satisfies 'something you know,' so a second distinct factor must be added.
Geolocation is a contextual risk signal used in adaptive authentication, not a recognized MFA factor category (know/have/are), so it does not constitute a second authentication factor.
A pre-selected number is static information the user knows in advance, making it equivalent to a second password and still within the single 'something you know' factor category, which does not satisfy MFA.
A secret question is also 'something you know,' meaning it remains within the same single factor category as the existing password and therefore does not fulfill the multi-factor requirement of using distinct factor types.
A hardware token generates a time-based or event-based one-time password (OTP), which represents the 'something you have' factor - a physical device in the user's possession. Combined with the existing username and password ('something you know'), this satisfies the MFA requirement of using two distinct authentication factor categories, making it a true and robust MFA implementation.
Concept tested: Multi-factor authentication factor categories
Source: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks
Topics
Community Discussion
No community discussion yet for this question.