AWS Certified Developer – Associate — Question 381
A company is running a web application that is using Amazon Cognito for authentication. The company does not want to use multi-factor authentication (MFA) for all the visitors every time, but the company's security team has concerns about compromised credentials. The development team needs to configure mandatory MFA only when suspicious sign-in attempts are detected.
Which Amazon Cognito feature will meet these requirements?
Answer options
- A. Short message service (SMS) text message MFA
- B. Advanced security metrics
- C. Time-based one-time password (TOTP) software token MFA
- D. Adaptive authentication
Correct answer: D
Explanation
Amazon Cognito's adaptive authentication is a component of advanced security features that analyzes sign-in attempts to detect unusual behavior, such as logins from new devices or locations, and prompts for MFA only when a risk is detected. Options A and C represent standard MFA delivery methods but do not provide risk-based triggering on their own. Option B provides visibility and logging of security events but does not actively enforce conditional MFA based on risk levels.