CompTIA CySA+ (CS0-002) — Question 286
A security analyst is revising a company's MFA policy to prohibit the use of short message service (SMS) tokens. The Chief Information Officer has questioned this decision and asked for justification. Which of the following should the analyst provide as justification for the new policy?
Answer options
- A. SMS relies on untrusted, third-party carrier networks.
- B. SMS tokens are limited to eight numerical characters.
- C. SMS is not supported on all handheld devices in use.
- D. SMS is a cleartext protocol and does not support encryption.
Correct answer: D
Explanation
The correct answer is D because SMS is a cleartext protocol: messages can be intercepted and read by unauthorized parties, which compromises the security of the token. While option A raises a valid concern about relying on third-party carrier networks, it does not specifically address the security flaws of SMS. Options B and C are incorrect because they do not reflect the primary security issue with using SMS tokens.