Certified Information Systems Security Professional (CISSP) — Question 402
An information security professional is reviewing user access controls on a customer-facing application. The application must have multi-factor authentication (MFA) in place. The application currently requires a username and password to log in. Which of the following options would BEST implement MFA?
Answer options
- A. Geolocate the user and compare to previous logins
- B. Require a pre-selected number as part of the login
- C. Have the user answer a secret question that is known to them
- D. Enter an automatically generated number from a hardware token
Correct answer: D
Explanation
The correct answer is D because using an automatically generated number from a hardware token is a strong form of MFA, as it requires something the user has in addition to their password. The other options, while they may add an extra layer of security, do not meet the standard for multi-factor authentication since they rely on knowledge-based factors rather than possession-based factors.