A company IT security policy mandates multifactor authentication to access corporate email on mobile devices. An employee who has just been issued a new company phone must configure this access. The phone is already set up to receive a one-time SMS code during sign-in. Which of the following would be the BEST option to satisfy the policy's requirement for a second, distinct authentication factor?
Add multiple email addresses as a recovery option for the corporate email account.
Set up a secure folder within the device where corporate emails can be stored separately from personal data.
Configure a biometric scan, such as fingerprint or facial recognition, to be required upon accessing the corporate email application.
Instruct the employee to set a complex passcode that must be entered to unlock the device before accessing the email application.
A biometric scan (fingerprint or facial recognition) is an inherence factor ("something the user is") and therefore different from the SMS one-time code, which is a possession factor ("something the user has"). Using two different categories of factors provides true MFA and, in most environments, biometrics are considered stronger and more phishing-resistant than a knowledge factor such as a passcode.
While a complex device passcode is also a valid knowledge factor, it does not offer the same level of resistance to phishing or shoulder-surfing attacks as biometrics. Placing email in a secure folder does not add an authentication factor, and adding recovery email addresses is an account-recovery step, not authentication.