A security architect is designing an MFA policy for a critical system. The proposed authentication process requires users to enter their password, followed by a time-based one-time password (TOTP) from an authenticator app on their smartphone, and then a final code sent via SMS to the same smartphone. Which of the following statements BEST explains the security flaw in this proposed process?
SMS-based authentication is vulnerable to SIM-swapping attacks and is no longer considered a secure practice.
Requiring three authentication steps creates excessive user friction and negatively impacts productivity.
Time-based one-time passwords (TOTP) are a knowledge factor, not a possession factor.
The authenticator app and the SMS code both represent the same possession factor because they are tied to a single device.
True multifactor authentication (MFA) requires at least two distinct authentication factors drawn from the three categories: knowledge (something you know), possession (something you have), and inherence (something you are). In the described scenario, the password is the knowledge factor. The authenticator app and the SMS message, however, are both bound to the same physical device, the smartphone, so together they represent a single possession factor rather than two. An attacker who gains control of that smartphone can pass both of the later steps at once, so the SMS prompt adds no protection beyond what the password and the TOTP already provide. The process is therefore three-step verification built on only two factors: the third step adds user friction without adding a factor, and the policy is no stronger than password plus TOTP alone.
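To make the reasoning above concrete, the following Python snippet is an added example (not part of the original question or its explanation) that models each login step by its factor category and by the "control point" an attacker must hold to pass it. Steps that share a control point collapse to one independent factor, which is exactly why the TOTP app and the SMS code on one phone count once. The step names, the "password secret" and "smartphone" control-point labels, and the fingerprint-based revised policy are assumptions made for the illustration.

```python
"""Count the independent authentication factors in a login policy.

Added example for the MFA explanation above; the policies and labels
below are constructed for illustration, not taken from any real system.
"""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class Step:
    """One prompt in the login flow.

    control_point is what an attacker must obtain to pass this step:
    the secret itself for a knowledge factor, the physical device that
    holds the secret for a possession factor, the person for inherence.
    """
    name: str
    factor: Factor
    control_point: str


def independent_factors(steps, compromised=()):
    """Map each control point the attacker does not already hold to its factor.

    Several steps bound to one control point collapse to a single entry:
    controlling that device once defeats every step tied to it.
    """
    return {s.control_point: s.factor
            for s in steps if s.control_point not in compromised}


def factor_categories(steps, compromised=()):
    """Distinct factor categories that still stand given the compromised set."""
    return set(independent_factors(steps, compromised).values())


def assess(steps):
    """Summarise a policy: prompts shown vs. factors actually provided."""
    cats = factor_categories(steps)
    return {
        "steps": len(steps),
        "independent_control_points": len(independent_factors(steps)),
        "factor_categories": len(cats),
        "true_mfa": len(cats) >= 2,
    }


# The policy from the question: three prompts, two of them on one phone
# (constructed sample input).
PROPOSED = [
    Step("password", Factor.KNOWLEDGE, "password secret"),
    Step("TOTP from authenticator app", Factor.POSSESSION, "smartphone"),
    Step("SMS code", Factor.POSSESSION, "smartphone"),
]

# Assumed fix: replace the SMS step with a biometric check so the third
# prompt is bound to a different control point and a different category.
REVISED = [
    Step("password", Factor.KNOWLEDGE, "password secret"),
    Step("TOTP from authenticator app", Factor.POSSESSION, "smartphone"),
    Step("fingerprint", Factor.INHERENCE, "user's body"),
]


if __name__ == "__main__":
    for label, policy in (("proposed", PROPOSED), ("revised", REVISED)):
        print(label, assess(policy))
        # What survives if the attacker holds the handset?
        print("  after smartphone compromise:",
              {f.name for f in factor_categories(policy, {"smartphone"})})
```

Running the script shows the proposed policy as three steps but only two independent control points and two factor categories; once the smartphone is in the attacker's hands, only the knowledge factor remains. The revised policy keeps two categories standing after the same compromise, which is the property the extra prompt was supposed to buy.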