A company has experienced several credential-stuffing attacks that reuse employees' leaked passwords. The security team wants an additional safeguard so that, even when a valid password is entered, access is granted only after the user proves physical possession of a trusted device. Which solution satisfies this requirement?
Automatically lock the account after five failed login attempts
Require a time-based one-time passcode generated by an authenticator app
Enforce passwords of at least 20 characters with symbols
Add knowledge-based security questions about personal history
Requiring a time-based one-time passcode (TOTP) from an authenticator app adds a second factor based on possession. The code is computed from a secret seed stored on the enrolled device and the current time, so an attacker who has the leaked password still cannot complete the login without that device, and a code that is captured expires with its 30-second window. The other options never leave the single factor the attacker already controls: a longer password and knowledge-based questions are both something you know, and an account lockout does nothing against credential stuffing, where the correct password is entered on the first attempt.
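As an added illustration, not part of the original question, the following Python shows what the authenticator app and the server each compute: HOTP (RFC 4226) over a time-derived counter, which is TOTP (RFC 6238), plus the server-side verification that both factors must pass. The seed is the RFC 6238 Appendix B test key, not a real credential; the Base32 form, the `login()` helper and the acceptance window of one step either side are assumptions made for this example.

```python
"""TOTP (RFC 6238) generation and verification.

Added example, not part of the original question. The seed below is the
RFC 6238 Appendix B test key, not a real enrolled credential.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed: the shared seed an authenticator app stores at enrollment, in the
# Base32 form that otpauth:// QR codes carry. It decodes to the RFC 6238 test
# key b"12345678901234567890".
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def seed_from_base32(seed: str) -> bytes:
    """Decode a Base32 seed the way authenticator apps accept it (case- and padding-insensitive)."""
    seed = seed.strip().replace(" ", "").upper()
    seed += "=" * (-len(seed) % 8)          # restore the padding that QR codes omit
    return base64.b32decode(seed)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                  # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time, so the code
    changes every `step` seconds and is useless after the step it was minted in."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side to
    absorb phone clock skew; compares in constant time so timing does not leak digits."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def login(password_ok: bool, secret: bytes, submitted_code: str, at: int) -> bool:
    """Hypothetical login gate: both factors must pass, so a leaked password alone never grants access."""
    return password_ok and verify_totp(secret, submitted_code, at)


if __name__ == "__main__":
    seed = seed_from_base32(DEMO_SEED_B32)
    now = int(time.time())
    code = totp(seed, now)
    print("device shows:", code)
    print("password + fresh code:", login(True, seed, code, now))
    print("password + stolen code, 2 minutes later:", login(True, seed, code, now + 120))
```

The point the question turns on is visible in `verify_totp`: without the seed there is nothing to HMAC, so a stuffed password cannot produce a valid code, and a code captured from an earlier step fails once the window has moved on. One caveat a practitioner should keep in mind is that TOTP proves possession of the seed rather than of a particular piece of hardware; if the seed is exported or enrolled on a second device, the factor goes with it.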