A company's executive team is worried that an attacker might log in to its cloud provider's web portal using a stolen administrator password. They want an additional safeguard but do not want to slow down legitimate administrators. Which control BEST meets these requirements?
Force administrators to change their passwords every 24 hours
Require multifactor authentication with time-based one-time codes
Use one shared SSH key pair for all administrator accounts
Restrict portal logins to a single internal source IP per user
Implementing multifactor authentication (MFA) with a time-based one-time password (TOTP) means a stolen password alone is no longer enough to log in, while adding only a brief code-entry step for administrators. Restricting logins to a specific source IP can reduce the attack surface, but it will not block an attacker who gains access from an allowed internal host or VPN. Forcing daily password changes contradicts modern NIST guidance and often results in predictable, weaker passwords. Sharing a single private SSH key among administrators removes individual accountability, and compromise of that one key would grant access to every account.