ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A security engineer must add multi-factor authentication (MFA) for employees who already sign in to an internal web application through a SAML 2.0 trust between the company's on-premises Active Directory and AWS. Management wants to avoid distributing hardware tokens, ensure that lost mobile devices can be disabled centrally, and keep administrative overhead low. Which solution best meets these requirements?
Create individual IAM users in AWS for each employee and enable a virtual MFA device such as Google Authenticator.
Integrate the on-premises Active Directory with AWS Directory Service AD Connector and enforce MFA in ADFS using an OTP mobile authenticator application.
Migrate authentication to Amazon Cognito User Pools and require SMS-based MFA for all users, creating new credentials within Cognito.
Modify the application to prompt for a second, independent password stored in a separate database table after SAML authentication completes.
Reusing the existing on-premises Active Directory and its Active Directory Federation Services (ADFS) keeps user identities in one place and lets administrators revoke access centrally through normal account management processes. By adding an MFA requirement in ADFS-such as an OATH-compliant phone application like Microsoft Authenticator-employees receive a second authentication factor without issuing physical tokens. AD Connector simply passes the credentials through to AD, so no additional AWS account management is needed. Creating separate IAM users with virtual MFA or separate Amazon Cognito identities would duplicate credentials and raise operational effort, while asking users to enter a second password provides no true second factor and remains single-factor authentication.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is SAML 2.0 and how does it help with authentication?
Open an interactive chat with Bash
What is ADFS and how does it enforce MFA?
Open an interactive chat with Bash
Why is AD Connector preferred over creating individual IAM users in this scenario?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Access Controls
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .