Exam SY0-601 topic 1 question 45 discussion

Actual exam question from CompTIA's SY0-601
Question #: 45
Topic #: 1

A company suspects that some corporate accounts were compromised. The number of suspicious logins from locations not recognized by the users is increasing.
Employees who travel need their accounts protected without the risk of blocking legitimate login requests that may be made over new sign-in properties. Which of the following security controls can be implemented?

  • A. Enforce MFA when an account request reaches a risk threshold.
  • B. Implement geofencing to only allow access from headquarters.
  • C. Enforce time-based login requests that align with business hours.
  • D. Shift the access control scheme to a discretionary access control.
Suggested Answer: A

Comments

stoneface
Highly Voted 2 years, 10 months ago
Selected Answer: A
Enforce MFA is the most convenient way
upvoted 16 times
varun0
2 years, 10 months ago
Agreed
upvoted 5 times
...
...
rodwave
Highly Voted 2 years, 7 months ago
Selected Answer: A
Answer: Enforce MFA when an account request reaches a risk threshold. This is likely the most convenient implementation that would work for all employees, as an additional element(s) would be needed for authentication/authorization.
(B) Implementing geofencing to only allow access from headquarters might stop the suspicious logins; however, it would be inconvenient for employees not physically located near headquarters, such as the traveling employees.
(C) Enforcing time-based login requests to align with business hours could also be inconvenient for traveling/global employees that work at different times compared to the business's normal business hours.
(D) With discretionary access control, the owner of a resource can decide who can have access to the resource, and you can modify the access at any time. The option to shift the access control scheme to a discretionary access control wouldn't really address the login issue either if the account of someone who is authorized to access a resource was compromised. The attacker can still access the resource using their credentials.
upvoted 15 times
...
MortG7
Most Recent 1 year, 8 months ago
A is the correct answer, however, any security admin worth their salt would have it enforced already..it is a no brainer...why wait for a damn threshold.
upvoted 6 times
JarnBarn
1 year, 7 months ago
LOLZ. Was hoping to find this comment verbatim.
upvoted 1 times
...
GenerativeAI
1 year, 5 months ago
True. I agree with you brother. 🤝
upvoted 2 times
...
...
Protract8593
1 year, 11 months ago
Selected Answer: A
Enforcing Multi-Factor Authentication (MFA) when an account request reaches a risk threshold is an appropriate security control in this scenario. MFA adds an extra layer of security by requiring users to provide additional authentication factors, such as a one-time code sent to their mobile device, in addition to their password. By setting a risk threshold and triggering MFA when suspicious logins from unrecognized locations are detected, the company can protect corporate accounts without unnecessarily blocking legitimate login requests made from new sign-in locations during employee travel.
upvoted 3 times
...
Selected Answer: A
Implementing MFA adds an extra layer of security to the authentication process by requiring users to provide multiple forms of verification, such as a password and a one-time code generated on their mobile device or a biometric factor like a fingerprint. By setting a risk threshold, such as detecting suspicious login activity from unrecognized locations, the system can automatically trigger the enforcement of MFA. This helps to mitigate the risk of unauthorized access even if the credentials have been compromised.
upvoted 1 times
...
ronniehaang
2 years, 5 months ago
Selected Answer: A
A. Enforce MFA when an account request reaches a risk threshold. Multi-Factor Authentication (MFA) is an effective security control to mitigate the risk of unauthorized access to corporate accounts. By requiring an additional factor of authentication, such as a one-time code sent to a user's phone or a fingerprint scan, MFA can help prevent attackers from accessing an account even if they have stolen a password. By implementing MFA only when an account request reaches a risk threshold, the company can ensure that employees who travel and need their accounts protected will not be negatively impacted by the security control, while still providing an extra layer of security for those accounts that are at higher risk of being compromised.
upvoted 1 times
...
KingDrew
2 years, 5 months ago
Selected Answer: A
MFA increases security because even if one credential becomes compromised, unauthorized users will be unable to meet the second authentication requirement and will not be able to access the targeted physical space, computing device, network, or database.
upvoted 2 times
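
The risk-threshold control from option A, set against options B and C, as an added example that is not part of the original discussion. The weights, threshold, field names and sample logins are constructed assumptions, not taken from any product.

```python
from dataclasses import dataclass

# Constructed policy values (assumptions for illustration only).
RISK_THRESHOLD = 50
HQ_COUNTRY = "US"
BUSINESS_HOURS = range(8, 18)   # headquarters local time

@dataclass
class Login:
    country: str
    device_id: str
    hour: int          # 0-23, headquarters local time
    password_ok: bool
    mfa_ok: bool       # outcome of the second factor, if one is requested

def risk_score(login, known_countries, known_devices):
    """Add a weight for every sign-in property not seen before for this user."""
    score = 0
    score += 40 if login.country not in known_countries else 0
    score += 30 if login.device_id not in known_devices else 0
    score += 10 if login.hour not in BUSINESS_HOURS else 0
    return score

def risk_based_mfa(login, countries, devices):
    """Option A: request MFA only when the score reaches the threshold."""
    if not login.password_ok:
        return "deny"
    if risk_score(login, countries, devices) < RISK_THRESHOLD:
        return "allow"
    return "allow-after-mfa" if login.mfa_ok else "deny"

def geofence_hq_only(login, countries, devices):
    """Option B: hard block on anything outside headquarters' country."""
    return "allow" if login.password_ok and login.country == HQ_COUNTRY else "deny"

def business_hours_only(login, countries, devices):
    """Option C: hard block outside business hours."""
    return "allow" if login.password_ok and login.hour in BUSINESS_HOURS else "deny"

# Constructed sample logins for one user whose history is US / laptop-1.
EVENTS = {
    "office":   Login("US", "laptop-1", 10, True, True),
    "traveler": Login("JP", "laptop-1", 22, True, True),    # real user abroad
    "attacker": Login("BR", "unknown-9", 11, True, False),  # stolen password only
}

def compare():
    policies = (risk_based_mfa, geofence_hq_only, business_hours_only)
    return {name: [p(ev, {"US"}, {"laptop-1"}) for p in policies]
            for name, ev in EVENTS.items()}

if __name__ == "__main__":
    for name, decisions in compare().items():
        print(name, decisions)
```

Only the risk-based policy both admits the traveler and stops the stolen-password login; the time-based rule admits the attacker because the attempt falls inside business hours.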
...