An executive refuses hardware tokens but approves SMS codes for banking-style apps. Which risk should you document in the exception?
Multiple choice — select one answer
Answer choices
Architectural breakdown & explanation
SMS OTP is better than nothing but is not phishing-resistant; SIM swap is a known bypass path.
Correct answer(s): d. SIM-swap and SS7 attacks can bypass SMS OTP without attacking the application directly
Exam domain: Multi-factor authentication (MFA) (20% weight on the official guide).
Official documentation & study links
Practice this certification
This page is one question from the KeyTrain's Key Training — Identity & Access Security bank. Run a full timed practice exam with domain-weighted random questions in your browser.