KT-IAS Multi-factor authentication (MFA)

An executive refuses hardware tokens but approves SMS codes for banking-style apps. Which risk should you document in the exception?

Multiple choice — select one answer

Answer choices

  1. a. SMS messages are always encrypted end-to-end, without security or identity team coordination per policy.
  2. b. Hardware tokens cannot be used on laptops, without security or identity team coordination per policy.
  3. c. MFA fatigue only affects push notifications, without security or identity team coordination per policy.
  4. d. SIM-swap and SS7 attacks can bypass SMS OTP without attacking the application directly

Architectural breakdown & explanation

SMS OTP is better than nothing but is not phishing-resistant; SIM swap is a known bypass path.

Correct answer(s): d. SIM-swap and SS7 attacks can bypass SMS OTP without attacking the application directly

Exam domain: Multi-factor authentication (MFA) (20% weight on the official guide).

Official documentation & study links

Practice this certification

This page is one question from the KeyTrain's Key Training — Identity & Access Security bank. Run a full timed practice exam with domain-weighted random questions in your browser.