Lead Implementer Exam Questions

Lead Implementer Exam - Question 11


FinanceX, a well-known financial institution, uses an online banking platform that enables clients to easily and securely access their bank accounts. To log in, clients are required to enter the one-time authorization code sent to their smartphone. What can be concluded from this scenario?

Correct Answer:

Discussion

4 comments
Acrisius (Option: A)
Jan 19, 2025

The answer here is A.

A. FinanceX has implemented a security control that ensures the confidentiality of information. Technical control - Secure authentication (8.5) is a preventative control with information security properties of #Confidentiality, #Integrity & #Availability. Purpose: to ensure a user or entity is securely authenticated when access to systems, applications and services is granted.

B. FinanceX has implemented an integrity control that avoids the involuntary corruption of data. Authentication has nothing to do with integrity of data.

C. FinanceX has incorrectly implemented a security control that could become a vulnerability. The question makes no mention of incorrect implementation and so this is not the answer.

usuari000 (Option: C)
Mar 14, 2025

I am sorry but I do not agree with the proposed answer. Question does not mention there is another method of authentication, only a message delivered to the phone. Therefore, a bad actor with possession of the smartphone would be able to log into the account. This is a single method of authentication, just as weak as only using user and password. Additionally, it does not mention how the message is delivered to the smartphone. SIM cloning is a known attack against SMS OTPs, therefore I propose C to be the right answer.

AlphaFocus (Option: A)
Mar 20, 2025

The answer is A; it is a security control, and there are no further instructions regarding any prospective incident. So we need to limit our response of choice to the question scope, not what we think might happen.

somkiatr (Option: C)
Apr 15, 2025

Couldn't be option A because there is no mention of a password or any other factor being used before the OTP. Using OTP alone (without password) = single-factor authentication, not 2FA. OTPs are usually delivered via something you have (e.g., a phone or SIM card). If there's no password or biometric step (something you know or something you are), it's a weaker authentication scheme. OTPs over SMS can be intercepted (e.g., via SIM swapping or malware). So the answer would be option C.