AWS Certified Developer – Associate / Question #1082 of 557

Question #1082

A company is developing a mobile application that requires users to authenticate using multi-factor authentication (MFA). Which two actions should be taken to implement this securely using AWS services?

A

Configure an Amazon Cognito user pool and enable MFA within its settings.

B

Develop a custom solution using Amazon SNS to send MFA tokens via SMS.

C

Enable TOTP-based MFA for the Amazon Cognito user pool.

D

Enforce MFA by attaching IAM policies to application end-users.

E

Use AWS KMS to encrypt MFA secrets stored in the application database.

Explanation

A. Configuring an Amazon Cognito user pool with MFA is the foundational step, as Cognito is AWS's managed service for user authentication. Enabling MFA in the user pool settings gives built-in second-factor enforcement without custom code.
C. TOTP (Time-based One-Time Password) is more secure than SMS-based MFA because it avoids risks such as SIM swapping. Cognito supports TOTP as a software-token MFA method through authenticator apps (e.g., Google Authenticator).

Why the others are incorrect:
B: Building a custom SMS solution with SNS is unnecessary and less secure than using Cognito's built-in MFA.
D: IAM policies apply to IAM principals (AWS users and roles), not to an application's end-users.
E: AWS KMS encryption of MFA secrets in an application database is redundant when Cognito is used, because Cognito stores and manages the MFA secrets itself.

Answer

The correct answer is: AC