CISA QUESTION #6843
Question 1
An organization implements multi-factor authentication but configures it to require only username/password during business hours, with the second factor required only for after-hours access. What is the PRIMARY security weakness?
  • Inconsistent user experience
  • Reduced security protection during the highest-risk period when most users are active✔️
  • Complicated configuration
  • Increased support costs
Correct Answer Explanation
Most attacks occur during business hours, when users are active and system activity can blend in with normal operations. Requiring MFA only after hours protects the lower-risk period while leaving the higher-risk business hours protected by single-factor authentication alone. The control is inverted relative to a risk-based design.