The best answer is A. Migrating to FIDO2 passkeys, utilizing built-in device biometrics for user authentication.
The company wants a single, integrated authentication solution that is both more secure and easier for employees to use. FIDO2 passkeys best match this requirement because they allow passwordless authentication using cryptographic credentials stored on the user’s device, often unlocked with biometrics or a local PIN.
This improves security and usability because:
users no longer need to manage a password plus a separate authenticator app
phishing resistance is stronger than with traditional passwords and OTPs, because the credential is bound to the site it was registered for
authentication is integrated into the device experience
biometric unlock makes login smoother for users
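The points above are easier to see in a runnable model of the passkey login flow. The following is an added example, not code from the original answer or from any FIDO2 library, and it is deliberately simplified: the relying party identifier example.com, the origins, the class and function names, and the user "alice" are all constructed, and the signature is an HMAC stand-in for the ECDSA signature a real authenticator produces (so both sides share a key here, whereas in real FIDO2 the private key never leaves the device and the server stores only the public key). What it does reproduce faithfully is the structure that gives passkeys their phishing resistance: the server issues a single-use challenge, the browser only lets a page use a passkey whose relying party ID matches the page's host, the authenticator signs the relying party ID hash together with the challenge and the page origin, and the server checks all of those plus the user-verification flag before accepting the login.

```python
"""Constructed, simplified model of a FIDO2/WebAuthn passkey login (added example)."""
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"             # relying party identifier (assumed value)
RP_ORIGIN = "https://example.com"
FLAG_UP, FLAG_UV = 0x01, 0x04     # user-present / user-verified bits of the authData flags byte


class Authenticator:
    """Device-resident passkeys: one credential per relying party, unlocked by biometric or PIN."""

    def __init__(self):
        self._keys = {}  # rp_id -> (credential_id, key)

    def make_credential(self, rp_id):
        cred_id = secrets.token_hex(16)
        key = secrets.token_bytes(32)  # stand-in for an ECDSA P-256 private key (simplification)
        self._keys[rp_id] = (cred_id, key)
        return cred_id, key            # handed to the RP in place of a public key (simplification)

    def get_assertion(self, rp_id, challenge, origin, user_verified):
        if rp_id not in self._keys:
            raise LookupError("no passkey registered for " + rp_id)
        cred_id, key = self._keys[rp_id]
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True).encode()
        flags = FLAG_UP | (FLAG_UV if user_verified else 0)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
        # The signature covers the RP ID hash, the flags and the hash of the client data,
        # so challenge and origin cannot be altered after signing.
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(key, to_sign, hashlib.sha256).digest()
        return {"id": cred_id, "client_data": client_data,
                "auth_data": auth_data, "signature": sig}


def browser_get(authenticator, rp_id, challenge, page_origin, user_verified=True):
    """Browser-side rule: the requested rp_id must equal the page's host or be a suffix of it."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("origin %s may not use rpId %s" % (page_origin, rp_id))
    return authenticator.get_assertion(rp_id, challenge, page_origin, user_verified)


class RelyingParty:
    def __init__(self):
        self._users = {}    # username -> (credential_id, key)
        self._pending = {}  # username -> outstanding challenge

    def register(self, username, cred_id, key):
        self._users[username] = (cred_id, key)

    def start_login(self, username):
        challenge = secrets.token_urlsafe(32)
        self._pending[username] = challenge
        return challenge

    def finish_login(self, username, assertion):
        cred_id, key = self._users[username]
        challenge = self._pending.pop(username, None)   # single use
        cd = json.loads(assertion["client_data"])
        auth_data = assertion["auth_data"]
        checks = [
            assertion["id"] == cred_id,
            cd.get("type") == "webauthn.get",
            cd.get("challenge") == challenge,                          # fresh challenge
            cd.get("origin") == RP_ORIGIN,                             # a lookalike origin fails here
            auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest(),  # bound to this RP
            auth_data[32] & FLAG_UV,                                   # biometric/PIN unlock happened
        ]
        if not all(checks):
            return False
        expected = hmac.new(key, auth_data + hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def demo():
    device, rp = Authenticator(), RelyingParty()
    cred_id, key = device.make_credential(RP_ID)
    rp.register("alice", cred_id, key)

    # 1. Normal passwordless login from the genuine site.
    ok = rp.finish_login("alice", browser_get(device, RP_ID, rp.start_login("alice"), RP_ORIGIN))

    # 2. A lookalike site relays the real challenge; the browser refuses to use example.com's passkey there.
    challenge = rp.start_login("alice")
    try:
        browser_get(device, RP_ID, challenge, "https://example.com.login-portal.test")
        browser_blocked = False
    except PermissionError:
        browser_blocked = True

    # 3. Even if an assertion carrying the lookalike origin reached the server, it would be rejected.
    relayed = device.get_assertion(RP_ID, challenge, "https://example.com.login-portal.test", True)
    rp_rejected = not rp.finish_login("alice", relayed)

    # 4. An assertion without user verification (no biometric or PIN) is rejected as well.
    no_uv = browser_get(device, RP_ID, rp.start_login("alice"), RP_ORIGIN, user_verified=False)
    uv_required = not rp.finish_login("alice", no_uv)
    return ok, browser_blocked, rp_rejected, uv_required


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, True, True, True)`: the genuine login succeeds, and the two relay attempts and the login without user verification all fail, which is the property that an SMS code or a password typed into a lookalike page does not have.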
Why the other options are incorrect:
B. Implementing SMS-based one-time passwords as the primary second factor for all logins: SMS is weaker than modern phishing-resistant methods and still does not solve the issue of streamlining authentication as well as passkeys.
C. Implementing SAML federation across authentication servers so employees can use SSO to access applications: SSO improves convenience, but it does not by itself replace passwords with a more secure integrated authentication method. It solves access federation, not the core password-plus-authenticator problem.
D. Deploying a PKI system that requires all employees to use smart cards for login access: Smart cards can be secure, but they are less convenient and less seamless than device-based passkeys and biometrics for many organizations.
From a SY0-701 perspective, FIDO2 and passwordless authentication are strong modern controls that improve both security and user experience. Therefore, A is the best answer.