While developing an application, MFA and password recovery were included as additional requirements to increase security by adding a second authentication and recovery mechanisms. What is considered a recommended practice in this context?

Answer options:

A.Use TOTP as a second factor and SMS as a password recovery mechanism which is disjoint from an authentication factor.
B.Enable MFA as Required immediately after creating a user pool to add another layer of security.
C.Disable adaptive authentication, so you can configure a second factor authentication in response to an increased risk level.
D.Use SMS as a second factor and TOTP along with a security key as the MFA device for your IAM and root users.