What is the correct answer to this question. There are two different answers given for this question. One

What is the correct answer to this question. There are two different answers given for this question. One place said the correct answer is A. Enforce MFA when an account request reaches a nsk threshold while the other says B. Implement geofencing to only allow access from headquarters. Which is correct? Please explain.

Question:

A company suspects that some corporate accounts were compromised. The number of suspicious logins from locations not recognized by the users is increasing Employees who travel need their accounts protected without the nsk of blocking legitimate login requests that may be made over new sign-in properties. Which of the following security controls can be implemented?

A. Enforce MFA when an account request reaches a nsk threshold

B. Implement geofencing to only allow access from headquarters

C. Enforce time-based login requests that align with business hours

D. Shift the access control scheme to a discretionary access control