UnixTime

Research Note

Authentication Information Handling Standard

Use this to define how passwords, PINs, recovery answers, MFA tokens, biometric authentication data, privileged credentials, and service secrets are issued, handled, reset, and...

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this to define how passwords, PINs, recovery answers, MFA tokens, biometric authentication data, privileged credentials, and service secrets are issued, handled, reset, and protected.

Standard rules

Area Requirement Evidence
Identity verification Verify user before issuing or resetting credentials Verification record
Initial credentials Use temporary credentials and force change on first use System setting/log
Default credentials Change vendor/default credentials before production use Build checklist
User responsibilities Users must keep authentication information confidential Acknowledgement/training
Password quality Enforce length, blocked common passwords, and policy requirements where possible Technical settings
MFA Apply MFA where risk or policy requires it MFA configuration
Reset process Verify identity and log reset activity Service desk log
Urgent reset Apply additional follow-up review Reset review record
Privileged credentials Store in approved vault or equivalent control Vault logs
Service secrets Store, rotate, and restrict access Secrets register/log

User acknowledgement checklist

  • I will not share passwords, PINs, MFA codes, tokens, recovery answers, or other secret authentication information.
  • I will not write or store authentication information where unauthorized people can access it.
  • I will report suspected compromise immediately.
  • I understand activity performed with my credentials may be attributable to me.
  • I will follow approved reset and recovery procedures.
  • Template
  • Iso27001
  • A5 17
  • Authentication

Note Metadata

Aliases: Credential Handling Standard, Password Handling Standard

Source: 90 Templates/Authentication Information Handling Standard.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.