Use Strong User Authentication: Fillable template and example

Fillable template: Use strong user's authentication policy DOCX, 43 KB

Fillable templates provide instructions on the information required to be documented for certification.

Example: Use strong user's authentication policy DOCX, 99 KB

Examples provide sample text to help learners complete a template.

Insert organization name or letter head

Use strong user's authentication policy

Insert date

[disclaimer: Cybersecure Canada has developed this template for your use in relation to certification requirements for the use strong user authentication security control area. It provides guidance as to how information can be organized and documented for certification. Cybersecure Canada does not guarantee a successful certification from use of this template. Organizations are not obliged to use this template and may provide the certification requirement(s) in a documented format best suited for them.]

Template instructions

[instructions: the purpose of this template is to help users to meet the certification requirements for the use strong user authentication security control area for cybersecure Canada.

Instructions are provided in blue font within each section of this template. Upon completion of the template, delete these instructions.

It is recommended that users review the eLearning module for use strong user authentication and the completed example of this policy.]

Revision history

[instructions: it is a best practice for organizations to ensure their policies are reviewed and updated regularly. Document what changes are made, when, and by whom.]

The uses strong user's authentication policy has been modified as follows:





[date edited]

[document version]

[description of changes made]

[name of the editor]


Two-factor authentication

Authentication used to confirm the identity of a user by validating a combination of two different factors

User authentication

A process used to confirm the identity of a person attempting to access a system or device

User authorization

A process used to assign permissions to limit access to those who need it

Password manager

A software application that creates, stores, and recalls passwords


[instructions: insert your scope statement or use the example below if appropriate to your organization.]

This policy shall apply to the use of two-factor authentication and passwords at [organization name]. It applies to all employees, contractors, and affiliates of [organization name], and shall govern acceptable password use on all systems that connect to the organization's networks or accesses and/or stores its data.

Two-factor authentication

[instructions: insert your two-factor policy statement(s) and include applicable IT systems. If appropriate, you can use the provided example.]

Two-factor authentication will be used for following system:

  • Financial accounts
  • System administrators
  • Cloud administrators
  • Privileged users
  • Senior executives
  • All remote access

Password creation

[instructions: determine the required length and construction of a password. Longer passwords, or passphrases, are encouraged.

Insert your password creation statement(s). Alternatively, you can use the provided example.]

  • All passwords must be at least [x] characters long
  • Default passwords must be changed when software and devices are installed
  • Administrator and other high value accounts must be [x or greater] characters long
  • The same passwords are not to be used for multiple accounts (for example, work email and server login)

Password management

[instructions: decide whether or not to use password management software and create a policy on its use.

Determine if and when passwords can be physically written down and stored.

Insert your password management and creation policy statement(s), alternatively you can use the provided example.]

  • Passwords must not be shared with anyone, whether in person or sent electronically
  • Auto login for work related services must be disabled
  • All passwords must be updated to the standards outlined in the password creation section. This also applies to passwords on devices
  • [insert selected password manager] is used to store and manage passwords
  • Passwords that are physically written down must be stored securely where no other person can access them
  • The organization's backup plan will include the backup and recovery of passwords managed by password managers

Password updates

[instructions: for cybersecure Canada certification, passwords may remain constant for an indefinite amount of time unless there is suspicion or evidence of compromise. Examples of a compromise include:

  • a policy in the password protection category has been breached
  • a cyber incident has occurred in which the user account information was compromised
  • any other suspicion of the password being compromised

Your organization can opt to require frequent password updates.

Insert your password update policy statement(s), alternatively you can use the provided example.]

  1. Passwords are updated on suspicion or evidence of compromise
  2. Users are able to update their passwords whenever they choose


[instructions: insert your enforcement statements below or use the provided example.]

It is the responsibility of the [name or team] and to implement the outlined polices. Users are responsible for setting and managing their personal passwords and to use two-factor authentication as outlined above.


Additional certification requirements

Usage of two-factor authentication

[instructions: provide an overview of how your organization uses two-factor authentication.]

Exceptions to usage of two-factor authentication

[instructions: identify devices that will not adhere to two-factor authentication and the rationale for exemption.]