Passwords, Passkeys & Access Control — Module 5 (Premium)

🔐 Passwords, Passkeys & Access Control — Module 5

Premium Theory + Real Example + 18-Question Quiz Identity-first Security

1) Theory — The new perimeter is identity

Breaches rarely start with “zero-days.” They start with stolen or guessed credentials, reused passwords, weak MFA, and excessive privileges. Modern defense shifts from password complexity theatre to passkeys (FIDO2), risk-based MFA, least privilege, and tight session control. Your goal: make stealing a password useless.

Get up to 70% off NordPass Premium
Affiliate link — helps keep our training free.
Key points (at a glance):
  • Kill password reuse: enterprise password manager + breach monitoring.
  • Prefer passkeys/FIDO2: phishing-resistant and no shared secret to steal.
  • MFA quality > MFA checkbox: number-matching/passkeys beat SMS codes.
  • Least privilege & JIT: reduce standing admin; time-bound elevation.
  • Strong session control: short tokens for high-risk apps; revoke on anomaly.

1.1 Common identity failure points

  • Password reuse & weak vaulting: the same password across SaaS; ad-hoc spreadsheets.
  • Legacy MFA: SMS codes/phishable OTPs; no number-matching.
  • Excessive privilege: too many global admins; shared admin accounts.
  • Long-lived tokens: stale OAuth refresh tokens; never rotated API keys.
  • SSO gaps: critical apps outside SSO; local accounts live forever.

1.2 Password policy that actually helps

  • Length over complexity: allow long passphrases (min 12–14); drop forced rotation unless compromised.
  • Block known-breached passwords: check against breach corpora during set/reset.
  • Password manager: corporate vault with shared collections, audited access.
  • Unique per system: never reuse; service accounts get randomly generated secrets.

1.3 Passkeys (FIDO2) — deployment pattern

  1. Pilot high-risk roles (finance, admins) with platform authenticators or security keys.
  2. Enforce MFA type (passkeys/number-match) in conditional access; deprecate SMS.
  3. Recovery paths with phishing-safe backups (second key, enterprise recovery codes).
  4. Device posture checks for admin portals; require compliant devices.

1.4 Least privilege & PAM

  • Role-based access for each app; no blanket global admin.
  • Just-in-time elevation with approval; session recording for privileged actions.
  • Service accounts with scoped permissions; rotate secrets; no human logins.
  • Break-glass accounts stored offline; tested quarterly.

1.5 SSO, sessions & monitoring

  • Centralize with SSO: bring all critical apps under IdP; disable local accounts.
  • Session hygiene: short TTL for sensitive apps; revoke on device or geo anomalies.
  • OAuth governance: restrict user consent; review tokens/scopes regularly.
  • Signals to alert on: impossible travel, unfamiliar sign-in properties, mass token refresh, admin changes.

1.6 Incident playbook — suspected credential compromise

  1. Contain: force reset; revoke sessions/tokens; disable legacy protocols.
  2. Scope: review sign-ins, mail rules, OAuth grants, admin changes.
  3. Eradicate: remove malicious rules/apps; rotate API keys and service creds.
  4. Recover: re-enroll MFA/passkeys; restore least-privilege roles.
  5. Improve: enforce stronger MFA; block breached passwords; add JIT/PAM.
Get up to 75% off NordVPN + 3 months free
Affiliate link — helps keep our training free.

2) Real-world example

Password reuse → payroll fraud: An AP clerk reused a personal password on the payroll portal. Attackers found it in a public breach dump and logged in, adding a new payee. Loss was prevented only after finance noticed an off-cycle transfer. The fix: passkeys for finance, breached-password blocking, JIT approvals for bank-detail changes, and auto-alerts on new payees.

3) Assessment — 18 Professional Questions

Choose the best answer for each question. Answers and feedback appear after you submit.

1) Which control most reduces risk from password reuse?

2) Strongest MFA option for admin portals?

3) Best policy for password rotation?

4) What’s the main advantage of passkeys over passwords?

5) Which is the right way to handle service accounts?

6) Which signal should revoke sessions immediately?

7) Best default for apps not yet integrated with SSO?

8) Strongest admin model?

9) Which MFA option is most phishable?

10) Best practice for emergency “break-glass” accounts?

11) What’s the key step after discovering malicious inbox rules?

12) Which password guidance is most modern?

13) What should you do with long-lived OAuth tokens?

14) Best first step to migrate to passkeys across the org?

15) Which policy best limits blast radius from a phished user?

16) Which setting hardens sessions for sensitive apps?

17) An app can’t support SSO yet. What’s the safest interim?

18) You detect unfamiliar sign-ins followed by admin role changes. Best action?

4) Finish

When you’re done, mark this module as completed to update your Premium Hub progress.

✅ Mark this module complete

NordVPN — up to 75% off NordPass — up to 70% off NordPass — alt link
Affiliate links — support our free training.