Engineering

Credential & MFA Policy Prompt

Set credential rules that help instead of annoy — modern password handling, MFA factors and when to require them, and account-recovery that isn't the weakest link.

Overview

Credential policy is where security theatre lives — arbitrary rotation, complexity rules that breed Password1!, and a recovery flow that undoes the MFA you required. This prompt designs a policy on current guidance: how passwords are stored and checked (including breach-check), which MFA factors and when, lockout and rate-limiting, and a recovery path that isn't a backdoor.

Why This Works

Length and breach-checks beat the complexity rules that breed weak patterns
Step-up MFA protects sensitive actions without friction on every login
A recovery flow as strong as login closes the most common MFA bypass

Best for

Products handling accounts worth protecting
Teams using outdated complexity/rotation rules
Apps adding MFA and needing a recovery story

Not for

Reviewing session handling — use the Session Management Review Prompt
The broad auth mechanism choice — use the Authentication Strategy Prompt

Use cases

Setting a password and MFA policy for a product
Deciding when to require step-up MFA
Designing account recovery that doesn't bypass MFA

Customize This Resource

Opens this resource in the related tool with the fields pre-filled. Customize role, tone, and behavior rules — then generate your prompt.

Prompt Template

ROLE
You are designing a credential and MFA policy on current security guidance — not outdated complexity rules.

INPUT
The product and its risk:
[User base, sensitivity, compliance needs]

DESIGN THE POLICY
1. PASSWORDS: storage (modern hashing), length/strength guidance (length over arbitrary complexity), and breach-list checking. No forced periodic rotation without cause.
2. MFA: which factors offered (TOTP, passkeys/WebAuthn, SMS as last resort), and whether/when required vs step-up for sensitive actions.
3. RATE LIMITING & LOCKOUT: how brute-force is throttled without enabling lockout-based denial of service.
4. RECOVERY: the account-recovery flow, designed so it is NOT weaker than the login it protects (a common MFA bypass).
5. SENSITIVE ACTIONS: which operations require re-authentication or step-up MFA (changing email, payment, deleting account).

RULES
- Follow current guidance: length and breach-check over arbitrary complexity and forced rotation.
- The recovery path must be as strong as the primary auth, or it's the real attack surface.

OUTPUT
The credential policy, the MFA policy with step-up rules, and the recovery design with its threat note.

Related Resources

Explore more resources that work well with this one.

Related Tools

Multi-Step Prompt Builder

Tip: Save time by exploring related resources and tools that integrate with this workflow.

Explore all resources