When other authentication mechanisms are used, what must be ensured?


Multiple Choice

When other authentication mechanisms are used, what must be ensured?

Explanation:
When using authentication methods beyond passwords, there must be clear control over how those methods are issued, assigned, and revoked, with proper traceability. In some cases—for example, service accounts, automated processes, or certificates—one mechanism may be used by multiple accounts. That sharing is permissible when it’s needed, but it must be tightly governed: access must be least privileged, audit logs must show who used the mechanism and when, and there must be a solid process to revoke or rotate the mechanism if any linked account changes or is decommissioned. The main point is that sharing is allowed under strong control, rather than being forbidden or universally required to be isolated to a single user or universally centralized in all situations.

