Which statement best describes the goal of authentication policy documentation?

• A. To outline only user role assignments.
• B. To describe how to recover lost credentials.
• C. To provide guidance on selecting strong credentials, protecting them, not reusing passwords, and changing if compromised.
• D. To mandate two-factor authentication for all access.

Answer: (C)

Authentication policy documentation focuses on how credentials are chosen, protected, and managed throughout their lifecycle. The best description is guidance on selecting strong credentials, protecting them, avoiding password reuse, and changing them if compromised, because this encapsulates the overall purpose: steer users toward secure credential practices and establish how those credentials should be handled and updated to reduce risk. The other options describe more specific or narrower tasks—outlining user roles is an access-control concern, recovering lost credentials is about identity recovery, and mandating two-factor authentication is a particular control rather than the broad goal of credential guidance.