Authentication Policy Involvement

Making an authentication policy must be a well-kept secret to ensure the security of the intended system. Why then is it so important that a security policy include an authentication policy that involves as many as possible? What kind of people must be left out?

Asked by Yvonne on June 25, 2025

1 Answer

An authentication policy itself is a strategic document that outlines how users and systems are verified. While the specific underlying mechanisms, such as cryptographic keys, algorithms, or proprietary protocol details, must be kept secret, the policy's principles, scope, and procedures should involve as many relevant stakeholders as possible. This broad involvement ensures the policy is:

  1. Comprehensive: Inputs from different departments, user groups, and technical teams help identify diverse needs and potential vulnerabilities, ensuring the policy covers all necessary access scenarios.
  2. Usable and Enforceable: When people who will be affected by and responsible for implementing the policy contribute to its formulation, it becomes more practical, realistic, and adaptable to real-world operations. This also fosters understanding and compliance.
  3. Aligned with Business Objectives: Involving various parts of an organization ensures the authentication policy supports overall business goals without creating undue operational friction.

Joseph Migga Kizza emphasizes that a good authentication policy involves people, processes, and technology, and that it should encompass as many people as possible who will be involved in its implementation and those who will be affected by it to ensure it is viable and enforceable (Kizza, Guide to Computer Network Security, Chapter 6, Section 6.1.1, "The Authentication Policy").

The people who must be kept from knowing the sensitive details of an authentication policy are those without a legitimate “need-to-know.” This includes individuals who do not require access to specific implementation details like cryptographic keys, salt values for password hashing, internal workings of the authentication server, or the exact vulnerabilities the policy aims to mitigate. The policy's inner workings are considered secret, and access should be restricted to authorized personnel responsible for its design, implementation, and maintenance, adhering to the principle of least privilege (Kizza, Guide to Computer Network Security, Chapter 6, Section 6.1.1, "The Authentication Policy").

Jaxon - June 25, 2025
