How should authentication mechanisms be managed with regard to user accounts?

• A. They Can Be Shared Among Multiple Accounts
• B. They Should Be Assigned To A Single Account And Not Shared
• C. They Can Be Used By Any Account That Has The Token
• D. They Must Be Assigned To An Individual Account And There Must Be Controls To Ensure Only That Account Can Use Them

Answer: (D)

Unique, user-bound authentication credentials are essential for accountability and traceability. Credentials should be assigned to an individual account and protected so that only that account can use them. This enables accurate auditing of every action to a specific person and allows for timely revocation or adjustment of access when roles change. Sharing credentials across multiple accounts or letting any account with a token use them breaks the link between actions and a single identity, making it impossible to determine who really performed an action. Simply assigning to a single account without enforcement risks misuse, whereas pairing assignment with controls (like strict session handling, monitoring, and revocation) ensures exclusive use by the intended user.