The SEAL Framework Checklist (SFC) for Identity & Accounts provides guidelines for managing
organizational accounts (social media, email, SSO, registrar, SaaS, privileged platforms) such that
account compromise cannot redirect users, funds, or trust.
Scope: This is a horizontal cert covering the cross-cutting account-management pattern that applies
to multiple surfaces (domains, code, custody, social media). Other certs reference it for
account-control concerns while retaining their domain-specific substance (e.g.,
SFC - DNS Registrar handles DNSSEC and registry locks; this cert handles
registrar account hygiene).
Do you enforce phishing-resistant multi-factor authentication on organizational accounts?
Baseline Requirements
Hardware security keys (FIDO2/WebAuthn) required for high-privilege accounts: social media admin, domain registrar, custody platforms, cloud console root, SSO/IdP, repository admin, email admin
MFA required on all organizational accounts at minimum
SMS and voice-call MFA not used as the primary factor for high-privilege accounts
Backup MFA methods configured using independent factors
ida-2.1.2 · Credential Management and Individual Accountability
Do you enforce credential management standards with individual accountability?
Baseline Requirements
Password manager required for all personnel; no passwords stored in plain text, documents, or browsers
Unique, strong passwords per account
Individual accounts required; no shared logins for organizational accounts. Where shared access is technically unavoidable, it is mediated through the password manager with per-person audit trails
Credentials transmitted only through encrypted channels (password manager sharing, not email or chat)
ida-2.1.3 · Recovery Methods Restricted to Organizational Channels
Do you restrict account recovery methods to organizational channels?
Baseline Requirements
Recovery email addresses use organizational domains, not personal email
Recovery phone numbers use organizational numbers where supported, not personal numbers
Backup and recovery codes stored in the password manager or comparable secure storage (not in personal email, notes, or cloud docs)
Recovery options reviewed when personnel change and at least annually
Section 3: Access & Lifecycle
0/1
ida-3.1.1 · Account Lifecycle Management
Do you manage the full lifecycle of organizational accounts, including provisioning, changes, offboarding, and periodic access review?
Baseline Requirements
Account creation requires documented approval and is provisioned with least privilege
Role changes trigger prompt permission adjustments
Offboarding revokes access across all organizational accounts within 24 hours of departure, including social media, SaaS, SSO, and shared tools
Credentials for shared systems the departing person accessed are rotated
Access reviews conducted at least annually; quarterly for high-privilege accounts
Service account and bot account ownership reviewed alongside human accounts