Safer Authentication: Password Usage Training Framework
Audience: Nonprofit/advocacy staff, mixed tech levels
Format: In-person or virtual, 8–25 participants
Duration: 90 min (or two 45-min sessions)
Facilitator needs: 1Password account + browser extension ready; basic 2FA familiarity
Materials: Slide deck + participant handout (provided)

Participants will be able to:
• Explain why passwords alone don’t protect accounts
• Set up and use 1Password for daily work
• Enable 2FA on their highest-priority accounts
• Identify their top 5 accounts and concrete next steps
• Describe what passkeys are and where to enable them

Session Flow

| # / Time | Module | Key Content + Notes |
|---|---|---|
| 1 / 10 min | Why This Matters | • Opening hook: show of hands on password reuse -- normalize it • Core problem: credential reuse & phishing, not sophisticated hacking • Key stat: compromised credentials in ~40% of breaches (Verizon DBIR 2024) |
| 2 / 25 min | Password Managers: 1Password | • Concepts: master password, Secret Key, Emergency Kit, vaults (5 min) • Live demo: interface tour, save & generate, autofill, 2FA setup, shared vaults (15 min) • Q&A (5 min): prep answer for “What if 1Password gets hacked?” • Have extension installed before the session. • Autofill demo doubles as phishing protection explainer. |
| 3 / 20 min | Two-Factor Authentication | • 2FA method ranking: hardware key → authenticator app → 1Password TOTP → SMS • Priority order: email → financial → cloud storage → CRM → social media • Worksheet: participants identify their top 5 accounts (5 min) |
| 4 / 10 min | Introduction to Passkeys | • What passkeys are, why they’re better (no password to steal, phishing-resistant) • Where they work today: Google, Apple, Microsoft, GitHub, PayPal |
| 5 / 25 min | Action Plan + Wrap-Up | • Walk through 3-column plan: This Week / Next 30 Days / Ongoing • Individual reflection: one commitment in next 48 hours (write it down) • Three takeaways, resources, Q&A |

Facilitation Principles

• Lead with care, not fear: capability over anxiety; overwhelm creates paralysis
• Normalize the starting point: reused passwords are the norm, not a failure
• Prioritize action: better to leave having done one thing than understood everything
• Don’t let perfect block good: SMS 2FA beats no 2FA; progress over perfection
• Right-size to the group: tailor examples to their platforms; pair early adopters with neighbors
• Optional extension (30 min): hands-on 1Password install for groups under 15 with a co-facilitator