Safer Authentication: Password Usage Training Framework

Audience: Nonprofit/advocacy staff, mixed tech levels Format: In-person or virtual, 8–25 participants Duration: 90 min (or two 45-min sessions) Facilitator needs: 1Password account + browser extension ready; basic 2FA familiarity Materials: Slide deck + participant handout (provided) 
 Participants will be able to: •

 Explain why passwords alone don’t protect accounts •

 Set up and use 1Password for daily work •

 Enable 2FA on their highest-priority accounts •

 Identify their top 5 accounts and concrete next steps •

 Describe what passkeys are and where to enable them 
 
 
 
 
 
 
 
 
 
 
 
 Session Flow 
 
 
 
 
 
 
 
 
 
 
 
 
 
 #  /  Time 
 Module 
 Key Content + Notes 
 
 
 1 10 min 
 Why This Matters 
 Opening hook: show of hands on password reuse -- normalize it Core problem: credential reuse & phishing, not sophisticated hacking Key stat: compromised credentials in ~40% of breaches (Verizon DBIR 2024) 
 
 
 2 25 min 
 Password Managers: 1Password 
 Concepts: master password, Secret Key, Emergency Kit, vaults (5 min) Live demo: interface tour, save & generate, autofill, 2FA setup, shared vaults (15 min) Q&A (5 min): prep answer for “What if 1Password gets hacked?” Have extension installed before the session. Autofill demo doubles as phishing protection explainer. 
 
 
 3 20 min 
 Two-Factor Authentication 
 2FA method ranking: hardware key → authenticator app → 1Password TOTP → SMS Priority order: email → financial → cloud storage → CRM → social media Worksheet: participants identify their top 5 accounts (5 min) 
 
 
 4 10 min 
 Introduction to Passkeys 
 What passkeys are, why they’re better (no password to steal, phishing-resistant) Where they work today: Google, Apple, Microsoft, GitHub, PayPal 
 
 
 5 25 min 
 Action Plan + Wrap-Up 
 Walk through 3-column plan: This Week / Next 30 Days / Ongoing Individual reflection: one commitment in next 48 hours (write it down) Three takeaways, resources, Q&A 
 
 
 
 
 
 
 
 
 
 
 
 Facilitation Principles 
 
 
 
 
 
 
 
 
 
 
 
 
 Lead with care, not fear: capability over anxiety; overwhelm creates paralysis Normalize the starting point: reused passwords are the norm, not a failure Prioritize action: better to leave having done one thing than understood everything 
 Don’t let perfect block good: SMS 2FA beats no 2FA; progress over perfection Right-size to the group: tailor examples to their platforms; pair early adopters with neighbors Optional extension (30 min): hands-on 1Password install for groups under 15 with a co-facilitator