Why Shared Accounts deserve protection
September 7, 2024
Some organizations consider sharing accounts taboo and enforce a strict one-login-per-person policy for various reasons, be it tracking employee access or limiting the risk of an account being used by unauthorized personnel. Because of this hard-line stance, when there are legitimate reasons for shared accounts, they are either hidden from security personnel or treated as one-offs and are not given proper protection.
Instead, shared account flows should be supported and protected like any other account to ensure proper protection across all parts of the business. So, let's dive into the most common patterns you'll see for shared business accounts and the ways you can add Multi-Factor Authentication (MFA) to those accounts to protect them from attackers.
Reasons why you may need to support shared business accounts
For different business types and sizes, there are various reasons why employees would need to share login credentials and access with peers. Here are the most common reasons.
Vendors only allow one account
Certain vendors don't support multiple user accounts, yet store information that cannot be accessible to only one individual. Most bank accounts that small businesses use have this restriction: there is only one login, which you either share with multiple trusted employees or assign to a single person, who then becomes a single point of failure whenever they are unavailable.
Not enough budget for everyone's seat
You may have limited access to a tool because it is too expensive to give everyone privileged access. Typically, businesses need to resort to manually switching seat access or sharing login credentials, with the latter opening up a risk of unauthorized access by external threats or by those who once had access but shouldn't anymore.
Access to Client or Partner Accounts
Collaboration across organizations is always tricky business. Each organization is responsible for its own employees; however, communication about access changes is slow to reach partner organizations. Unless the chain of communication is kept tightly aligned, personnel who once had access may continue to have it after they should have lost it.
While some solutions can leverage directory syncs and RBAC permissions, they aren't supported by every tool, nor do they fit every organization's budget. The typical approach is to create one or more shared accounts with uniformly applied restrictions to limit the risk of unauthorized access. Even then, someone who has memorized or separately stored the login can still do damage by accessing or deleting business data.
Advantages of MFA for Shared Accounts
The main advantage of guarding access to shared accounts with MFA is that passwords are no longer the sole protection. Even with password managers, someone who had access could have the password memorized, copied, or saved by their web browser. On termination, your procedure would need to include rotating the password of every shared account that individual was granted, which can take considerable time and leave those accounts vulnerable in the meantime.
By adding MFA, you remove that risk when you restrict access to the second factor of authentication. This pattern protects you not only from external threats but also from unauthorized access by those who had access before. Since generated-code MFA is time sensitive, an individual would need to retain access to both the password and the code generator in order to log in.
So, what options are available to organizations to add MFA to shared accounts?
Single-Use Code Delivery to a shared email group
If a vendor provides an option to send you a code, you can set up a communication channel that is shared with everyone to receive it.
Email groups are relatively straightforward, allowing multiple inboxes to receive a copy of the same email. While you typically cannot send email from that address, it's an excellent way to distribute those messages without relying on more complex or manual solutions. The main disadvantage is that, unless whoever requested the code volunteers that they did so, it's hard to determine who specifically is accessing the tool.
Virtual SMS or VoIP text messages are another way to receive a single-use code, but they are typically more difficult to set up and manage. Also, some virtual carriers, like Google Voice, don't support the short phone numbers (short codes) that vendors mainly use to send these one-time codes, so delivery will not work properly.
And depending on your email or text provider, increasing the number of email groups or text groups can become costly at scale. We don't recommend this pathway, since it can become quite expensive to maintain and is also the least secure way to support MFA.
Device-Restricted MFA
App-based, time-based MFA (TOTP) is the most widely supported option at the time of writing. Once a vendor account is enrolled, a six-digit code is generated every 30 seconds that the user must enter to complete their authentication.
When the code generator lives on a single device, authorized users may be unintentionally locked out, as it can be difficult to locate a shared physical device or to coordinate with the person responsible for it.
You can use the same QR code or seed on multiple devices; however, rotating that seed and offboarding users who may have it on their personal device becomes much more of a hassle, and can leave your tools vulnerable or your employees unable to access what they need until everything is updated.
Password Manager MFA
Some password managers allow storing the MFA seed alongside the username and password, so anyone with access to the credentials can also generate the temporary codes.
This can add a lot of productivity back into your processes, as onboarding or offboarding user access can be immediate even if it takes time to change the password for those accounts. That is, as long as access to the password manager is revoked immediately.
However, storing both passwords and MFA seeds in the same application places more importance on your users following safe password practices for their password manager accounts. Otherwise, if an attacker compromises an employee's password manager account or an employee's device, the attacker has both authentication factors available to them.
Key Forge's Shareable MFA
We purpose-built Key Forge's Shareable MFA feature to support this pattern, after running into this very issue when we needed to secure business accounts for our business partners.
You can grant MFA access to groups of employees, as with password managers, but without keeping all of your eggs in the same basket. Anyone in that group can request a code at any time without having to coordinate with other employees.
Also, we log each MFA code request and give you that visibility. You'll know who is using which accounts and gain better insight into unexpected activity than any of the other options provide.
The downside is that it's $1 per person. So, if your budget cannot allow for that cost, a more manual process is needed.
Conclusion
There is a legitimate need for businesses to support shared accounts, as it keeps productivity and collaboration high. But if you don't treat these accounts with the same security rigor as others, you run the risk of data breaches, downtime for your business, or frustrating employee experiences as people hide their workarounds or jump through hoops to access the tools they need to do their jobs.
There are multiple solutions you can use to add MFA to accounts. We recommend Key Forge as it was purpose-built to support shared accounts (and in small part because, full transparency, this is the Key Forge blog). Give it a try today and add the proper protection to these accounts without added aggravation.
Need MFA for your Business?
Save your spot by signing up to be notified when Key Forge Cloud MFA is available.
Andrew Murray
Andrew is the CEO of WUMU LLC, and the Key Forge Product Champion.