A shared account is a way of giving multiple people access to shared resources, like cloud platforms, databases, servers, third-party apps and network tools. This typically requires a group of employees to share one secret password. You might logically ask, “Is it still a ‘secret’ if many users have the same credentials?” That’s the burning question, and we’ll explore it in depth.
After we examine the problem, we’ll look at five solutions to avoid and why they miss the mark. By the end, I’ll explain how to secure shared accounts in a way that’s scalable and provides greater visibility. But first, why do we need shared accounts?
IT administrators share accounts to maintain workstations, servers, networks and mainframes. Your company is also likely to have shared accounts in the billing department, where multiple employees need to access a billing management system or accounting apps.
Reasons for having shared accounts vary across industries. Managed service providers (MSPs) need access to hundreds of client systems. Healthcare providers share access to medical records to see a patient’s medical history before making treatment decisions.
In these scenarios, shared accounts may be unavoidable, but it’s not ideal. It’s much preferred for employees to share resources, not accounts. We all know passwords are easily leaked or stolen, and your chances of a security breach are multiplied by the number of people who share the same login.
This raises two practical questions.
- Is there a way to secure shared accounts without having multiple employees share one set of credentials?
- Can we protect shared accounts with more than single-factor authentication?
It’s clear, shared accounts are not secure on their own, and we needed another layer of authentication. Until recently implementing two-factor authentication (2FA) for shared accounts has required hard tokens like security keys, which are costly to provision and risk being lost.
Complicating matters, second factors such as one-time passcodes (OTPs) sent via SMS or push notifications are typically bound to one user with one device. Which user and what device linked to the shared account needs to receive the OTP? Sending it to everyone would be disruptive, confusing and unscalable. This is the crux of the problem. There’s no way to know who is trying to log in.
Employee turnover and leaks
Shared accounts create a plethora of other problems. When an employee with shared access leaves your company, an administrator must change the password immediately and securely share new credentials with the team.
There is also the risk that users will share passwords with unauthorized employees or people outside of the organization. The employee may not have malicious intentions, but the impact could be devastating.
No user visibility
IT administrators must be able to associate activity inside shared resources with a specific user. But when everyone is using the same credentials, you don’t have that visibility. Instead, all actions are associated with one master identity. IT has no monitoring capabilities over shared accounts.
The bottom line: shared accounts create security gaps and administrative headaches. There is no ability to authenticate with certainty when there’s no answer to the question, “Are you truly who you say you are?”
Efforts to secure shared accounts have led to a number of ineffective solutions, from band-aid fixes to expensive enterprise tools. So before we introduce you to the most secure, easy-to-deploy and cost-effective MFA for shared accounts, let’s look at five approaches to avoid and why:
- 2FA via SMS – Security codes sent via SMS messages can be intercepted by man-in-the-middle attacks, SIM swaps, smishing, SS7 attacks and other advanced tactics. It’s all covered in our blog article, “Why SMS Two-Factor Authentication Isn’t Enough. And What You Should Use Instead.”
- 2FA in any form – Multi-factor authentication (MFA) is more secure than 2FA because it combines advanced authentication factors like biometrics. You can achieve MFA using a biometric and a private key on the end user’s device with no password at all. Learn more about this topic in our blog, “What Is 2FA vs. MFA, SCA and Step Ups?”
- Authenticator apps – “How to add 2FA for shared accounts” is a common search query. On one IT forum, someone posted tips for using an authenticator app as makeshift 2FA for shared accounts. But there are several shortfalls with this rigged solution. Most importantly, it fails to authenticate the individual user. Their actual identity remains unknown.
- Password managers – While this fix does not involve 2FA, it does add a layer of security — a thin layer. The problem is password managers are targeted by hackers. This was proven by the recent Passwordstate breach in which attackers inserted malware in a software update. We also know man-in-the-middle attacks can intercept the password in transit.
- Privileged Access Management (PAM) – PAM solutions manage access and monitor activity on shared accounts, enabling a higher level of security and auditing. They also happen to be expensive, complex to deploy and require ongoing maintenance. Due to costs, PAM deployments are limited to critical systems. This leaves shared accounts that are not deemed critical vulnerable to attack.
Now that we’ve thoroughly critiqued 2FA, it’s important to further clarify why MFA reigns superior. Here’s the nuance: 2FA begins with standard login credentials and simply adds an additional authentication factor on top. By contrast, FIDO2 biometric authentication achieves strong MFA instantly, with no usernames, no passwords and no OTPs.
By using fingerprint or facial recognition, Transmit Security’s BindIDTM verifies a biometric inherence factor (something you are) and a possession factor (something you own) with the private key on your registered device. Best of all, MFA for shared accounts is achieved through a single user action: a biometric scan.
The most cutting-edge FIDO2 solutions replace highly vulnerable passwords with biometrics and cryptographic keys, negating the need to add a third authentication factor.
With Transmit Security FIDO2-certified solutions, the biometrics are always encrypted and never leave the end user’s device. Authentication happens locally where a biometric verifies the user identity and unlocks the private key, which then signs the authentication challenge. There’s no database full of biometrics for hackers to target, and biometrics cannot be intercepted because they are never in transit.
Transmit Security solutions enable companies to finally:
- Secure shared accounts with single-action MFA
- Eliminate the risks of shared credentials, phishing, password theft and ATOs
- Verify individual users — with or without an app
- Simplify the UX to optimize workflow and efficiency
- Support authentication across digital and non-digital channels
- Build user identities and transfer trust to any enrolled device
Biometric authentication with BindID delivers highly secure and user-friendly experiences, finally solving the unique business challenge of protecting shared accounts. Discover how it works.