Updated: Nov 4, 2020
As remote working becomes not only a long-term prospect amid COVID-19 but also a lasting workplace trend, effective collaboration becomes a key component of any IT consideration.
Collaborating remotely can be a challenge, especially when key information has to be shared quickly and securely. The simple act of sharing logins can pose a major security threat if the right tools are not in place.
Sharing Login Information
Email, without any other intervention, is entirely plain text, and SMTP (Simple Mail Transfer Protocol, the protocol by which email is delivered) is not a secure protocol. Emailing logins is like sending your house key in the mail with your address clearly printed on the tag. If you have no other options, consider emailing only the username and then calling your intended recipient to give them the password verbally, or vice versa. The intent is that only one piece of the login information travels over any one channel at a time, which makes it much harder for someone to compromise both.
Whether or not you believe the hype around password managers such as LastPass, a password manager becomes essential if you want to share logins securely. Logins stored in a password manager are encrypted, so even if the password manager is compromised, attackers can't simply extract the data as plain text and use it. Be careful, though: a password manager holds the keys to your credential castle. Use a strong passphrase and multifactor authentication (MFA) to give your master password the extra level of protection it deserves.
While we do not advocate sharing accounts, for audit reasons, we realize it is sometimes inevitable, especially in small businesses or for solopreneurs. When a distributed team shares an account, it is much harder to tell whether a given login attempt is legitimate. We recommend using MFA even for accounts that need to be shared.
As far as methods go, not all MFA is created equal. We prefer an authenticator app over hardware tokens or SMS (text message) codes because of the ease of collaboration for distributed teams who need to share access.
A hardware token cannot easily be shared across a distributed team, and text message codes have the same problem: in both cases, teams that share an account must coordinate their login attempts. Text messages carry an added security risk: an attacker can socially engineer the phone company into transferring the phone number to a different SIM card.
You can set up multiple authenticator apps for a single account
Some applications natively support multiple authenticator apps set up independently of each other.
For Microsoft 365, you can set up multiple software tokens (authenticator apps) for a single account, so any of them can be used as the second factor. This lets remote and distributed staff keep the security of MFA on shared accounts without needing to coordinate every login attempt.
For apps that don't natively support multiple authenticators on the same account, a bit of coordination is required to set up MFA initially. Schedule a video conference with the team members who need access to the account, then start the MFA setup process as usual. When you reach the step where you scan the QR code to set up your authenticator app, screen-share the QR code so that all participants can scan it into their own authenticator apps. You should notice that everyone has the same six-digit code in their app. Now you can proceed to use the account, and any of the phones can serve as the second factor.
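To show why every phone that scanned the same QR code displays the same code, here is an added example (not from the original post): it parses the otpauth:// URI that an enrollment QR code encodes and derives the RFC 6238 TOTP value from the shared seed, so two simulated phones fed the same URI produce identical codes. The URI, account label and secret are constructed sample values; the secret is the published RFC 6238 reference key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample of what an enrollment QR code encodes: an otpauth URI.
# The secret is the RFC 6238 reference key "12345678901234567890" in base32.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example%20Corp:shared.mailbox%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Corp"
    "&digits=6&period=30"
)


def parse_otpauth(uri):
    """Extract the shared seed and parameters from an otpauth://totp/ URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = params["secret"].upper().rstrip("=")
    secret += "=" * (-len(secret) % 8)  # restore base32 padding if stripped
    return {
        "label": unquote(parts.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def totp(key, unix_time, digits=6, period=30):
    """RFC 6238 TOTP over HMAC-SHA1: same key and time step give the same code."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def enrolled_device_code(uri, unix_time):
    """Simulate one phone that scanned the QR code and now shows a code."""
    cfg = parse_otpauth(uri)
    return totp(cfg["key"], unix_time, cfg["digits"], cfg["period"])


if __name__ == "__main__":
    now = 1111111109  # RFC 6238 reference timestamp, used as constructed input
    phone_a = enrolled_device_code(SAMPLE_OTPAUTH_URI, now)
    phone_b = enrolled_device_code(SAMPLE_OTPAUTH_URI, now)
    print(phone_a, phone_b, phone_a == phone_b)  # prints 081804 081804 True
```

Any phone holding the seed from that QR code computes the same six digits, which is also why the screen share itself must be treated with the same care as the password.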
If you have concerns about security for your team, we recommend that you chat with us. We help businesses just like yours secure their environment, and implement remote working that works for them.