What are “Shared Web Passwords” and why should I secure them?
- February 8, 2024
- Posted by: admin
- Category: Blog
In recent years, many enterprise services accessed over the web integrate some federated login. The Identity Provider (IdP) could be anything from Azure Active Directory, Ping Federate, or even a Google account or LinkedIn account. Sometimes, these features are not offered, or your organization is not large enough to warrant the “add-on” cost to implement. In these cases, it is common for one login to be used by the whole organization to access this single vendor.
Sharing is Caring
With shared web accounts, it can be difficult to ensure that they are secure without also causing major headaches for one or two individuals. Let us take the example of a small-ish finance department that needs to access their payroll application online. For this department to use a federated login, they would need to upgrade to an “Enterprise” license. Many of the features offered to the organization would be “too big” for them or hardly used. The free options are usually the consumer-grade options: E-Mail, SMS/Text, Authenticator App. The problem here is these options tie the account to one person. Some organizations may have a mailing list or shared mailbox for email notifications. This could be an option but relies on your email server (and client) being operational and prompt. Another option commonly offered is using your phone for a TOTP (Time-based One Time Passcode). These are set up in applications like Authy, Google Authenticator, etc. and are also not conducive to sharing an account because it is tied to one person’s phone.
Secured TOTP Generation
Secured and shared TOTP Generation can enable TOTP generation on a per-credential level. Using this, we can move the TOTP generation from an individual’s phone to a centralized, secure location that can be accessed by those who need access to the credentials. You will no longer need to wake up Susan from Finance at 2 am for an emergency because the MFA (Multi Factor Authentication) TOTP is tied to her phone or email address. There are various products on the market that can facilitate this functionality. Among them being Delinea’s Secret Server and others.
Vaulted TOTP In Practice
Once your credentials and TOTP are stored securely in a vault, you will no longer need another person to use them. There is not any reliance on your mail server to email out quick enough to the shared inbox to get a link or OTP code. Now that your login credentials are stored in a secured, resilient vault, you can get any task done with a shared web account without having to rely on another user or team to get there.
Other Things to Consider
Now that the username, password, and TOTP generation are all handled by your vault, you have nothing left to do, right? Right?
Just because it is in a vault, does not mean that your account is secure. You will also need to adhere to your company’s policy or Best Practices and rotate the password for the web-based account regularly and with a randomly generated password.
While securing the usernames and passwords of accounts (web or otherwise) is an obvious step, keeping your TOTP generator safe as well will only increase the security around those accounts as well as keep a single contact from being on the hook for MFA requests.
Have question or comment? Feel free to post below or send to email@example.com.