The different types of account sharing
When every member of a team needs access to an application, account sharing is common practice: several people end up logging in with a colleague's account.
"What's your password?"
This is the traditional method of account sharing: asking a colleague for their credentials in order to log in to their account and reach the CRM or marketing tool you need. Users prefer it because it is the fastest and least demanding. Obviously, the IT team does not like it at all and sees it as a security flaw: passwords, sometimes critical ones when they protect a CRM full of customer information, are exchanged out loud, within earshot of the whole open-plan office and of other users, and so hand company information to anyone who cares to listen.
Sharing via password manager
This sharing method requires that both users concerned (the one who shares the credential and the one who uses it) have a password manager. Password managers (such as Dashlane, 1Password or LastPass) are designed first of all to store your passwords and log you in to your applications automatically, the software filling in the password for you. Most of them also let you share a password with another user without that user ever seeing it, since the password manager fills it in directly on their behalf.
This method has the merit of being somewhat more rigorous, because it offers good traceability. It has a weak point, however: the user who receives the password can, with a little skill, read it in clear text and then do whatever they want with it, for example keep it and retain access even after the user who initiated the share has revoked it.
Access sharing by authorization
This method is the most rigorous, because each user has their own access and it is that personal access that lets them reach a shared resource. The best example is shared mailboxes on Office 365 or Google Workspace: each user keeps their own password, and it is the permissions set on the common mailbox that decide who can open it. The big advantage of this method is that access can be removed quickly and without any security breach, so it is not exposed to the security dangers of the two previous methods.
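To make the difference concrete, here is an added example (not code from the original article, and not the implementation of any of the products it names) that models access by authorization the way a shared mailbox works: the resource carries an ACL naming individual users, each user acts under their own identity, and revoking one user touches nothing that the others rely on. The resource name, user names and rights are constructed for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SharedResource:
    """A shared resource (e.g. a shared mailbox or CRM view) whose ACL names
    individual users instead of handing everyone one common credential."""
    name: str
    acl: dict = field(default_factory=dict)    # user -> set of rights
    audit: list = field(default_factory=list)  # (actor, right, outcome)

    def grant(self, user: str, right: str) -> None:
        self.acl.setdefault(user, set()).add(right)

    def revoke(self, user: str) -> None:
        # Dropping the user's ACL entry is the whole revocation: no password to
        # rotate and nothing to re-share with the remaining users.
        self.acl.pop(user, None)

    def act(self, user: str, right: str) -> bool:
        """Authorize one action and record who asked for it, so every entry in
        the audit trail is attributable to a named user."""
        allowed = right in self.acl.get(user, set())
        self.audit.append((user, right, "allowed" if allowed else "denied"))
        return allowed

    def members(self) -> list:
        """Who currently has access: the list an access review would look at."""
        return sorted(self.acl)

def run_demo() -> SharedResource:
    # Constructed scenario: two permanent staff and an intern share a CRM view.
    crm = SharedResource("crm-prospects")
    crm.grant("alice", "read")
    crm.grant("alice", "write")
    crm.grant("bob", "read")
    crm.grant("intern", "read")
    crm.act("intern", "read")       # allowed while the internship lasts
    crm.revoke("intern")            # the intern leaves: one ACL change, nothing else
    crm.act("intern", "read")       # now denied, and the attempt is logged by name
    crm.act("alice", "write")       # unaffected by the intern's departure
    return crm

if __name__ == "__main__":
    resource = run_demo()
    print("members:", resource.members())
    for entry in resource.audit:
        print(entry)
```

Compare this with the first two methods: there, the audit trail would show only the shared account, and removing the intern would mean changing the password and redistributing it to everyone who still needs it.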
The dangers of access sharing
The reasons why users share accounts are often less than noble. Whether it's to avoid paying for additional licenses because "it's still expensive even though I don't use it much", or for practical reasons ("I'm not going to create an account for every intern!"), account sharing is a real danger to data security in the company.
In the first two methods, the password is simply disseminated to several people without control. Interns come and go with the same username/password, and the intern who was present 3 years ago can still access the internal CRM if they wish. By accessing it, they can view the data, and therefore potentially communicate information about the company's prospects to a competitor for whom they now work. They can also alter or delete the data and thus disrupt the company's commercial, financial or technical activity.
The second danger is the lack of traceability. A shared account is an anonymous account. None of the actions performed with this account can be attributed to a named user because they could have been performed by multiple users, sometimes dozens of users.
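A shared account usually leaves a signature in the authentication logs: the same account logging in from several distinct machines or addresses within minutes. The following added example (not from the original article) shows how a defender can scan such logs for that pattern; the log format, account names, IP addresses and the fifteen-minute window are constructed assumptions, not a real product's format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not from the article):
# timestamp  account  source IP  device tag
SAMPLE_LOG = """\
2024-03-04T08:02:11Z crm_shared 10.1.4.22 Win10/Chrome
2024-03-04T08:05:40Z crm_shared 10.1.4.37 macOS/Safari
2024-03-04T08:07:02Z crm_shared 203.0.113.9 Android/App
2024-03-04T09:15:00Z a.martin 10.1.4.22 Win10/Chrome
2024-03-04T13:40:12Z a.martin 10.1.4.22 Win10/Chrome
2024-03-04T13:41:00Z crm_shared 10.1.4.22 Win10/Chrome
2024-03-05T08:00:00Z b.dupont 10.1.4.51 Win10/Edge
"""

def parse(log_text: str) -> list:
    """Parse the constructed log format into (timestamp, account, ip, device)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, device = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, device))
    return events

def find_shared_accounts(events: list, window: timedelta = timedelta(minutes=15),
                         min_sources: int = 2) -> dict:
    """Flag accounts seen logging in from at least `min_sources` distinct
    (ip, device) pairs inside any `window`-long sliding window.

    A personal account rarely does this; a shared one does it all day.
    Returns {account: largest number of distinct sources seen in one window}.
    """
    by_account = defaultdict(list)
    for ts, account, ip, device in sorted(events):
        by_account[account].append((ts, (ip, device)))
    flagged = {}
    for account, logins in by_account.items():
        for i, (ts, src) in enumerate(logins):
            sources = {src}
            for ts2, src2 in logins[i + 1:]:
                if ts2 - ts > window:
                    break
                sources.add(src2)
            if len(sources) >= min_sources:
                flagged[account] = max(len(sources), flagged.get(account, 0))
    return flagged

if __name__ == "__main__":
    for account, n in find_shared_accounts(parse(SAMPLE_LOG)).items():
        print(f"{account}: {n} distinct sources within 15 minutes, likely shared")
```

On the sample, crm_shared is flagged with three distinct sources in one window while the personal accounts are not. A hit is a lead for an access review, not proof by itself: a user switching between a desktop and a phone can also produce two sources, which is why the threshold and window are parameters.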

What solutions are available to prevent access sharing?
There are two very simple solutions to limit the sharing of access between users, which compromises the security of the information system.
Strengthen account security
The first solution is to implement two-factor authentication (2FA or MFA). With each login attempt, an SMS containing a one-time code is sent, and the user must enter that code to complete authentication. 2FA can also rely on a mobile application such as Google Authenticator or Auth0 Guardian.
This more demanding, individualized authentication cannot stop users from forwarding the codes they receive by SMS or reading out temporary Google Authenticator codes to each other, but it at least limits sharing (it is hard to forward 10 SMS every day when 10 people share the account) and makes users aware that they are circumventing a security control, whereas sharing a password may have seemed harmless to them.

Streamline account management: automation!
Why do users share accounts? Very often because they do not want to wait for the IT department to create an account, and because nobody wants to create and deactivate accounts by hand for each intern, 10 times a week.
So automation is a good thing: if the account is created and suspended automatically according to arrivals and departures, everyone is happy, and there is no need to share the same access anymore.
Some automation systems even allow sending credentials by SMS to the newly arrived employee, which allows them to have quick and secure access to the company's tools.
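The lifecycle automation described above boils down to reconciling the HR roster with the account directory on a schedule. The following added example (not from the original article, and not any particular provisioning product) does that reconciliation: it computes which accounts to create and which to suspend for a given date, then issues a random initial password for each new account to be handed over out of band. The roster, directory contents and dates are constructed.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Person:
    """One row of the HR roster."""
    login: str
    start: date
    end: Optional[date]  # None means still employed

def plan_changes(roster: list, directory: dict, today: date) -> tuple:
    """Compare HR data with the directory ({login: "active" | "suspended"}).

    An account should be active exactly when the person is employed on
    `today`; returns (logins to create or reactivate, logins to suspend).
    """
    should_be_active = {
        p.login for p in roster
        if p.start <= today and (p.end is None or today <= p.end)
    }
    active_now = {login for login, status in directory.items() if status == "active"}
    return sorted(should_be_active - active_now), sorted(active_now - should_be_active)

def initial_password(length: int = 16) -> str:
    """Random one-time password, meant to be changed at first login."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def apply_changes(directory: dict, to_create: list, to_suspend: list) -> dict:
    """Apply the plan to the (simulated) directory. Returns {login: initial
    password} for the out-of-band handover, e.g. by SMS to the newcomer."""
    handover = {}
    for login in to_create:
        directory[login] = "active"
        handover[login] = initial_password()
    for login in to_suspend:
        directory[login] = "suspended"   # suspend rather than delete: keeps the audit trail
    return handover

# Constructed sample data (not from the article)
ROSTER = [
    Person("a.martin", date(2023, 1, 9), None),
    Person("intern.lee", date(2023, 6, 1), date(2023, 8, 31)),   # left last summer
    Person("intern.roy", date(2024, 3, 4), date(2024, 8, 30)),   # starts today
]
DIRECTORY = {"a.martin": "active", "intern.lee": "active"}     # nobody suspended intern.lee

if __name__ == "__main__":
    create, suspend = plan_changes(ROSTER, DIRECTORY, date(2024, 3, 4))
    print("create:", create, "suspend:", suspend)
    handover = apply_changes(DIRECTORY, create, suspend)
    print("directory now:", DIRECTORY)
    print("one-time passwords to deliver out of band:", handover)
```

Running the job daily is what makes the "intern from 3 years ago" problem disappear: the departure date in HR is enough to suspend the account, and a returning person gets their own account reactivated rather than someone else's password.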