The different types of account sharing
When every member of a team needs access to an application, account sharing is common practice: several people end up using one colleague's account.
"What's your password?"
This is the traditional method of account sharing: you ask a colleague for their login details so that you can sign in to their account and reach the CRM or marketing tool you need. Users prefer it because it is the quickest and least demanding. The IT team, of course, sees it as a security hole: passwords, sometimes critical ones guarding a CRM full of customer data, are exchanged out loud across the open-plan office, overheard by other users, and end up handing company information to anyone who cares to listen.
Password manager sharing
This method requires that both users involved (the one sharing the login and the one using it) have a password manager. Password managers (such as Dashlane, 1Password or LastPass) are designed first to store passwords and to log you in to your applications automatically, the software filling in the password for you. They can also share a password between users, and by default the recipient does not see the password itself, because the manager fills it in on their behalf.
This method has the merit of being somewhat more rigorous, because sharing leaves a trace: the manager records who a password was shared with. Note what that trace does not cover, though: the application itself still sees a single account, so it cannot tell which of the recipients performed a given action. And it has a clear weak point: the recipient can usually reveal the password in clear text (a single click in most managers, or simply reading it out of the login form it was filled into), keep a copy, and go on using the access after the original owner has stopped sharing it. Stopping the share revokes nothing unless the password is also changed.
Authorization-based access sharing
This method is the most rigorous: each user authenticates with their own credentials, and a permission on the shared resource decides whether that identity may use it. The best example is shared mailboxes in Office 365 or Google Workspace: every user keeps their own password, and the permissions set on the shared mailbox determine who can open it. Because nobody needs to know the mailbox's own password, withdrawing access is a permission change that takes effect immediately, with no password to rotate and redistribute, and every action is logged under the individual who performed it. That removes the two weaknesses of the previous methods: the uncontrolled spread of a secret, and anonymous use.
The dangers of shared access
The reasons why users share accounts are rarely noble. Whether it is to avoid paying for extra licences ("it's expensive, and I hardly use it") or for convenience ("I'm not going to create an account for every trainee!"), account sharing is a real threat to corporate data security.
In the first two methods the password is simply handed to several people without any control. Trainees follow one another using the same login and password, and the trainee who left three years ago can still open the internal CRM if they wish. Once in, they can read the data and pass information about the company's prospects to the competitor they now work for. They can also alter or delete records, disrupting the company's commercial, financial or technical activity. Nothing short of changing the password, and redistributing it to everyone still legitimately using the account, closes that door.
The second danger is the lack of traceability. A shared account is an anonymous account: none of the actions performed with it can be attributed to a named person, because any of several users, sometimes dozens, may have performed them. An incident investigation therefore ends at the account name.
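To make the difference between the third method and the first two concrete, here is a small Python model of authorization-based access, added as an example for this article (it is not code from any of the products mentioned). Each person authenticates with their own password against a directory; an ACL on the shared resource decides who may act; and the audit log records a named identity for every action and every refusal. Revoking the trainee is a single ACL change that leaves everyone else's password untouched. All users, passwords and the "sales-crm" resource are constructed for the demo.

```python
"""Added example (not from the original article): authorization-based access to a
shared resource. Users authenticate with their own password; an ACL on the resource
decides who may act, and every action is recorded under a named identity.
All users, passwords and the 'sales-crm' resource are constructed for the demo."""
from dataclasses import dataclass
import hashlib
import hmac
import os


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes


class Directory:
    """Identity provider: one credential per person, never shared."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}

    def add(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _derive(password, salt))

    def authenticate(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        return user is not None and hmac.compare_digest(user.pw_hash, _derive(password, user.salt))


class SharedResource:
    """A resource such as a shared mailbox or CRM. Authentication proves who is
    asking; the ACL decides whether that identity may act; the audit log keeps
    the 'who' attached to every action or refusal."""

    def __init__(self, name: str, directory: Directory) -> None:
        self.name = name
        self.directory = directory
        self.acl: set[str] = set()
        self.audit: list[tuple[str, str]] = []

    def grant(self, user: str) -> None:
        self.acl.add(user)

    def revoke(self, user: str) -> None:
        # Revocation is a permission change only: no password is rotated,
        # no other user is disturbed.
        self.acl.discard(user)

    def act(self, user: str, password: str, action: str) -> bool:
        if not self.directory.authenticate(user, password):
            self.audit.append((user, f"DENIED bad credentials: {action}"))
            return False
        if user not in self.acl:
            self.audit.append((user, f"DENIED not authorized: {action}"))
            return False
        self.audit.append((user, action))
        return True


def demo() -> list[tuple[str, str]]:
    """Two colleagues share a CRM; the trainee leaves and is revoked."""
    directory = Directory()
    directory.add("alice", "alice-pw-3")        # constructed credentials
    directory.add("bob", "bob-trainee-pw")
    crm = SharedResource("sales-crm", directory)
    crm.grant("alice")
    crm.grant("bob")
    crm.act("alice", "alice-pw-3", "read customer list")
    crm.act("bob", "bob-trainee-pw", "read customer list")
    crm.revoke("bob")                            # internship over: one ACL change
    crm.act("bob", "bob-trainee-pw", "export customer list")   # still authenticates, no longer authorized
    crm.act("alice", "alice-pw-3", "read customer list")       # alice's access and password unchanged
    return crm.audit


if __name__ == "__main__":
    for who, what in demo():
        print(f"{who:6} {what}")
```

The audit trail produced by `demo()` names "bob" on the refused export after revocation; with a shared login the same event would be logged against the shared account, and the only way to lock bob out would have been a password change pushed to every remaining user.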
How to avoid shared access?
There are two simple measures that limit this sharing of access, which compromises the security of the information system.
Strengthening account security
The first is to require two-factor authentication (2FA, or more generally MFA). At each login attempt a one-time code is sent by SMS, and the user must enter it to complete authentication. The second factor can also be a mobile application such as Google Authenticator or Auth0 Guardian, which generates the code on the phone itself; this is preferable to SMS, which can be intercepted or redirected by SIM-swap fraud.
This more individualized authentication cannot stop users from forwarding the SMS codes they receive, or reading their Authenticator code out to a colleague, but it has two merits: it makes sharing painful (sending ten codes a day to ten colleagues is hard to sustain), and it makes users aware that they are circumventing a security control, where passing on a password may have seemed harmless to them.
Account management made easy: automation!
Why do users share accounts? Very often because they do not want to wait for IT to create an account, or because nobody wants to create and deactivate accounts by hand for each trainee, ten times a week.
So automation is the answer: if accounts are created and suspended automatically from arrivals and departures (typically driven by the HR system), everyone is happy and there is no longer any reason to share a login.
Some automation systems can even send login details by SMS to newly arrived employees, giving them rapid access to company tools; that initial password should be temporary and changed at first login.
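The core of such automation is a reconciliation between the HR roster and the application's account list. The Python below is added as an example for this article (not a product's code) and assumes an HR export with a login, a start date and an optional end date per person, and an application account list with an active flag; both datasets are constructed inline. It also flags accounts nobody in HR owns, which is exactly where a shared "trainees" login turns up, and it is idempotent: running it twice produces no further changes.

```python
"""Added example (not from the original article): joiner/leaver reconciliation
between an HR roster and an application's accounts. Data formats and all names
are assumptions constructed for the demo."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    login: str
    start: date
    end: Optional[date]          # None = open-ended contract


@dataclass
class AppAccount:
    login: str
    active: bool


# Constructed sample data: today is carol's first day, bob's internship ended two days ago,
# and "stagiaires" is a shared trainee login that no HR record owns.
TODAY = date(2024, 9, 2)
HR_ROSTER = [
    HrRecord("alice", date(2021, 3, 1), None),
    HrRecord("bob", date(2024, 7, 1), date(2024, 8, 31)),
    HrRecord("carol", date(2024, 9, 2), None),
]
APP_ACCOUNTS = {
    "alice": AppAccount("alice", True),
    "bob": AppAccount("bob", True),
    "stagiaires": AppAccount("stagiaires", True),
}


def reconcile(hr: list[HrRecord], accounts: dict[str, AppAccount], today: date) -> dict[str, list[str]]:
    """Return the provisioning actions that bring `accounts` in line with HR as of `today`."""
    actions: dict[str, list[str]] = {"create": [], "reactivate": [], "suspend": [], "orphan": []}
    should_be_active = {r.login for r in hr if r.start <= today and (r.end is None or today <= r.end)}
    hr_logins = {r.login for r in hr}

    for login in sorted(should_be_active):          # joiners and returners
        acct = accounts.get(login)
        if acct is None:
            actions["create"].append(login)
        elif not acct.active:
            actions["reactivate"].append(login)     # e.g. a contract that was extended after suspension

    for login, acct in sorted(accounts.items()):    # leavers and unowned accounts
        if login not in hr_logins:
            actions["orphan"].append(login)         # no owner in HR: a shared or service login to review
        elif acct.active and login not in should_be_active:
            actions["suspend"].append(login)        # suspend, don't delete: keeps history attributable
    return actions


def apply_actions(actions: dict[str, list[str]], accounts: dict[str, AppAccount]) -> None:
    """Apply create/reactivate/suspend. Orphans are only reported: a human decides
    whether each is a legitimate service account or a shared login to retire."""
    for login in actions["create"]:
        accounts[login] = AppAccount(login, True)
    for login in actions["reactivate"]:
        accounts[login].active = True
    for login in actions["suspend"]:
        accounts[login].active = False


if __name__ == "__main__":
    accounts = {k: AppAccount(v.login, v.active) for k, v in APP_ACCOUNTS.items()}
    plan = reconcile(HR_ROSTER, accounts, TODAY)
    print("first run:", plan)
    apply_actions(plan, accounts)
    print("second run:", reconcile(HR_ROSTER, accounts, TODAY))
```

Suspending rather than deleting keeps the leaver's past actions attributable to a named account, which is the traceability the shared login never had; the orphan list is the place to hunt down the "stagiaires"-style accounts this article warns about.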