7
SA-5
1y

Now... I understand 2FA is to make things more secure, and I do appreciate it. BUT can we please work out a damn solution for people who work in an agency for other corporates which only have one shared account across the agency that bundles one phone number or mobile app.

What if people are on leave or sick? I need stupid 2FA to be able to log in/work. uhhhhhhh.....

Comments
  • 13
    > which only have one shared account
    All hope is already lost
    There isn't a magical solution that can just make that secure

    And btw the same 2FA secret can be used on multiple devices
  • 2
    Companies with good security practices should not have troubles with that.

    If you are the one tasked with making the aforementioned true, ask for a raise😄
  • 5
    Let's just stop you at the "shared account" part.

    Those two words are >> EXACTLY << how you fix this issue.

    "But, my company can't afford individual licenses"

    But they somehow manage to afford a data breach in this day and age instead... ok son!
  • 0
    @devRancid depends. Some solutions do not allow that
  • 1
    Mhm, let's see:

    - QR-Code: Screenshot
    - Email: one account for each service, then automatically forward
    - SMS: automatically forward by email (might be non-trivial to implement?)

    Congratulations, you have now successfully circumvented 2FA! I hope you are proud of yourself.
  • 1
    @CoreFusionX @C0D4 There are two problems with that. First, a lot of solutions simply don't have a way to share resources across multiple accounts, and second, those that do often charge per account, e.g. if I want to share the resources across multiple accounts I need to upgrade to some premium plan and pay several times more. Now sure, there are cases where security concerns outweigh the extra price, but what's the security concern with a tool for cross-client email testing? The breach will reveal a bunch of broken templates? Well, I can live with that if it saves $200 per month...
  • 0
    Yes, it is difficult, but in some cases you have the option to save some random codes (like Dropbox provides) which you can use for 2FA
  • 0
    @C0D4 While I agree there are many services that don't support this, sometimes there is just no alternative.

    Which succ.
  • 4
    "one shared account"

    With very, very, very few exceptions, the advice you're going to get from any security professional will be something along the lines of "Don't. Please don't. Holy shit DO NOT."

    But if you don't care about potential security breaches, save the 2FA secret or QR code to a LAN share or shared password manager or wherever you saved the password for this account. Whoever needs access can import it into their phone and you can all proceed to violate license terms and security best practices at your leisure.

    Edit: although if you use push-based 2FA rather than code-based, you're probably boned.