My team and I use a few shared accounts, and I know from attending your training that it’s not safe to share passwords via text or email. So, how can my team and I safely share passwords? And two-factor authentication codes for that matter?

Thanks for your help,

Sharing is Caring

Dear Sharing is Caring,

I love this question. Thank you for asking! It’s sensible and prudent to, within reason, share resources where we can. The good news is that we can use tools to help us safely share account information across teams.

Let’s start with passwords. As you recall from your training session, we are big into password managers as a solution for storing your passwords and generating new ones, and we usually recommend 1Password and BitWarden. Both of these tools offer a way to share passwords among teammates. In 1Password, team members in the same account share items through shared vaults, and the Password Secure Sharing Tool (Psst!) generates a time-limited link for sending a single item to someone outside the account. In BitWarden, the equivalent feature is Collections within an organization. Whichever tool you use, stay focused on which team members can access privileged information about which accounts, and grant access to a shared vault or collection only to the people who actually need it.

Sharing two-factor authentication (2FA) codes gets a little more interesting. There are many things to consider here, but let me assure you that it is well worth the small effort to make sure your accounts require that second factor: a second piece of information beyond the password, typically a six-digit code generated by an app on your device or sent to it by text message.

The hands-down easiest way to get 2FA codes into the hands of your teammates is to use your password manager’s time-based one-time password (TOTP) feature. You’ll first need to have TOTP 2FA enabled on the account in question; check which accounts offer this feature at 2fa.directory. Once that’s set up, add the TOTP secret (the key the provider shows as a QR code or text string when you enable 2FA) to the account’s item in your shared 1Password vault or BitWarden collection, and every teammate with access to that item will see the same rotating codes. Heads up, though: even though storing TOTP in your password manager is one of the paths of least resistance for sharing your 2FA, this method doesn’t sit well with many security researchers, because the password and the second factor now live in the same place and a compromise of the vault gives up both. (On the other hand, as my colleague Martin puts it, “breaking into a password manager like 1Password is not trivial.”)
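To make concrete why the TOTP-in-vault approach collapses the two factors into one, here is an added example (mine, not from this column and not 1Password’s or BitWarden’s code): a small RFC 6238 implementation in Python. The secret is the RFC’s published test key, not a real account secret, and the function names are my own. Anyone who can read the base32 secret from the shared item can run this and produce every valid code, now and in the future, which is exactly what the shared vault hands to each teammate.

```python
import base64
import hashlib
import hmac
import struct
import time

# Test secret from RFC 6238 Appendix B ("12345678901234567890"), encoded the
# way authenticator apps and password managers store it: base32, unpadded.
# This is a published test value, not a real account secret.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 TOTP secret as shown on a provider's 'manual entry'
    screen. Tolerates spaces and lowercase, and restores the '=' padding
    that most providers omit."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic
    truncation to 31 bits, then reduce mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at=None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to floor(unix_time / step).
    Nothing here is secret except the key; the clock is public."""
    if at is None:
        at = int(time.time())
    return hotp(decode_secret(secret_b32), int(at) // step, digits)


def verify_totp(secret_b32: str, code: str, at=None, step: int = 30,
                window: int = 1) -> bool:
    """What the account provider does on login: accept the code for the
    current step and `window` steps either side to absorb clock drift,
    comparing in constant time."""
    if at is None:
        at = int(time.time())
    return any(
        hmac.compare_digest(totp(secret_b32, at + k * step, step), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Two teammates holding the same vault item produce identical codes.
    now = int(time.time())
    code_a = totp(RFC6238_SECRET_B32, now)
    code_b = totp(RFC6238_SECRET_B32, now)
    print("teammate A:", code_a)
    print("teammate B:", code_b)
    print("accepted by the provider:", verify_totp(RFC6238_SECRET_B32, code_a, now))
```

The `verify_totp` window is the provider’s concession to clock drift, not a weakness you can widen from the client side; the thing to notice is that every input to `totp` other than the secret is public, so the secret is the whole second factor.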

Dedicated 2FA applications like Authy approach the problem by syncing 2FA codes to multiple devices. However, every extra device that can produce your codes is another access point a bad actor can go after when attempting to break into the account. (Authy knows this, and yet some breaches still occur.) If you choose this method, keep tight control over which devices can access your 2FA codes: remove any device you don’t recognize, and turn off multi-device enrollment once the devices you intend to use are set up.

These two methods assume, of course, that your account providers offer TOTP in the first place. For those that don’t, you may be able to create an account-specific email address that receives 2FA codes by email. This is our least favorite option, but some form of 2FA is better than nothing! Email forwarding can get that code into the right hands, but be forewarned that it will go to every team member set to receive the forwards, so keep that list short. At least those inboxes are accounts you control and can protect with strong passwords and 2FA of their own.

Before I sign off, I do want to note that it’s fair game to have a security strategy for shared accounts that’s different from the one you use for your own individual accounts. In other words, you can decide, for instance, that storing TOTP in your password manager is acceptable only when the account is accessed by multiple people. Under any other circumstance, it’s prudent to keep the second factor on a separate channel from the password. (Here is our plug for security keys, which we love very much.)

Thank you again for asking this great question! Hope to see you at another training sometime soon.

With all best wishes,

Davis Erin Anderson