Ask HN: How does your team share OTPs?
Previously I assumed that for most platforms sharing accounts (and OTPs) was some sort of TOS violation and wouldn't take place in a corporate setting. I have since become aware that sharing OTPs within a company or team is fairly commonplace, and sometimes involves very creative solutions. Does this happen at your company/team, and what solutions do you use?
7 comments
[ 4.4 ms ] story [ 55.0 ms ] thread- Using a Google Voice phone number to receive codes and forward them to an email list.
- Using a texting SasS to receive codes (the SaaS, of course, can't require 2FA itself otherwise you're in a pickle)
- DMing the account owner on Slack
- Saving the TOTP key in a password manager
Most of these solutions seem to defeat the purpose of 2FA in the first place.
Say I have 300 employees and 10% will eventually need to access an account (random sample, unknowable beforehand). Does it make sense to have all 300 create accounts vs just putting the info in a password manager for the 10% and calling it a day?
Of course at this point you should just disable 2FA if you're going to defeat all it's security benefits, but more and more 2FA isn't optional.
But we don’t share any OTPs.
This is the kind of obstacle I assume big tech companies have worked out extremely well, but small-midsized non-tech companies probably get horribly wrong.
Suffice it to say that the Enterprise solution of CyberArk Password Vault might be tolerable for a pure Windows shop, I believe that it is most unwelcome in a mixed platform shop. I deal with it as little as possible. I’m sure it ticks all the boxes that the security guys and bean counters want, but it is most unpleasant to deal with at the pointy end of the stick.
Amazon-style hardware tokens work really well, in my experience. But they can’t be used for shared or vaulted password solutions.