Ask HN: How does your team share OTPs?

3 points by obventio56 ↗ HN
Previously I assumed that for most platforms sharing accounts (and OTPs) was some sort of TOS violation and wouldn't take place in a corporate setting. I have since become aware that sharing OTPs within a company or team is fairly commonplace, and sometimes involves very creative solutions. Does this happen at your company/team, and what solutions do you use?

7 comments

[ 4.4 ms ] story [ 55.0 ms ] thread
To kickoff my own post, solutions I've seen include:

- Using a Google Voice phone number to receive codes and forward them to an email list.

- Using a texting SasS to receive codes (the SaaS, of course, can't require 2FA itself otherwise you're in a pickle)

- DMing the account owner on Slack

- Saving the TOTP key in a password manager

Most of these solutions seem to defeat the purpose of 2FA in the first place.

I assumed this is implemented by people that don't know better. Why would you want to promote this instead of normal multi-user solution?
Workarounds are usually just a symptoms of an institutional issue - broken tooling, missing functionality, bad UI...I'd be surprised if people wouldn't use a proper solution if it were available, especially considering the hoops they are willing to jump to do it wrong
I think ignorance is a factor, but also legitimate multi-user solutions might involve a lot more friction than these workarounds (or not exist at all).

Say I have 300 employees and 10% will eventually need to access an account (random sample, unknowable beforehand). Does it make sense to have all 300 create accounts vs just putting the info in a password manager for the 10% and calling it a day?

Of course at this point you should just disable 2FA if you're going to defeat all it's security benefits, but more and more 2FA isn't optional.

We don’t. We do use secure password vault solutions for passwords themselves, which includes auto-rotation after a short period of time that you check the password out, as well as normal auto-rotation on a regular schedule.

But we don’t share any OTPs.

This is the kind of setup I would expect. What kind of place do you work (big/small, tech/not)?

This is the kind of obstacle I assume big tech companies have worked out extremely well, but small-midsized non-tech companies probably get horribly wrong.

If I tell you where I work, then I can’t tell you anything more about the technology.

Suffice it to say that the Enterprise solution of CyberArk Password Vault might be tolerable for a pure Windows shop, I believe that it is most unwelcome in a mixed platform shop. I deal with it as little as possible. I’m sure it ticks all the boxes that the security guys and bean counters want, but it is most unpleasant to deal with at the pointy end of the stick.

Amazon-style hardware tokens work really well, in my experience. But they can’t be used for shared or vaulted password solutions.