2-step verification solutions provide an often-necessary extra layer of security for a variety of login processes, including software and web-based credential verifications. While 2-step verification enhances security for a single user, how does one manage the logins for multiple users/accounts?
Let me provide an example. Let’s say you work for an MSP (Managed Services Provider) and have multiple clients that are using 2-step verification to protect their email and other platforms. Your support team needs access to these accounts regularly to perform admin functions, but you keep running into issues when trying to log in because of the 2-step verification enabled on each account.
This issue is complicated enough in SMBs, but as a company expands and more users are added to your scope of responsibility, many of the typical solutions for managing clients’ 2-step verification become obsolete.
As an MSP, you want to retain full control over the 2-step verification process while ensuring that your clients/customers have some freedom to edit 2-step verification settings (within reason). Furthermore, you should address some possible worst-case scenarios, such as a disgruntled former employee retaining access to client data from their personal devices. Depending on how your MSP is run, there may already be some form of exit strategy/procedure for employees who are terminated, such as changing all passwords (not an ideal way, just an example).
Regardless of how your MSP is set up, let’s get back to the original issue at hand: how can you efficiently manage all of your clients’ 2-step verification processes?
Probably the easiest to set up (yet most challenging to manage and secure) solution would be to merely have the 2-step verification codes sent from the customer to you, the MSP (via email, text, etc.). It is essential to understand the drawbacks of this method, such as relying on the customer to be available to send you the verification code and the security risk of transmitting a login credential over an unsecured channel.
Pros: No need to set up any additional procedures for accessing/managing the client’s 2-step verification process.
Cons: Relying on a customer to be available to send you the code is not optimal, nor is having no control over which channel they send it on; email, for example, is a common security weak point.
Store an ‘app-specific password’ in your documentation, and use that as the primary login information.
Pros: Can log in without dealing with 2-step verification prompts.
Cons: This password can be copied and negates the whole security aspect of 2-step verification.
Store the QR (Quick Response) code in your documentation. If you need access to the account, scan the QR code into a personal device using Google Authenticator or an equivalent app, and use the generated 2-step verification code to log in.
Pros: Can log in consistently, but adds some additional time of having to scan the QR code in when needing to access the account.
Cons: Unable to verify that the user has deleted the client’s 2-step verification entry from a personal device; because the QR code encodes the shared secret, any device that ever scanned it can keep generating valid codes indefinitely. Unable to control who has access to these accounts.
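To make the previous point concrete, here is an added example (not from the original post) of what an enrollment QR code actually carries and what anyone holding a copy of it can do with it. The QR image is just an otpauth URI; the sample URI below is constructed for this illustration, with the RFC 6238 reference key rather than a real account’s secret, and the account label, issuer name and function names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the payload a 2-step-verification enrollment QR code
# typically carries (an otpauth URI). The secret is the RFC 6238 test key
# "12345678901234567890" in base32, not a real account's secret.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleClient:admin%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleClient&digits=6&period=30"
)


def parse_otpauth(uri):
    """Extract the fields an authenticator app reads from an enrollment QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    label = unquote(parsed.path.lstrip("/"))
    secret = params["secret"][0]
    # Re-pad the base32 secret: enrollment URIs usually omit the '=' padding.
    padded = secret.upper() + "=" * (-len(secret) % 8)
    return {
        "label": label,
        "issuer": params.get("issuer", [None])[0],
        "key": base64.b32decode(padded),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def totp(key, unix_time, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1): HOTP over the current time-step counter."""
    counter = int(unix_time) // period
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def codes_from_qr_payload(uri, timestamps):
    """Every valid code at the given moments, derived from the QR payload alone.

    This is the whole point: the stored QR code is the credential. Nothing else
    is needed to produce correct codes for any moment, past or future.
    """
    info = parse_otpauth(uri)
    return [totp(info["key"], t, info["digits"], info["period"]) for t in timestamps]


if __name__ == "__main__":
    info = parse_otpauth(SAMPLE_OTPAUTH_URI)
    print("account:", info["issuer"], info["label"])
    # RFC 6238 reference moments (expected 287082, 081804, 005924) plus "now"
    for t in (59, 1111111109, 1234567890, int(time.time())):
        print(t, totp(info["key"], t, info["digits"], info["period"]))
```

Because the codes are a pure function of the secret and the clock, there is no server-side way to tell which device produced a given code; revoking a departed technician’s access means re-enrolling the account with a new secret (and replacing the stored QR code), not just asking them to delete the entry.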
There are numerous third-party solutions that manage and store multiple passwords, QR codes, user info, etc. While the features of each product vary, their primary function revolves around requiring only one password to access all of your accounts, including 2-step verification notifications. Check out apps such as Google Authenticator, Twilio Authy, Duo Mobile, and LastPass Authenticator, to name a few.
The most significant feature of using a third-party app to manage your clients’ login info is the ability to quickly change the login info for the third-party app itself. So, next time you fire an employee for excess meme usage, you can safeguard both your logins and your clients’ in a matter of seconds.
Pros: Increased security, accessibility, and scalability.
Cons: You lose master control, and these third-party services can be quite costly.
These are by far not the only methods of managing an extensive collection of accounts that use 2-factor authentication, but they should get you started in the right direction. Hope it helps.