Managing 2FA access for your services across your brigade leadership team

For brigades that have multiple people accessing the brigade’s services (email, social, services like AWS, etc.), how do you manage the services that require 2FA/MFA (two-factor authentication)?

Passwords can be shared securely through password managers (1Password, LastPass, etc.), but have you found anything more effective than relaying SMS codes to each other?

In general it is a bad security practice to share passwords, so I avoid it as much as possible. Most online services let you create individual accounts for each user, so we try to do that. For the few where we cannot avoid it because they don’t offer multiple accounts (or charge a lot for them), we usually have the person who uses it most own the second factor and then text or Slack it if someone else needs it.

At Code for Philly we self-host an instance of Vaultwarden (a lighter-weight implementation of the open-source Bitwarden server). For those without an appetite for self-hosting, the Bitwarden SaaS offering is a great option.

Bitwarden has really good org/collection structuring for shared credentials, and any shared credential can have a 2FA code generator attached to it: Bitwarden Authenticator (TOTP) | Bitwarden Help & Support

Basically, when going through the 2FA setup process for any service, instead of scanning the QR code there will usually be a “set up manually” link that shows you the code string contained in the QR code. You can paste that string into the Bitwarden entry for the credential, and the Bitwarden UI can then generate auth codes for anyone viewing it.

I know sharing credentials is generally frowned upon, but in practice brigades have a lot of volunteer turnover, and having to figure out who has access to a system and chase them down to send out invites is a major source of halted initiative. If you have a well-structured leadership team you can get strict about making sure every such service has a critical mass of leaders invited with admin access, and then make sure you document somewhere that those accounts exist and who has admin. But honestly, I think in most cases it’s better in practice to have a well-regulated central password vault with organized groups/teams, and to put the shared accounts for services in there. Maybe don’t do that for GCP/AWS accounts that spend a lot of money and are big targets for hackers, but for everything else I think the risk-of-breach vs. risk-of-stomping-out-initiative equation leans much more strongly towards making sure people can get into things with minimal friction. We’re not paying people, so we don’t have as much margin for frustrating access control as a corporate environment does.

Think about the story of adding someone to your leadership team. Do you want them to have access to nothing by default, until they hit a hurdle and then have to do the labor of chasing someone down? A better setup is to have a couple of shared collections of credentials in Bitwarden, grant new leaders access to some set of them while onboarding, and then they have everything they need, with some carve-outs for especially high-risk systems.
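To make concrete what the “set up manually” string actually is and what the vault does with it, here is an added Python example (not from the original post, and not Bitwarden’s or Vaultwarden’s code). It parses an otpauth:// URI of the kind the enrollment QR code encodes, decodes the base32 secret as a person would paste it, and computes TOTP codes per RFC 6238 with a small drift window for verification. The URI, its label and issuer are constructed for illustration; the secret and the expected codes are the published RFC 6238 SHA-1 test vectors, so the output can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed example of what a "set up manually" / QR enrollment string looks
# like. The label and issuer are made up; the secret is the RFC 6238 test key.
EXAMPLE_URI = (
    "otpauth://totp/Code%20for%20Philly:ops%40example.org"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Code%20for%20Philly"
    "&digits=6&period=30&algorithm=SHA1"
)


def parse_otpauth_uri(uri):
    """Parse an otpauth://totp/... URI into the fields a vault entry stores.

    Only 'secret' is mandatory; digits/period/algorithm fall back to the
    defaults every common authenticator assumes.
    """
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc.lower() != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("otpauth URI carries no secret")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer"),
        "secret": query["secret"],
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algorithm": query.get("algorithm", "SHA1").upper(),
    }


def decode_secret(secret_b32):
    """Decode a base32 secret as it is shown on a manual-setup page.

    Services often display it lowercase, grouped with spaces, and without the
    '=' padding that Python's decoder requires; normalise all of that first.
    """
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def totp(secret_b32, at=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP (RFC 4226) keyed on the current 30-second step."""
    key = decode_secret(secret_b32)
    now = int(time.time() if at is None else at)
    counter = now // period
    digest = hmac.new(key, struct.pack(">Q", counter),
                      getattr(hashlib, algorithm.lower())).digest()
    # Dynamic truncation: low nibble of the last byte picks a 4-byte window,
    # masked to 31 bits so sign never matters.
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, code, at=None, window=1, **kw):
    """Accept a code from the current step or +/- `window` neighbouring steps.

    The window tolerates clock drift between the vault and the service;
    compare_digest keeps the comparison constant-time.
    """
    period = kw.get("period", 30)
    now = int(time.time() if at is None else at)
    for step in range(-window, window + 1):
        expected = totp(secret_b32, at=now + step * period, **kw)
        if hmac.compare_digest(expected, code):
            return True
    return False


def codes_from_uri(uri, at=None):
    """Current code for an enrollment URI, the way a vault entry would show it."""
    e = parse_otpauth_uri(uri)
    return totp(e["secret"], at=at, digits=e["digits"],
                period=e["period"], algorithm=e["algorithm"])


if __name__ == "__main__":
    entry = parse_otpauth_uri(EXAMPLE_URI)
    print(entry["label"], entry["issuer"])
    print("code at t=59:", codes_from_uri(EXAMPLE_URI, at=59))
    print("code now:   ", codes_from_uri(EXAMPLE_URI))
```

The practical consequence for the thread’s question: once that secret string sits in a vault entry, anyone who can read the entry can produce codes indefinitely, so the “second factor” now protects against a leaked password alone, not against a compromised vault member. That is exactly why the carve-out for high-value accounts (cloud billing, domain registrar) matters.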


Great points, y’all; especially Chris, for such a detailed answer and for noting the tradeoffs as well.