Is it possible to use SecurID 2FA for highly privileged shared accounts? I am currently using CyberArk to vault passwords for privileged accounts. When I check out a password, I would like to make sure that this account has to 2FA to the endpoint. The problem that I see is that all of my admins share these accounts. To me, that means that they also have to share a token. This is not possible, because they are distributed across the country, and a bad practice anyway. Can their individual tokens be mapped to other vaulted accounts so that they can 2FA to the endpoints? Is there any other solution?
3 Answers
Regardless of whether it's "bad practice", it's entirely possible to share a TOTP "shared secret" (string or QR code) at the time it's created, at which point you can have multiple virtual OTP devices which will generate the same codes.
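The point made in the answer above, that copying a TOTP seed at enrollment yields several "virtual devices" that all produce identical codes, can be shown with a minimal RFC 6238 implementation. This is an added example; it is not code from the original post, from RSA SecurID or from CyberArk, and SecurID's proprietary token algorithm is not TOTP, so the code stands in for any seed-based OTP. The seed (the RFC 4226/6238 test-vector key), the holder names and the timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
from typing import Dict, Iterable


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def decode_base32_seed(seed_b32: str) -> bytes:
    """Decode a base32 seed as carried in an otpauth:// enrollment QR code; restore stripped padding."""
    s = seed_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def provision_shared(seed_b32: str, holders: Iterable[str]) -> Dict[str, bytes]:
    """Enrol one seed into several 'virtual devices': exactly what sharing the QR code does."""
    seed = decode_base32_seed(seed_b32)
    return {name: seed for name in holders}


def codes_at(devices: Dict[str, bytes], unix_time: int) -> Dict[str, str]:
    """The code each holder's device displays at the given time."""
    return {name: totp(seed, unix_time) for name, seed in devices.items()}


def verify(secret: bytes, candidate: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check accepting +/- window time steps of clock drift.

    Note what this function cannot do: with one seed per account it learns nothing
    about which of the seed's holders typed the code.
    """
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), candidate)
        for d in range(-window, window + 1)
    )


# Constructed example seed: the RFC 6238 test-vector key "12345678901234567890", base32-encoded
# the way an enrollment QR code would carry it.
SHARED_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    # Hypothetical admins who were all shown the same enrollment QR code.
    admins = provision_shared(SHARED_SEED_B32, ["alice", "bob", "carol"])
    t = 59  # RFC 6238 test timestamp
    shown = codes_at(admins, t)
    print(shown)  # every holder displays the same code
    # A code generated on carol's device verifies against the seed alice enrolled with.
    print(verify(admins["alice"], shown["carol"], t))
```

Running this prints the same six-digit code for every holder and `True` for the cross-check, which is the whole of the sharing trick: the server holds one seed per account, so every copy of that seed is equally valid and indistinguishable.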
Shared accounts are themselves a bad practice, because you cannot know who is actually doing the access. Each "administrator" should have his own account, to which you would grant administrator privileges.
2FA is about using two authentication methods concurrently, working over two distinct categories. The categories are: "something you know", "something you own" and "something you are". Knowledge can be shared (i.e. two different persons may know the same password -- a bad practice, as I said above, but still feasible). The two other factors are intrinsically bound to physical individuals; for instance, if using a physical token ("something you own"), then that token can be in the hands of only one person at a time, which is the whole point.
Therefore, if you use two authentication factors, then at least one of them cannot be shared. It follows that 2FA is intrinsically incompatible, at a conceptual level, with a shared account. The consequence is that if you succeed in having a shared account, then you are not using 2FA (you might get a cheap plastic imitation of 2FA, but not the real thing).
Don't use shared accounts. Shared accounts are evil.
I agree that shared accounts are bad, but there is an existing infrastructure that I cannot change. To mitigate some risk, I am using CyberArk to manage the shared accounts. Root, for example. My admins log into CyberArk, get a password, then do the work they need to do with the credentials. I would still like to use SecurID to 2FA... Can it be done? – user2219930 Apr 01 '14 at 18:08
That makes sense. 2FA is supposed to represent something you own. So if you want to share it, you have to share the physical phone or fob or whatever it is among several people at the office. – Flimm Sep 18 '15 at 13:16
The best way to do this in CyberArk is to use an 'Exclusive' Platform Policy. With this enabled, you'll always have information on which of the shared users was using the account at a particular time. Hope this explains it.