They need central custody of the credential and MFA factors, plus a workflow that preserves usability without giving users direct control over the secret. The goal is to make MFA mandatory and recoverable, not optional or dependent on one employee holding the only code.
Why This Matters for Security Teams
Shared business accounts are often treated as a convenience problem, but they are really an identity custody problem. If one person controls the password, one authenticator, or one recovery channel, MFA becomes fragile and easy to bypass when that employee is unavailable, leaves, or is pressured into revealing access. NIST’s Cybersecurity Framework 2.0 reinforces that access control only works when governance is clear enough to sustain it during normal operations and recovery.
The risk is not theoretical. NHI Mgmt Group notes in the Ultimate Guide to Non-Human Identities that 79% of organisations have experienced secrets leaks, with 77% of those incidents causing tangible damage. Shared accounts concentrate that same failure mode into a single point of operational dependence. If MFA is set up in a way that any one user can disable, replace, or reset it, the organisation has not kept MFA in place at all. In practice, many security teams discover this only after an account is lost during staff turnover or an urgent handoff has already exposed the factor chain.
How It Works in Practice
The practical model is central custody plus controlled recovery. The organisation, not an individual employee, should own the shared credential, the MFA seed, and the recovery path. That usually means placing the secret in an approved vault, binding it to a business process, and requiring documented approval before release. For high-risk accounts, best practice is evolving toward passwordless or phishing-resistant factors, but where shared accounts still exist, the factor must be recoverable without becoming personally owned.
A workable setup typically includes:
- A vault or privileged access platform that stores the password and MFA recovery materials under administrative control.
- Time-bound access or checkout, so users receive the secret only for a defined task and lose access automatically afterward.
- Strong logging of who accessed the account, when it was used, and why it was needed.
- Backup recovery procedures that do not depend on a single person’s phone, email, or personal authenticator app.
- Periodic rotation of the shared secret and, where possible, re-enrollment of the MFA factor after major staff or vendor changes.
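The list above describes an architecture rather than a product, so here is a small added example (not code from the original article or from any vault vendor it mentions) that models those five properties in Python: the custodian holds the password and the TOTP seed, a user receives a time-bound checkout only with approval from a designated approver other than themselves, every release is written to an audit trail, offboarding revokes a departing user's live checkouts, and rotation re-enrolls the seed and kills outstanding checkouts. The key design point is that `get_otp` releases a single current code computed inside the custodian; the seed itself never reaches the user, which is what keeps the factor recoverable rather than personally owned. Account names, approver names, and the `Custodian` API are assumptions for illustration; the TOTP routine follows RFC 6238 with HMAC-SHA1.

```python
"""Illustrative custodian for a shared business account (added example, not a product)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`, as common authenticator apps compute it."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class SharedAccount:
    name: str
    owner: str                 # single accountable business owner
    password: str
    totp_seed: bytes           # lives only inside the custodian, never handed to a person
    approvers: frozenset       # people allowed to approve a checkout


@dataclass
class Checkout:
    user: str
    account: str
    reason: str
    approver: str
    expires_at: int


class Custodian:
    """Central custody: users get time-bound, approved, logged access; the seed stays here."""

    def __init__(self, clock=lambda: int(time.time())):
        self.clock = clock                         # injectable for testing
        self.accounts: dict[str, SharedAccount] = {}
        self.checkouts: dict[str, Checkout] = {}   # checkout token -> checkout
        self.audit: list[dict] = []

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": self.clock(), "event": event, **fields})

    def enroll(self, account: SharedAccount) -> None:
        self.accounts[account.name] = account
        self._log("enroll", account=account.name, owner=account.owner)

    def request_checkout(self, user: str, account: str, reason: str,
                         approver: str, ttl: int = 900) -> str:
        """Four-eyes rule: approval must come from a designated approver who is not the requester."""
        acct = self.accounts[account]
        if approver not in acct.approvers or approver == user:
            self._log("checkout_denied", user=user, account=account, approver=approver)
            raise PermissionError("approval must come from a designated approver other than the requester")
        token = secrets.token_urlsafe(16)
        self.checkouts[token] = Checkout(user, account, reason, approver, self.clock() + ttl)
        self._log("checkout", user=user, account=account, reason=reason, approver=approver)
        return token

    def _active(self, token: str) -> Checkout:
        """Expired or unknown tokens are dropped, so access ends automatically after the task."""
        co = self.checkouts.get(token)
        if co is None or self.clock() >= co.expires_at:
            self.checkouts.pop(token, None)
            raise PermissionError("no active checkout")
        return co

    def get_password(self, token: str) -> str:
        co = self._active(token)
        self._log("password_released", user=co.user, account=co.account)
        return self.accounts[co.account].password

    def get_otp(self, token: str) -> str:
        """Release one current code; the seed never leaves the custodian."""
        co = self._active(token)
        self._log("otp_released", user=co.user, account=co.account)
        return totp(self.accounts[co.account].totp_seed, self.clock())

    def offboard(self, user: str) -> int:
        """Formal offboarding: revoke every live checkout held by the departing user."""
        gone = [t for t, c in self.checkouts.items() if c.user == user]
        for t in gone:
            del self.checkouts[t]
        self._log("offboard", user=user, revoked=len(gone))
        return len(gone)

    def rotate(self, account: str, new_password: str) -> str:
        """Rotate the password, re-enroll a fresh seed, and invalidate outstanding checkouts.
        Returns the base32 seed for re-registration with the service's MFA enrollment,
        which is an operator step, not a release to end users."""
        acct = self.accounts[account]
        acct.password = new_password
        acct.totp_seed = secrets.token_bytes(20)
        self.checkouts = {t: c for t, c in self.checkouts.items() if c.account != account}
        self._log("rotate", account=account)
        return base64.b32encode(acct.totp_seed).decode()


if __name__ == "__main__":
    # Constructed walk-through with hypothetical names.
    vault = Custodian()
    vault.enroll(SharedAccount("payments-portal", "finance-lead", "pw-1",
                               secrets.token_bytes(20), frozenset({"finance-lead", "sec-oncall"})))
    tok = vault.request_checkout("alice", "payments-portal", "month-end run", "finance-lead", ttl=600)
    print("one-time code for alice:", vault.get_otp(tok))
    print("audit entries:", len(vault.audit))
```

In a real deployment the audit list would be shipped to the SIEM and the approver check would be backed by the directory, but the shape is the point: the user is never given the thing that would let them disable or move the factor.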
This is where NHI governance guidance becomes relevant. The Microsoft Midnight Blizzard breach is a useful reminder that long-lived access paths and weak control of credentials create durable exposure. Current guidance suggests treating shared business accounts like other sensitive NHIs: assign ownership, constrain use, monitor access, and remove direct human possession wherever possible. NIST CSF 2.0 supports the same operational direction by emphasizing controlled access and recoverable governance rather than informal sharing. These controls tend to break down when the account is used across multiple departments with no single business owner because accountability and recovery steps become inconsistent.
Common Variations and Edge Cases
Tighter custody often increases friction, requiring organisations to balance strong control against fast operational access. That tradeoff is real, especially for finance, support, and emergency break-glass accounts that multiple teams may need. For those accounts, the answer is not to weaken MFA, but to design around it with short approvals, delegated custodians, and audit-ready recovery steps.
There is no universal standard for this yet, but current guidance suggests a few distinctions matter. If the account is used by a small team, a centrally managed shared vault may be enough. If the account touches regulated data or privileged admin functions, separate factor custody from day-to-day user access and require higher-assurance recovery. If contractors or vendors need access, do not hand over the MFA factor directly; use bounded sessions or brokered access instead.
One common mistake is confusing shared account MFA with shared personal authentication. A group can share an account, but no single person should own the only factor. Another failure case is relying on SMS or a personal phone app that disappears when the employee leaves. Organisations that need durable control should prefer centrally managed authenticators, formal offboarding, and a documented recovery workflow. That approach is less convenient than ad hoc sharing, but it is the only way to keep MFA mandatory while preserving usability.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Shared accounts are NHI-style identities needing ownership and lifecycle control. |
| NIST CSF 2.0 | PR.AC-1 | Shared MFA depends on controlled, recoverable access authorization. |
| NIST AI RMF | | Governance principles apply to accountability, traceability, and recovery. |
Centralize approval and enforce least-privilege access for shared business accounts.