
Account sharing and MFA: why identity traceability breaks down


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Account sharing breaks the identity-to-action link that MFA depends on, making authentication confirm a valid account rather than the person behind it, according to Imprivata. That gap turns shared credentials into an accountability and audit problem, not just a password problem, and it keeps surviving because workflow friction still rewards shortcuts.

NHIMG editorial — based on content published by Imprivata: Account sharing undermines even the strongest MFA by disconnecting identity from access

By the numbers:

Questions worth separating out

Q: How should security teams handle account sharing when MFA is already enabled?

A: Security teams should remove shared credentials rather than rely on MFA to compensate for them.

Q: Why does account sharing create such a large governance problem?

A: Account sharing breaks the link between identity and action, which means security teams lose accountability, forensic clarity, and compliance evidence.

Q: What do organisations get wrong about shared accounts in high-friction workflows?

A: They treat shared credentials as an efficiency shortcut instead of a control failure.

Practitioner guidance

  • Eliminate shared credentials for privileged work: Move administrative, maintenance, and break-glass activity to individual identities so every elevated action maps to one accountable user.
  • Rebuild shared-workstation access around personal authentication: Use fast sign-in methods such as passkeys, biometrics, or mobile approval flows so rotating staff can access the same device without using a common login.
  • Test audit trails for attribution loss: Review logs for any system where an action cannot be traced to a single human identity.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • Examples of shared-workstation and privileged-account patterns that create account-sharing pressure
  • Identity-based authentication approaches that reduce friction without using shared credentials
  • The specific ways MFA prompts, tokens, and devices get passed between users in real environments
  • Why compliance and audit teams struggle when a login no longer maps to one person

👉 Read Imprivata's analysis of account sharing and MFA accountability →





   
Quote
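The "test audit trails for attribution loss" guidance above is the kind of check a security team can script. The block below is an added example, not code from the forum post, from NHIMG, or from Imprivata's article. It assumes a simple record shape (timestamp, account, device, action, MFA method) and a constructed sample log; the list of generic-account prefixes and the 30-minute concurrency window are assumptions a real deployment would replace with its own IAM inventory and session policy. It flags two kinds of attribution loss: privileged actions performed under a generic or shared account, and any account (named or not) that is active on more than one device inside the window, which is the pattern a passed-around login leaves behind even when every login completed MFA.

```python
"""Audit-log check for attribution loss under shared accounts (added example).

Walks a constructed set of authentication/action records and reports every
privileged action that cannot be traced to exactly one human identity.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: accounts with these prefixes are generic/shared by design.
# A real check would read this list from the IAM inventory instead.
SHARED_ACCOUNT_PREFIXES = ("shared-", "admin", "svc-", "breakglass")

# Assumption: actions the organisation treats as privileged.
PRIVILEGED_ACTIONS = {"sudo", "config_change", "user_create", "secret_read"}


def rec(ts, account, device, action, mfa=""):
    """Build one log record; `mfa` is the method that satisfied MFA on a login."""
    return {"ts": ts, "account": account, "device": device, "action": action, "mfa": mfa}


# Constructed sample log (not real data). Every login here passed MFA, which is
# exactly the point: MFA completed, yet attribution still fails in three cases.
SAMPLE_LOG = [
    rec("2024-05-01T08:00:05", "alice", "ws-01", "login", "passkey"),
    rec("2024-05-01T08:05:10", "alice", "ws-01", "config_change"),
    rec("2024-05-01T08:10:00", "bob", "ws-02", "login", "push"),
    rec("2024-05-01T08:12:30", "bob", "ws-02", "sudo"),
    rec("2024-05-01T08:00:40", "shared-nurse", "ws-03", "login", "totp"),
    rec("2024-05-01T08:07:15", "shared-nurse", "ws-04", "login", "totp"),
    rec("2024-05-01T08:08:00", "shared-nurse", "ws-04", "secret_read"),
    rec("2024-05-01T09:00:00", "admin", "ws-05", "login", "totp"),
    rec("2024-05-01T09:01:00", "admin", "ws-05", "user_create"),
    rec("2024-05-01T12:00:00", "carol", "ws-06", "login", "passkey"),
    rec("2024-05-01T13:30:00", "carol", "ws-07", "login", "passkey"),   # 90 min later: a normal device change
    rec("2024-05-01T13:35:00", "carol", "ws-07", "sudo"),
    rec("2024-05-01T14:00:00", "dave", "ws-08", "login", "push"),
    rec("2024-05-01T14:10:00", "dave", "ws-09", "login", "push"),       # 10 min later on a second device
    rec("2024-05-01T14:12:00", "dave", "ws-09", "sudo"),
]


def is_generic_account(name):
    """True when the account name marks it as shared rather than personal."""
    return name.startswith(SHARED_ACCOUNT_PREFIXES)


def find_concurrent_device_use(records, window=timedelta(minutes=30)):
    """Return {account: sorted devices} for accounts active on >1 device within `window`.

    Events are sorted per account; for each event we look forward through the
    events that fall inside the window and collect the distinct devices seen.
    """
    by_account = defaultdict(list)
    for r in records:
        by_account[r["account"]].append((datetime.fromisoformat(r["ts"]), r["device"]))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        for i, (ts_i, dev_i) in enumerate(events):
            devices = {dev_i}
            for ts_j, dev_j in events[i + 1:]:
                if ts_j - ts_i > window:
                    break
                devices.add(dev_j)
            if len(devices) > 1:
                flagged.setdefault(account, set()).update(devices)
    return {a: sorted(d) for a, d in flagged.items()}


def attribution_report(records, window=timedelta(minutes=30)):
    """Separate 'access completed' (MFA passed) from 'access attributed' (one human per action)."""
    flagged = find_concurrent_device_use(records, window)
    unattributable, privileged = [], 0
    for r in records:
        if r["action"] not in PRIVILEGED_ACTIONS:
            continue
        privileged += 1
        reasons = []
        if is_generic_account(r["account"]):
            reasons.append("generic/shared account")
        if r["account"] in flagged:
            reasons.append("active on %d devices within window" % len(flagged[r["account"]]))
        if reasons:
            unattributable.append({"ts": r["ts"], "account": r["account"], "action": r["action"],
                                   "device": r["device"], "reasons": reasons})
    attributable = privileged - len(unattributable)
    return {
        "mfa_completed_logins": sum(1 for r in records if r["action"] == "login" and r["mfa"]),
        "privileged_actions": privileged,
        "attributable": attributable,
        "unattributable": unattributable,
        "coverage": attributable / privileged if privileged else 1.0,
    }


if __name__ == "__main__":
    report = attribution_report(SAMPLE_LOG)
    print("logins that completed MFA: %d" % report["mfa_completed_logins"])
    print("privileged actions: %d, attributable: %d, coverage: %.0f%%"
          % (report["privileged_actions"], report["attributable"], 100 * report["coverage"]))
    for e in report["unattributable"]:
        print("  %s %-13s %-13s on %s: %s" % (e["ts"], e["account"], e["action"], e["device"], "; ".join(e["reasons"])))
```

On the sample data every one of the nine logins completed MFA, yet only half of the six privileged actions map to a single person: the generic `shared-nurse` and `admin` accounts fail by name, and `dave`, a personal account, fails because it was active on two workstations ten minutes apart. `carol`'s device change 90 minutes later is left alone, which is why the window is a policy parameter rather than a constant. The coverage figure is the metric the second post alludes to: it measures access attribution, not access completion, and a recertification or investigation can only rely on the attributable fraction.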
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Shared credentials are an accountability failure, not an authentication failure. MFA can still work mechanically while identity governance fails structurally, because the control no longer binds one person to one action. That means the organisation is measuring access completion instead of access attribution. The practitioner implication is that any programme built on shared logins is already accepting unverifiable activity as a normal state.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • That same research shows 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

A question worth separating out:

Q: What should teams do when privileged users resist moving away from shared logins?

A: They should replace the shared login with a faster individual access path and make the reporting value explicit. Privileged users usually resist because shared access feels simple, but investigations, recertification, and segregation of duties all depend on single-user attribution. That trade-off should be stated clearly in policy and workflow design.

👉 Read our full editorial: Account sharing weakens MFA by breaking identity accountability


