# MFA for shared accounts

How to set up MFA for shared accounts

---

Individual accounts with personal multifactor authentication (MFA) are the gold standard, but real team workflows don't always make that possible. When shared logins are unavoidable, the security of those accounts comes down to two things: where MFA codes are stored and who controls access. The answer to both is the same: secure the password and the time-based one-time password (TOTP) seed together in a controlled, encrypted vault, instead of on personal phones, in email threads, or in chat.

## How to set up MFA for shared accounts safely

Setting up MFA for shared accounts starts with one rule: the shared credential and its TOTP seed belong in one approved system, not scattered across personal devices or inboxes. Access is limited to authorized users, with a clear process for granting backup access, revoking access, and rotating secrets whenever team membership changes. This MFA configuration guide covers each of those steps in order.

### **Add the shared account login to a team vault**

Store the shared username and password in a [dedicated organizational vault](https://bitwarden.com/it-it/help/integrated-authenticator/). Assign access by [role or collection](https://bitwarden.com/it-it/help/collection-permissions/) so only the right users can retrieve the credential, and revoke it immediately when someone leaves or changes roles.

### **Save the TOTP secret or QR code in the same vault item**

When configuring MFA on the shared account, save the TOTP secret or QR code directly into the vault item alongside the login. The Bitwarden integrated authenticator for shared vault items generates codes from within the vault, so no team member needs a separate authenticator app to log in.

### **Limit access and test the shared login flow**

Before the workflow goes live, verify that every authorized user can retrieve both the password and the MFA code, and that unauthorized users cannot. Document who has access and set a regular review cadence to keep permissions current.

## MFA methods for shared accounts: a practical comparison

Not all MFA methods perform equally well in team settings. The table below shows where each option breaks down and where vault-based TOTP is stored.

| Shared SMS | Code goes to one phone; single point of failure; vulnerable to SIM-swapping attacks | Low-stakes personal accounts | Low |
|------|------|------|------|
| Shared email inbox | Inbox access is often broader than intended | Small teams with a monitored group inbox | Low |
| Hardware security key | Physical device must be present; difficult to share | High-privilege accounts with designated keyholders | Medium |
| Vault-based TOTP | Vault access must be configured correctly before rollout | Teams of any size managing shared credentials | High |

High admin control means admins can grant and revoke access to MFA codes at the user or role level without resetting the underlying account or touching the TOTP secret.

## Why SMS and email MFA fail under team conditions

When a code arrives on one person's phone or in a shared inbox, the entire team depends on that person being available. One out-of-office, and the account is unreachable. A lost phone or a compromised inbox puts both access and security at risk simultaneously.

## Why vault-based TOTP is more reliable for shared accounts

Storing MFA codes in a vault removes that dependency entirely. TOTP sharing through a vault lets authorized users generate codes directly, no forwarding, no waiting, no single point of failure.

When a team member leaves, [access is revoked in the vault rather than triggering a full MFA reset](https://bitwarden.com/it-it/help/revoke-users/) on the account. Teams that need shared two-factor authentication (2FA) across multiple logins benefit from the same approach: a single vault handles credential storage, access control, and secret rotation in one place.

When a team member leaves, access to the vault is revoked instead of having to reset the account's MFA.

## Access controls every shared MFA workflow needs

The controls that make shared MFA workable are the same ones that strengthen any shared credential workflow: auditability, least privilege, regular access reviews, and a fast deprovisioning process.

Least-privilege principles apply to shared MFA too. Not every user who needs the shared password also needs to manage the MFA configuration. [<u>Role-based vault access</u>](https://bitwarden.com/it-it/help/user-types-access-control/) lets admins keep those permissions separate.

Consider a marketing team that shares an ad platform login. One employee set up MFA on their personal phone when the account was created. When that employee leaves, the team loses access to the MFA codes. Resetting MFA on an active ad account can lock out campaigns mid-flight.

With vault-based TOTP sharing, the TOTP seed lives in the organizational vault, not on a personal device. Deprovisioning that employee means removing their vault access, not scrambling to recover MFA codes or interrupt active work.

> Deprovisioning an employee means removing vault access, not scrambling to recover MFA codes.

For a deeper look at structuring shared-credential workflows across teams, see "[<u>secure password sharing for organizations</u>](https://bitwarden.com/it-it/blog/password-sharing-with-organizations/)."

## Shared vault MFA checklist

Use this checklist to audit or build a shared MFA workflow for teams.

- Store all shared credentials and TOTP seeds in an approved organizational vault, not in personal authenticator apps, SMS, or chat.
- Restrict vault access to authorized users via role-based permissions or collections.
- Document who has access to each shared credential and review that list at least quarterly.
- Verify that every authorized user can retrieve the password and MFA code before the workflow goes live.
- Define rotation triggers: when a team member with vault access is deprovisioned, rotate the TOTP secret and password.
- Establish a backup access method (a secondary vault admin) so no single person is the sole keyholder.
- Test the deprovisioning process: confirm that removing vault access immediately prevents code retrieval.
- Log and review vault access events for shared credentials regularly.

## How Bitwarden supports shared account MFA

Shared MFA is only as secure as the platform managing it. Bitwarden Password Manager gives teams a single encrypted vault for shared credentials and TOTP code generation. The integrated authenticator functions as a team’s authenticator app, storing TOTP seeds directly in vault items so authorized users can generate codes without a separate app and without routing codes through personal devices or inboxes.

Role-based access and organizational collections give admins precise control. Grant or revoke credential access at the user or group level, deprovision a departing team member's access to shared logins and MFA codes in one step, and review vault event logs to see who accessed what and when.

> One vault. One access control model. One place to rotate secrets.

Bitwarden is a zero-knowledge encryption solution, meaning Bitwarden cannot read stored credentials or TOTP seeds. All encryption and decryption happen on the user's device. For teams evaluating business identity and access management options, Bitwarden supports the enterprise workflows that make shared account security practical at scale.

Ready to move shared MFA off personal devices and onto a controlled platform? Get started with a free trial of a Bitwarden [Teams or Enterprise plan](https://bitwarden.com/it-it/pricing/business/).

## Ottieni subito una sicurezza per le password potente e affidabile. Scegli il tuo piano.

## Personale

### Hai appena iniziato?

*Ottieni una gestione di base delle password oggi stesso. Sempre gratis.*

[Crea un account gratuito](https://bitwarden.com/go/start-free/)

---

### Premium

**$1.65** *al mese*

*Con fatturazione annuale a 19,80 USD*

Scopri le funzionalità premium

- Autenticatore integrato
- Allegati file
- Accesso di emergenza
- Blocco del phishing
- Report di sicurezza e altro

Condividi gli elementi della cassaforte con un altro utente

[Crea un account Premium](https://bitwarden.com/go/start-premium/)

---

### Famiglie

**$3.99** *al mese*

*Fino a 6 utenti, con fatturazione annuale a 47,88 USD*

Proteggi gli accessi della tua famiglia

- 6 account premium
- Condivisione illimitata
- Raccolte illimitate
- Spazio di archiviazione dell’organizzazione

Condividi gli elementi della cassaforte tra sei persone

[Inizia la prova gratuita per Famiglie](https://bitwarden.com/go/start-families-trial/)

---

Prezzi indicati in USD e basati su un abbonamento annuale. Tasse escluse.

## Business

### Teams

*Per team e aziende in crescita che devono muoversi rapidamente.*

**$4** *al mese / per utente, con fatturazione annuale*

**Nessun compromesso**

Tutte le funzionalità Premium, più funzionalità avanzate come:

- Condividi le credenziali in modo sicuro
- Controlla le attività con i log eventi
- Sincronizza la directory esistente
- Automatizza il provisioning con SCIM

[Avvia la prova gratuita](https://bitwarden.com/go/start-teams-trial/)

---

### Enterprise

*Per aziende che necessitano di protezione e controllo avanzati.*

**$6** *al mese / per utente, con fatturazione annuale*

**Massima protezione**

Tutte le funzionalità Premium e Teams, più funzionalità di livello enterprise come:

- Controllo granulare degli accessi
- Integrazione SSO senza password
- Recupero account semplificato
- Flessibilità di self-hosting
- Mitigazione dei rischi con Access Intelligence [novità]
- Piano Families gratuito per tutti gli utenti

[Avvia la prova gratuita](https://bitwarden.com/go/start-enterprise-trial/)

---

### Parla con le vendite

*Per le grandi organizzazioni, parla con un esperto di un piano su misura e scopri come Bitwarden può:*

*al mese*

- Ridurre il rischio di cybersecurity
- Aumentare la produttività
- Integrarsi perfettamente

Bitwarden si adatta ad aziende di qualsiasi dimensione per portare la sicurezza delle password nella tua organizzazione

[Parla con le vendite](https://bitwarden.com/talk-to-sales)

---

Prezzi indicati in USD e basati su un abbonamento annuale. Tasse escluse.