# MFA for shared accounts

How to set up MFA for shared accounts

---

Individual accounts with personal multifactor authentication (MFA) are the gold standard, but real team workflows don't always make that possible. When shared logins are unavoidable, the security of those accounts comes down to two things: where MFA codes are stored and who controls access. The answer to both is the same: secure the password and the time-based one-time password (TOTP) seed together in a controlled, encrypted vault, instead of on personal phones, in email threads, or in chat.

## How to set up MFA for shared accounts safely

Setting up MFA for shared accounts starts with one rule: the shared credential and its TOTP seed belong in one approved system, not scattered across personal devices or inboxes. Access is limited to authorized users, with a clear process for granting backup access, revoking access, and rotating secrets whenever team membership changes. This MFA configuration guide covers each of those steps in order.

### **Add the shared account login to a team vault**

Store the shared username and password in a [dedicated organizational vault](https://bitwarden.com/ja-jp/help/integrated-authenticator/). Assign access by [role or collection](https://bitwarden.com/ja-jp/help/collection-permissions/) so only the right users can retrieve the credential, and revoke it immediately when someone leaves or changes roles.

### **Save the TOTP secret or QR code in the same vault item**

When configuring MFA on the shared account, save the TOTP secret or QR code directly into the vault item alongside the login. The Bitwarden integrated authenticator for shared vault items generates codes from within the vault, so no team member needs a separate authenticator app to log in.

### **Limit access and test the shared login flow**

Before the workflow goes live, verify that every authorized user can retrieve both the password and the MFA code, and that unauthorized users cannot. Document who has access and set a regular review cadence to keep permissions current.

## MFA methods for shared accounts: a practical comparison

Not all MFA methods perform equally well in team settings. The table below shows where each option breaks down and where vault-based TOTP is stored.

| Shared SMS | Code goes to one phone; single point of failure; vulnerable to SIM-swapping attacks | Low-stakes personal accounts | Low |
|------|------|------|------|
| Shared email inbox | Inbox access is often broader than intended | Small teams with a monitored group inbox | Low |
| Hardware security key | Physical device must be present; difficult to share | High-privilege accounts with designated keyholders | Medium |
| Vault-based TOTP | Vault access must be configured correctly before rollout | Teams of any size managing shared credentials | High |

High admin control means admins can grant and revoke access to MFA codes at the user or role level without resetting the underlying account or touching the TOTP secret.

## Why SMS and email MFA fail under team conditions

When a code arrives on one person's phone or in a shared inbox, the entire team depends on that person being available. One out-of-office, and the account is unreachable. A lost phone or a compromised inbox puts both access and security at risk simultaneously.

## Why vault-based TOTP is more reliable for shared accounts

Storing MFA codes in a vault removes that dependency entirely. TOTP sharing through a vault lets authorized users generate codes directly, no forwarding, no waiting, no single point of failure.

When a team member leaves, [access is revoked in the vault rather than triggering a full MFA reset](https://bitwarden.com/ja-jp/help/revoke-users/) on the account. Teams that need shared two-factor authentication (2FA) across multiple logins benefit from the same approach: a single vault handles credential storage, access control, and secret rotation in one place.

When a team member leaves, access to the vault is revoked instead of having to reset the account's MFA.

## Access controls every shared MFA workflow needs

The controls that make shared MFA workable are the same ones that strengthen any shared credential workflow: auditability, least privilege, regular access reviews, and a fast deprovisioning process.

Least-privilege principles apply to shared MFA too. Not every user who needs the shared password also needs to manage the MFA configuration. [<u>Role-based vault access</u>](https://bitwarden.com/ja-jp/help/user-types-access-control/) lets admins keep those permissions separate.

Consider a marketing team that shares an ad platform login. One employee set up MFA on their personal phone when the account was created. When that employee leaves, the team loses access to the MFA codes. Resetting MFA on an active ad account can lock out campaigns mid-flight.

With vault-based TOTP sharing, the TOTP seed lives in the organizational vault, not on a personal device. Deprovisioning that employee means removing their vault access, not scrambling to recover MFA codes or interrupt active work.

> Deprovisioning an employee means removing vault access, not scrambling to recover MFA codes.

For a deeper look at structuring shared-credential workflows across teams, see "[<u>secure password sharing for organizations</u>](https://bitwarden.com/ja-jp/blog/password-sharing-with-organizations/)."

## Shared vault MFA checklist

Use this checklist to audit or build a shared MFA workflow for teams.

- Store all shared credentials and TOTP seeds in an approved organizational vault, not in personal authenticator apps, SMS, or chat.
- Restrict vault access to authorized users via role-based permissions or collections.
- Document who has access to each shared credential and review that list at least quarterly.
- Verify that every authorized user can retrieve the password and MFA code before the workflow goes live.
- Define rotation triggers: when a team member with vault access is deprovisioned, rotate the TOTP secret and password.
- Establish a backup access method (a secondary vault admin) so no single person is the sole keyholder.
- Test the deprovisioning process: confirm that removing vault access immediately prevents code retrieval.
- Log and review vault access events for shared credentials regularly.

## How Bitwarden supports shared account MFA

Shared MFA is only as secure as the platform managing it. Bitwarden Password Manager gives teams a single encrypted vault for shared credentials and TOTP code generation. The integrated authenticator functions as a team’s authenticator app, storing TOTP seeds directly in vault items so authorized users can generate codes without a separate app and without routing codes through personal devices or inboxes.

Role-based access and organizational collections give admins precise control. Grant or revoke credential access at the user or group level, deprovision a departing team member's access to shared logins and MFA codes in one step, and review vault event logs to see who accessed what and when.

> One vault. One access control model. One place to rotate secrets.

Bitwarden is a zero-knowledge encryption solution, meaning Bitwarden cannot read stored credentials or TOTP seeds. All encryption and decryption happen on the user's device. For teams evaluating business identity and access management options, Bitwarden supports the enterprise workflows that make shared account security practical at scale.

Ready to move shared MFA off personal devices and onto a controlled platform? Get started with a free trial of a Bitwarden [Teams or Enterprise plan](https://bitwarden.com/ja-jp/pricing/business/).

## 強力で信頼できるパスワードセキュリティを今すぐ。プランを選択してください。

## パーソナル

### 始めたばかりですか？

*今すぐ、基本的なパスワード管理を始めましょう。ずっと無料です。*

*月あたり*

*永久無料*

Bitwardenの保管庫を利用する

ボールトのアイテムを他の 1 人のユーザーと共有する

[今すぐ利用開始](https://bitwarden.com/go/start-free/)

---

### プレミアム

**$1.65** *月あたり*

*年間 $19.80 ドル請求されます*

プレミアム機能をお楽しみください

- Bitwarden 認証器
- ファイル添付
- 緊急アクセス
- フィッシング対策
- セキュリティレポートなど

ボールトのアイテムを他の 1 人のユーザーと共有する

[プレミアム アカウントを作成する](https://bitwarden.com/go/start-premium/)

---

### 家族

**$3.99** *月あたり*

*最大 6 ユーザー、年間 $47.88 請求されます*

あなたの家族のログインを保護してください

- 6 つのプレミアムアカウント
- 無制限の共有
- 無制限のコレクション
- 組織のストレージ

ボールトのアイテムを 6 人で共有する

[ファミリープランの無料トライアルを開始](https://bitwarden.com/go/start-families-trial/)

---

価格は米ドルで表示され、年間サブスクリプションに基づいています。税別。

## ビジネス

### チーム

*成長するチームのための強固な保護*

**$4** *月額/ユーザーごとに毎年請求*

**妥協なし**

同僚、部門間、または全社と安全に機密データを共有する

- 認証情報を安全に共有する
- イベントログでアクティビティを追跡する
- 既存のディレクトリを同期する
- SCIM によるプロビジョニングの自動化

すべてのユーザーにプレミアム機能を含む

[トライアルを開始する](https://bitwarden.com/go/start-teams-trial/)

---

### 企業

*大規模組織向けの高度な機能*

**$6** *月額/ユーザーごとに毎年請求*

**最大限の保護**

エンタープライズ ポリシー、パスワードなしの SSO、アカウントの回復などの高度な機能を利用する。

- きめ細かなアクセス制御
- パスワードレスSSO統合
- 簡単なアカウント回復
- セルフホストの柔軟性
- アクセス・インテリジェンスのリスク修復 [新規］
- すべてのユーザー向けの無料ファミリープラン

すべてのユーザー向けのプレミアム機能と補完的なファミリー プランが含まれる

[トライアルを開始する](https://bitwarden.com/go/start-enterprise-trial/)

---

### 営業に問い合わせる

*数百人または数千人の従業員を持つ企業のために、カスタム見積もりを取得するために営業に連絡し、Bitwarden がどのように役立つかを確認してください：*

*per month*

- サイバーセキュリティ リスクを軽減する
- 生産性を向上させる
- シームレスに統合する

Bitwarden は、パスワードのセキュリティを貴組織にもたらすために、どんな規模のビジネスにも対応する。

[営業に問い合わせる](https://bitwarden.com/talk-to-sales)

---

価格は米ドルで表示され、年間サブスクリプションに基づいています。税別。