# MFA for shared accounts

How to set up MFA for shared accounts

---

Individual accounts with personal multifactor authentication (MFA) are the gold standard, but real team workflows don't always make that possible. When shared logins are unavoidable, the security of those accounts comes down to two things: where MFA codes are stored and who controls access. The answer to both is the same: secure the password and the time-based one-time password (TOTP) seed together in a controlled, encrypted vault, instead of on personal phones, in email threads, or in chat.

## How to set up MFA for shared accounts safely

Setting up MFA for shared accounts starts with one rule: the shared credential and its TOTP seed belong in one approved system, not scattered across personal devices or inboxes. Access is limited to authorized users, with a clear process for granting backup access, revoking access, and rotating secrets whenever team membership changes. This MFA configuration guide covers each of those steps in order.

### **Add the shared account login to a team vault**

Store the shared username and password in a [dedicated organizational vault](https://bitwarden.com/pt-br/help/integrated-authenticator/). Assign access by [role or collection](https://bitwarden.com/pt-br/help/collection-permissions/) so only the right users can retrieve the credential, and revoke it immediately when someone leaves or changes roles.

### **Save the TOTP secret or QR code in the same vault item**

When configuring MFA on the shared account, save the TOTP secret or QR code directly into the vault item alongside the login. The Bitwarden integrated authenticator for shared vault items generates codes from within the vault, so no team member needs a separate authenticator app to log in.

### **Limit access and test the shared login flow**

Before the workflow goes live, verify that every authorized user can retrieve both the password and the MFA code, and that unauthorized users cannot. Document who has access and set a regular review cadence to keep permissions current.

## MFA methods for shared accounts: a practical comparison

Not all MFA methods perform equally well in team settings. The table below shows where each option breaks down and where vault-based TOTP is stored.

| Shared SMS | Code goes to one phone; single point of failure; vulnerable to SIM-swapping attacks | Low-stakes personal accounts | Low |
|------|------|------|------|
| Shared email inbox | Inbox access is often broader than intended | Small teams with a monitored group inbox | Low |
| Hardware security key | Physical device must be present; difficult to share | High-privilege accounts with designated keyholders | Medium |
| Vault-based TOTP | Vault access must be configured correctly before rollout | Teams of any size managing shared credentials | High |

High admin control means admins can grant and revoke access to MFA codes at the user or role level without resetting the underlying account or touching the TOTP secret.

## Why SMS and email MFA fail under team conditions

When a code arrives on one person's phone or in a shared inbox, the entire team depends on that person being available. One out-of-office, and the account is unreachable. A lost phone or a compromised inbox puts both access and security at risk simultaneously.

## Why vault-based TOTP is more reliable for shared accounts

Storing MFA codes in a vault removes that dependency entirely. TOTP sharing through a vault lets authorized users generate codes directly, no forwarding, no waiting, no single point of failure.

When a team member leaves, [access is revoked in the vault rather than triggering a full MFA reset](https://bitwarden.com/pt-br/help/revoke-users/) on the account. Teams that need shared two-factor authentication (2FA) across multiple logins benefit from the same approach: a single vault handles credential storage, access control, and secret rotation in one place.

When a team member leaves, access to the vault is revoked instead of having to reset the account's MFA.

## Access controls every shared MFA workflow needs

The controls that make shared MFA workable are the same ones that strengthen any shared credential workflow: auditability, least privilege, regular access reviews, and a fast deprovisioning process.

Least-privilege principles apply to shared MFA too. Not every user who needs the shared password also needs to manage the MFA configuration. [<u>Role-based vault access</u>](https://bitwarden.com/pt-br/help/user-types-access-control/) lets admins keep those permissions separate.

Consider a marketing team that shares an ad platform login. One employee set up MFA on their personal phone when the account was created. When that employee leaves, the team loses access to the MFA codes. Resetting MFA on an active ad account can lock out campaigns mid-flight.

With vault-based TOTP sharing, the TOTP seed lives in the organizational vault, not on a personal device. Deprovisioning that employee means removing their vault access, not scrambling to recover MFA codes or interrupt active work.

> Deprovisioning an employee means removing vault access, not scrambling to recover MFA codes.

For a deeper look at structuring shared-credential workflows across teams, see "[<u>secure password sharing for organizations</u>](https://bitwarden.com/pt-br/blog/password-sharing-with-organizations/)."

## Shared vault MFA checklist

Use this checklist to audit or build a shared MFA workflow for teams.

- Store all shared credentials and TOTP seeds in an approved organizational vault, not in personal authenticator apps, SMS, or chat.
- Restrict vault access to authorized users via role-based permissions or collections.
- Document who has access to each shared credential and review that list at least quarterly.
- Verify that every authorized user can retrieve the password and MFA code before the workflow goes live.
- Define rotation triggers: when a team member with vault access is deprovisioned, rotate the TOTP secret and password.
- Establish a backup access method (a secondary vault admin) so no single person is the sole keyholder.
- Test the deprovisioning process: confirm that removing vault access immediately prevents code retrieval.
- Log and review vault access events for shared credentials regularly.

## How Bitwarden supports shared account MFA

Shared MFA is only as secure as the platform managing it. Bitwarden Password Manager gives teams a single encrypted vault for shared credentials and TOTP code generation. The integrated authenticator functions as a team’s authenticator app, storing TOTP seeds directly in vault items so authorized users can generate codes without a separate app and without routing codes through personal devices or inboxes.

Role-based access and organizational collections give admins precise control. Grant or revoke credential access at the user or group level, deprovision a departing team member's access to shared logins and MFA codes in one step, and review vault event logs to see who accessed what and when.

> One vault. One access control model. One place to rotate secrets.

Bitwarden is a zero-knowledge encryption solution, meaning Bitwarden cannot read stored credentials or TOTP seeds. All encryption and decryption happen on the user's device. For teams evaluating business identity and access management options, Bitwarden supports the enterprise workflows that make shared account security practical at scale.

Ready to move shared MFA off personal devices and onto a controlled platform? Get started with a free trial of a Bitwarden [Teams or Enterprise plan](https://bitwarden.com/pt-br/pricing/business/).

## Tenha agora uma segurança de senhas poderosa e confiável. Escolha seu plano.

## Pessoal

### Acabou de começar?

*Obtenha o gerenciamento básico de senhas hoje mesmo. Sempre gratuito.*

[Criar conta gratuita](https://bitwarden.com/go/start-free/)

---

### Premium

**$1.65** *por mês*

*Cobrado anualmente por US$ 19,80*

Aproveite recursos premium

- Autenticador integrado
- Anexos de arquivos
- Acesso de emergência
- Bloqueador de phishing
- Relatórios de segurança e muito mais

Compartilhe itens do cofre com mais um usuário

[Criar conta Premium](https://bitwarden.com/go/start-premium/)

---

### Famílias

**$3.99** *por mês*

*Até 6 usuários, cobrado anualmente por US$ 47,88*

Proteja os logins da sua família

- 6 contas premium
- Compartilhamento ilimitado
- Coleções ilimitadas
- Armazenamento da organização

Compartilhe itens do cofre entre seis pessoas

[Iniciar teste gratuito do Families](https://bitwarden.com/go/start-families-trial/)

---

Preços exibidos em USD e baseados em uma assinatura anual. Impostos não incluídos.

## Empresas

### Teams

*Para equipes e empresas em crescimento que precisam avançar rapidamente.*

**$4** *por mês / por usuário, cobrado anualmente*

**Sem concessões**

Todos os recursos Premium, além de recursos avançados como:

- Compartilhe credenciais com segurança
- Audite atividades com logs de eventos
- Sincronize seu diretório existente
- Automatize o provisionamento com SCIM

[Iniciar teste gratuito](https://bitwarden.com/go/start-teams-trial/)

---

### Enterprise

*Para empresas que precisam de proteção e controle avançados.*

**$6** *por mês / por usuário, cobrado anualmente*

**Proteção máxima**

Todos os recursos Premium e Teams, além de recursos de nível empresarial como:

- Controle de acesso granular
- Integração com SSO sem senha
- Recuperação de conta fácil
- Flexibilidade para auto-hospedagem
- Remediação de riscos com o Access Intelligence [novo]
- Plano Families gratuito para todos os usuários

[Iniciar teste gratuito](https://bitwarden.com/go/start-enterprise-trial/)

---

### Fale com Vendas

*Para grandes organizações, fale com um especialista sobre um plano sob medida e saiba como a Bitwarden pode:*

*por mês*

- Reduzir riscos de cibersegurança
- Aumentar a produtividade
- Integrar-se perfeitamente

A Bitwarden se adapta a empresas de qualquer porte para levar segurança de senhas à sua organização

[Fale com Vendas](https://bitwarden.com/talk-to-sales)

---

Preços exibidos em USD e com base em uma assinatura anual. Impostos não incluídos.