Omsätt insikter i handling: Bitwarden Access Intelligence är nu tillgängligt Läs mer >

Bitwarden-resurser

MFA for shared accounts

How to set up MFA for shared accounts

Individual accounts with personal multifactor authentication (MFA) are the gold standard, but real team workflows don't always make that possible. When shared logins are unavoidable, the security of those accounts comes down to two things: where MFA codes are stored and who controls access. The answer to both is the same: secure the password and the time-based one-time password (TOTP) seed together in a controlled, encrypted vault, instead of on personal phones, in email threads, or in chat.

How to set up MFA for shared accounts safely

Setting up MFA for shared accounts starts with one rule: the shared credential and its TOTP seed belong in one approved system, not scattered across personal devices or inboxes. Access is limited to authorized users, with a clear process for granting backup access, revoking access, and rotating secrets whenever team membership changes. This MFA configuration guide covers each of those steps in order.

Add the shared account login to a team vault

Store the shared username and password in a dedicated organizational vault. Assign access by role or collection so only the right users can retrieve the credential, and revoke it immediately when someone leaves or changes roles.

Save the TOTP secret or QR code in the same vault item

When configuring MFA on the shared account, save the TOTP secret or QR code directly into the vault item alongside the login. The Bitwarden integrated authenticator for shared vault items generates codes from within the vault, so no team member needs a separate authenticator app to log in.

Limit access and test the shared login flow

Before the workflow goes live, verify that every authorized user can retrieve both the password and the MFA code, and that unauthorized users cannot. Document who has access and set a regular review cadence to keep permissions current.

MFA methods for shared accounts: a practical comparison

Not all MFA methods perform equally well in team settings. The table below shows where each option breaks down and where vault-based TOTP is stored.

High admin control means admins can grant and revoke access to MFA codes at the user or role level without resetting the underlying account or touching the TOTP secret.

Why SMS and email MFA fail under team conditions

When a code arrives on one person's phone or in a shared inbox, the entire team depends on that person being available. One out-of-office, and the account is unreachable. A lost phone or a compromised inbox puts both access and security at risk simultaneously.

Why vault-based TOTP is more reliable for shared accounts

Storing MFA codes in a vault removes that dependency entirely. TOTP sharing through a vault lets authorized users generate codes directly, no forwarding, no waiting, no single point of failure.

When a team member leaves, access is revoked in the vault rather than triggering a full MFA reset on the account. Teams that need shared two-factor authentication (2FA) across multiple logins benefit from the same approach: a single vault handles credential storage, access control, and secret rotation in one place.

When a team member leaves, access to the vault is revoked instead of having to reset the account's MFA.

Access controls every shared MFA workflow needs

The controls that make shared MFA workable are the same ones that strengthen any shared credential workflow: auditability, least privilege, regular access reviews, and a fast deprovisioning process.

Least-privilege principles apply to shared MFA too. Not every user who needs the shared password also needs to manage the MFA configuration. Role-based vault access lets admins keep those permissions separate.

Consider a marketing team that shares an ad platform login. One employee set up MFA on their personal phone when the account was created. When that employee leaves, the team loses access to the MFA codes. Resetting MFA on an active ad account can lock out campaigns mid-flight.

With vault-based TOTP sharing, the TOTP seed lives in the organizational vault, not on a personal device. Deprovisioning that employee means removing their vault access, not scrambling to recover MFA codes or interrupt active work.

Deprovisioning an employee means removing vault access, not scrambling to recover MFA codes.

For a deeper look at structuring shared-credential workflows across teams, see "secure password sharing for organizations."

Shared vault MFA checklist

Use this checklist to audit or build a shared MFA workflow for teams.

  • Store all shared credentials and TOTP seeds in an approved organizational vault, not in personal authenticator apps, SMS, or chat.

  • Restrict vault access to authorized users via role-based permissions or collections.

  • Document who has access to each shared credential and review that list at least quarterly.

  • Verify that every authorized user can retrieve the password and MFA code before the workflow goes live.

  • Define rotation triggers: when a team member with vault access is deprovisioned, rotate the TOTP secret and password.

  • Establish a backup access method (a secondary vault admin) so no single person is the sole keyholder.

  • Test the deprovisioning process: confirm that removing vault access immediately prevents code retrieval.

  • Log and review vault access events for shared credentials regularly.

How Bitwarden supports shared account MFA

Shared MFA is only as secure as the platform managing it. Bitwarden Password Manager gives teams a single encrypted vault for shared credentials and TOTP code generation. The integrated authenticator functions as a team’s authenticator app, storing TOTP seeds directly in vault items so authorized users can generate codes without a separate app and without routing codes through personal devices or inboxes.

Role-based access and organizational collections give admins precise control. Grant or revoke credential access at the user or group level, deprovision a departing team member's access to shared logins and MFA codes in one step, and review vault event logs to see who accessed what and when.

One vault. One access control model. One place to rotate secrets.

Bitwarden is a zero-knowledge encryption solution, meaning Bitwarden cannot read stored credentials or TOTP seeds. All encryption and decryption happen on the user's device. For teams evaluating business identity and access management options, Bitwarden supports the enterprise workflows that make shared account security practical at scale.

Ready to move shared MFA off personal devices and onto a controlled platform? Get started with a free trial of a Bitwarden Teams or Enterprise plan.

Få kraftfull, pålitlig lösenordssäkerhet nu. Välj din plan.