Best way for > 1 person to access a mailbox with Google Workspace
January 23, 2024 5:19 PM Subscribe
I'm volunteering with an org that has Google Workspace for non-profits.
There is generic mailbox (info@xxxx) where more than one person needs access to read mail sent to it and send mail from that address.
We have already been burned by an older set up where we just had a Gmail account, and the creator set up 2FA with their Android phone, and then couldn't be easily found when another person wanted to log in.
Delegation is a problem because not everyone who needs access to this mail has a personal Gmail account. Also our experience is delegation is flaky.
Our Workspace account provides for 5 users, so we're keen to minimise the number of accounts we hand out.
What are our best options for sharing access to the info@xxxx mail that aren't just "give folks the password and don't worry about 2FA for logins and changes"?
We have already been burned by an older set up where we just had a Gmail account, and the creator set up 2FA with their Android phone, and then couldn't be easily found when another person wanted to log in.
Delegation is a problem because not everyone who needs access to this mail has a personal Gmail account. Also our experience is delegation is flaky.
Our Workspace account provides for 5 users, so we're keen to minimise the number of accounts we hand out.
What are our best options for sharing access to the info@xxxx mail that aren't just "give folks the password and don't worry about 2FA for logins and changes"?
Have you looked at the collaborative inbox option? Every user will need a Google account (but not necessarily a Gmail account).
Otherwise, turning off 2FA and sharing a password is certainly the easiest solution. If you use a strong password and don't have sophisticated enemies trying to break into your email, this is really not a bad solution. Presumably someone manages the Workspace account and can help resetting the password if needed.
posted by ssg at 9:05 PM on January 23 [4 favorites]
Otherwise, turning off 2FA and sharing a password is certainly the easiest solution. If you use a strong password and don't have sophisticated enemies trying to break into your email, this is really not a bad solution. Presumably someone manages the Workspace account and can help resetting the password if needed.
posted by ssg at 9:05 PM on January 23 [4 favorites]
Use a desktop client such as Outlook or Thunderbird. Login on everyone's PC to the same account. Only need 2FA once.
posted by JohnnyGunn at 9:06 PM on January 23
posted by JohnnyGunn at 9:06 PM on January 23
You want Groups. Set them up at https://admin.google.com/ac/groups and add whoever you want to receive the emails. Then set the access so that members can view conversations and anyone can post. The members don't even need to be part of your Workspace.
Members can control whether messages are sent to them or if they have to check the 'group inbox' and can even be set up to send from the group's email address.
posted by gible at 9:08 PM on January 23 [3 favorites]
Members can control whether messages are sent to them or if they have to check the 'group inbox' and can even be set up to send from the group's email address.
posted by gible at 9:08 PM on January 23 [3 favorites]
Response by poster: Just to be clear, when I say "volunteer org" I mean barebones loose collective. Folks are using their own computers. They all have Google accounts, but not necessarily GMail addresses.
posted by i_am_joe's_spleen at 9:24 PM on January 23
posted by i_am_joe's_spleen at 9:24 PM on January 23
2FA for gmail can be done with google authenticator or a similar app, so in theory more than one person should be able to use the account without losing 2FA protections.
posted by inexorably_forward at 1:29 AM on January 24
posted by inexorably_forward at 1:29 AM on January 24
This page has instructions for shared two-factor authentication for an email account in Google Workspace.
I can't vouch for that because I haven't tried it and can't say for certain if it is a good idea. However I can say that it is perfectly possible to set up two or more gmail accounts that you use for different purposes. I have 2 or 3 set up on my phone, 2 or 3 I use via the web interface (you can use all of them at once just by switching from window to window), and most email apps like Thunderbird will allow for multiple email accounts.
Point is, people still keep their personal accounts however they like - this is a new, shared, email account they can all install and check regularly.
Also (probably a better setup, though a bit more complex) you can set up gmail/Workplaces to delegate certain people to have access to an account. They have permission to go in and do certain things like read and reply to messages.
And you can set up an actual Collaborative Inbox under Google Groups, as gible mentioned above.
This page has links and instructions for both of those techniques - delegating and Collaborative Inbox.
I haven't personally done either of these, either, but they sound like they would work well and would be a higher-recommended approach than simply sharing a single account for several reasons.
Working for a small nonprofit you never think you're going to have to deal with sensitive information, an employee setting out to destroy vital information or otherwise undermine the company, or anything of that type.
But I can tell you, these small organizations are were people can get really made and do really mean things to each other, often without much warning. So just for example, if the login is shared then one person could delete the account, take full control of it, or do a bunch of other things that might harm the organization.
But if you have the delegation or Collaborative Inbox approach, each person has more appropriate permissions. They can do what they need to but they can't "take over" or lock others out. When they leave the organization you can just remove their access and everyone else proceeds as normal.
In short, better and smarter approaches though a bit of a pain to set up initially.
posted by flug at 3:00 AM on January 24 [3 favorites]
I can't vouch for that because I haven't tried it and can't say for certain if it is a good idea. However I can say that it is perfectly possible to set up two or more gmail accounts that you use for different purposes. I have 2 or 3 set up on my phone, 2 or 3 I use via the web interface (you can use all of them at once just by switching from window to window), and most email apps like Thunderbird will allow for multiple email accounts.
Point is, people still keep their personal accounts however they like - this is a new, shared, email account they can all install and check regularly.
Also (probably a better setup, though a bit more complex) you can set up gmail/Workplaces to delegate certain people to have access to an account. They have permission to go in and do certain things like read and reply to messages.
And you can set up an actual Collaborative Inbox under Google Groups, as gible mentioned above.
This page has links and instructions for both of those techniques - delegating and Collaborative Inbox.
I haven't personally done either of these, either, but they sound like they would work well and would be a higher-recommended approach than simply sharing a single account for several reasons.
Working for a small nonprofit you never think you're going to have to deal with sensitive information, an employee setting out to destroy vital information or otherwise undermine the company, or anything of that type.
But I can tell you, these small organizations are were people can get really made and do really mean things to each other, often without much warning. So just for example, if the login is shared then one person could delete the account, take full control of it, or do a bunch of other things that might harm the organization.
But if you have the delegation or Collaborative Inbox approach, each person has more appropriate permissions. They can do what they need to but they can't "take over" or lock others out. When they leave the organization you can just remove their access and everyone else proceeds as normal.
In short, better and smarter approaches though a bit of a pain to set up initially.
posted by flug at 3:00 AM on January 24 [3 favorites]
The shared account approach really doesn't scale beyond the smallest setups. Even just keeping track of who has access is a pain, and removing access from someone who moved on becomes a whole thing of password resets and coordination. Not using 2FA is a bad idea to begin with, you'll have a hard time keeping someone from enabling it, and Google may still prompt for additional info if it finds anything potentially suspicious about a login, while getting everyone setup to use google authenticator on their own phones sounds darn annoying unless you all have a shared password manager already. And the worst-case scenario is someone gets hostile and starts sending out nasty emails and you have no idea who they are because everyone is sharing one login, tries to lock others out of the account, or otherwise does something nasty, and you have a mess on your hands.
This is really what delegation/shared inboxes is for, or possibly groups as mentioned above. If people don't have a personal gmail address, it's free, so they can just create one solely for this purpose. What flakiness have you experienced with it in the past?
If you're a legally recognized non-profit, you can get more than 5 accounts for free through Google for Nonprofits, but I recognize your barebones loose collective might not be that.
Another approach might be to look at helpdesk/customer service/shared inbox systems. This may be overkill if you don't get a lot of mail, but it's how larger orgs often handle these kinds of communications, and there are some options that provide free plans of varying capabilities. I'd look at the free plans from Freshdesk, HubSpot Service Hub, or Zoho Desk (if I'm reading this right, HubSpot seems to maybe allow for unlimited users sharing one inbox on their free plan, which seems ideal). Getting this setup would be more work to configure the software and forward email into it, but if the volume of messages warrants it or you have someone who's used to setting this kind of stuff up, it would get you on a platform intended to manage inbound communications, with features like assigning conversations to people and keeping track of what's resolved and what's still pending.
posted by zachlipton at 3:11 AM on January 24
This is really what delegation/shared inboxes is for, or possibly groups as mentioned above. If people don't have a personal gmail address, it's free, so they can just create one solely for this purpose. What flakiness have you experienced with it in the past?
If you're a legally recognized non-profit, you can get more than 5 accounts for free through Google for Nonprofits, but I recognize your barebones loose collective might not be that.
Another approach might be to look at helpdesk/customer service/shared inbox systems. This may be overkill if you don't get a lot of mail, but it's how larger orgs often handle these kinds of communications, and there are some options that provide free plans of varying capabilities. I'd look at the free plans from Freshdesk, HubSpot Service Hub, or Zoho Desk (if I'm reading this right, HubSpot seems to maybe allow for unlimited users sharing one inbox on their free plan, which seems ideal). Getting this setup would be more work to configure the software and forward email into it, but if the volume of messages warrants it or you have someone who's used to setting this kind of stuff up, it would get you on a platform intended to manage inbound communications, with features like assigning conversations to people and keeping track of what's resolved and what's still pending.
posted by zachlipton at 3:11 AM on January 24
We use the alias/group thing for this sort of situation. We have the paid version of G Suite and it took me for freaking ever to find a guide for it but it works by sending emails to a certain address to emails listed in group. So info@org goes to Anne, Ben, Chaz and Derrick. No need to login or share admin credentials.
posted by fiercekitten at 8:19 AM on January 24 [2 favorites]
posted by fiercekitten at 8:19 AM on January 24 [2 favorites]
We have already been burned by an older set up where we just had a Gmail account, and the creator set up 2FA with their Android phone, and then couldn't be easily found when another person wanted to log in.
... and then refused to shut off 2FA or add a 2FA backup number or different account recovery number?
Any scheme is going to be vulnerable to sabotage by whoever sets it up, so unless you can trust the person who holds the keys I don't think anything is going to work for you.
posted by Tell Me No Lies at 9:11 AM on January 24
... and then refused to shut off 2FA or add a 2FA backup number or different account recovery number?
Any scheme is going to be vulnerable to sabotage by whoever sets it up, so unless you can trust the person who holds the keys I don't think anything is going to work for you.
posted by Tell Me No Lies at 9:11 AM on January 24
Turning off 2FA and sharing a password is certainly the easiest solution
As a sysadmin, please do not do this. Dig into the mailbox settings to enable multiple personnel.
posted by Abehammerb Lincoln at 2:30 PM on January 24
As a sysadmin, please do not do this. Dig into the mailbox settings to enable multiple personnel.
posted by Abehammerb Lincoln at 2:30 PM on January 24
You are not logged in, either login or create an account to post comments
Another way, though you've got 'info' as a real account, is to make an alias/group in google workspace for the email 'info' at your domain, then the group repeats any mail to 'info at your domain' to all in the group. In Gmail, you can set up a 'reply as' account, so you can then 'reply' as info...I recall that being an pull down menu or something. In this case, there is no main live 'info' mailbox, any mail sent with the address 'info' gets rerouted to the group members' address, all of them. This saves $ since you can set up any number of aliases then assign group members with live mailboxes to receive messages whichever ones they want to get. 'info', 'sales' and so forth.
'
There may be more ways to do this, that's what comes to mind.
posted by diode at 9:02 PM on January 23