2FA best practice for shared Gmail account
February 28, 2024 12:45 PM
A group I'm in has an infrequently-used shared Gmail account. Currently 2FA is turned on and tied to a single person's phone number, but we need more than 1 person to be able to log in from time to time. What's the best way to handle this? Turn off 2FA and choose a super-long password? Share a TOTP seed so everyone gets the same code? We aren't going to pay for any solutions that cost money.
Sharing the TOTP seed may be your best bet.
If you're willing to pay a little ($10 USD per year for a personal account, $40 for a family account), BitWarden can do this.
posted by Meldanthral at 12:55 PM on February 28
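What sharing a TOTP seed means in practice, as an added example that is not part of the thread: a minimal RFC 6238 generator and server-side check in Python. The seed is the RFC's published test key, and the member names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

# Published RFC 6238 test key ("12345678901234567890" in base32), not a real secret.
SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the scheme authenticator apps use."""
    # Seeds are usually displayed as base32, often lowercase, spaced and unpadded.
    cleaned = seed_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", unix_time // step)  # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(seed_b32: str, code: str, unix_time: int,
           step: int = 30, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current time step plus or minus drift."""
    return any(
        hmac.compare_digest(totp(seed_b32, unix_time + d * step, step), code)
        for d in range(-drift_steps, drift_steps + 1)
    )


if __name__ == "__main__":
    now = 1111111109  # fixed timestamp from the RFC test vectors
    # Hypothetical group members who each imported the same seed.
    alice_code = totp(SEED, now)
    bob_code = totp(SEED, now)
    print("alice:", alice_code, "bob:", bob_code)
    # The codes are identical, so the verifier cannot tell who logged in.
    print("accepted:", verify(SEED, bob_code, now))
```

Because the code depends only on the seed and the clock, any copy of the seed keeps working until the seed itself is replaced, so removing one person means rotating it and re-enrolling everyone else.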
You can set up delegate account access. I have this set up on a couple of shared accounts and it works well.
posted by merriment at 1:06 PM on February 28
The correct answer is to set up delegate account access as above; that'll let people log in and authenticate with their personal Google accounts.
posted by sagc at 1:07 PM on February 28
As other people have noted, set up the delegate access. In my experience, Google tends to interpret the sort of activity that inevitably results from sharing access to a single Google account between multiple users as suspicious and may start pestering for verification, impose security features, or lock the account.
posted by pullayup at 1:26 PM on February 28
Since you've already got this address, it may be too late, but I'd solve this by creating a Google Group and using its address. You can set them up so that people with the right privileges can send e-mail from the group address, and so that you can receive unmoderated e-mail from outside the group.
posted by adamrice at 1:40 PM on February 28
Thanks. I'm not sure Gmail delegates will work; one scenario we need to be prepared for is if someone retires from the group, other people need to be able to log into the Google account to manage everything - for instance, managing the documents in Google Drive that belong not to an individual but to the group. So unless delegates give you control over things like that, I think we will have to share the TOTP.
posted by Tehhund at 1:55 PM on February 28
You can also set up passkeys, and just have each person create their own. You can name said passkeys, so if someone leaves the group you can revoke that one individually without having to change anything for everyone else.
See also https://passkeys.dev/device-support/
posted by tiamat at 1:56 PM on February 28
posted by peanut_mcgillicuty at 12:54 PM on February 28