How does your team handle shared vendor accounts and verification codes?
Posted by Wonderful-Dare1730@reddit | sysadmin | 20 comments
Curious how other teams deal with this. Every place I’ve worked eventually has the same problem: one person signs up for a vendor tool, the account/2FA/verification codes go to their personal work email, then they go on vacation or leave and nobody can get in.
Workarounds I’ve seen: shared Google account nobody wants to own, password manager with email forwarding rules, a distribution list that half the team ignores, or just “ask Steve, he set it up.”
What actually works for you? Is this a solved problem I’m missing, or does everyone just live with it?
Altusbc@reddit
OP has spammed other subs with similar questions in an attempt to do market research for a probable vibe coded slop app.
last10seconds00@reddit
I really need to start reading profiles prior to adding my two cents.
OneSeaworthiness7768@reddit
Honestly, it doesn’t even require reading the profile. These posts are almost always worded the same way. They’re all likely written with AI (even when they try to make it less obvious) and use similar phrases like “what actually works for you”, “trying to see if this is a solved problem”, “wondering how teams are actually handling this.” Once you start noticing these every day, their phrasing is very easy to pick up on.
simonjakeevan@reddit
Every time I hear "vibe coded" it makes me feel like an old grouchy man yelling at kids to get off his lawn. Like GTFO with this vibe coded bs.
BloodFeastMan@reddit
I'm not a "developer" per se, but I have been writing small utils since the late '80s, and I have to say, I just wouldn't trust anything that I can't audit. These "vibe" coders, most of them have no idea what they're looking at, or what to fix when it pukes on the first device other than their own that it runs on.
BloodFeastMan@reddit
Good catch, notice they're also active on r/vibecodedevs
OneSeaworthiness7768@reddit
OP is developing a SaaS product. No surprise.
KandevDev@reddit
1Password (or Bitwarden) shared vault tied to a generic distribution group email like "vendor-accounts@company". The email is monitored by a small team alias, and the 2FA lives in the shared vault using 1Password TOTP. Nobody's personal email or device is the single point of failure. Cost is one extra seat for the shared vault.
The secondary discipline: when an employee sets up a new vendor account they MUST use the shared email, not their personal one. This is only enforced if you make it a policy with an explicit consequence (deactivating accounts owned by the person leaves you locked out, which is on them). People resist until they have been bitten once by an old coworker's locked account.
Demented_CEO@reddit
1Password with shared vaults...
DisplayAlternative36@reddit
This is the right way. A shared mailbox makes it so you always have the historical emails and access to do password resets without having to do anything annoying like giving access to a departed user's email, and a password vault makes sure it's easy for day-to-day activities to let shared administrators get in and do what needs done.
If you don't have that, eventually you're going to get locked out of something. Oh and don't forget to include MFA recovery codes in the secrets along with other account information that may be required for resets.
Also making sure company wide there is a password management tool that departments can access and educating them on good practices saves a lot of headaches.
last10seconds00@reddit
We do this plus use yubikeys for easy handoffs
shiranugahotoke@reddit
It supports SSO and it gets set up, or it goes in the fuckin trash
QuietBookkeeper4712@reddit
Bitwarden collections
anmghstnet@reddit
This is what I use, it's great!
GallowWho@reddit
Everyone should have their own vendor account.
FinsToTheLeftTO@reddit
I’ve got vendors where they don’t even allow the admin to be an unlicensed user (looking at you ClickUp!)
bitslammer@reddit
True, but not all vendors provide that.
PsychologicalAioli45@reddit
We use a simple shared mailbox vendor@mycompany.com for all of those accounts. All IT has access. There are obviously better methods but this works decently for a small company.
sryan2k1@reddit
Obviously everyone should have their own account but I understand that not all vendors/situations allow that.
Our password manager supports TOTP, so the secrets are loaded into that and available/logged like any other secret.
We also have a shared SMS enabled number our team uses in Teams to get stuff that can only be done via SMS.
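One way to turn the discipline described in KandevDev's, DisplayAlternative36's and sryan2k1's comments above into a check, as an added example that is not code from any commenter, vendor or password manager: a script that audits a shared-vault export for vendor entries registered to a personal address, missing a TOTP seed, or missing recovery codes, and that derives the current code from the stored seed the way a password manager's TOTP field does (RFC 6238, HMAC-SHA1). The export shape, field names, entry data and the `vendor-accounts@example.com` alias are constructed assumptions, loosely modelled on a Bitwarden-style JSON export.

```python
"""Audit a shared password-vault export for vendor accounts that would lock a team out.

Added example for this thread; not code from any commenter or vendor.
The export shape and field names are a constructed stand-in (loosely modelled on
a Bitwarden-style JSON export) and are assumptions, as is the shared alias.
"""
import base64
import hashlib
import hmac
import json
import struct
import time
from typing import Optional

# Assumed shared alias that every vendor account is supposed to be registered under.
SHARED_ALIAS = "vendor-accounts@example.com"

# Constructed vault export: entries showing the kinds of gaps the thread describes.
VAULT_EXPORT = json.dumps({
    "items": [
        {   # registered to the alias, TOTP seed and recovery codes stored: the good case
            "name": "Acme Billing",
            "login": {"username": SHARED_ALIAS, "totp": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
            "notes": "Recovery codes: 1234-5678 2345-6789",
        },
        {   # registered to one person, no recovery codes: the "ask Steve" account
            "name": "ClickUp",
            "login": {"username": "steve@example.com", "totp": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
            "notes": "",
        },
        {   # right owner, but the TOTP seed is not in the vault (it lives on someone's phone)
            "name": "DNS Registrar",
            "login": {"username": SHARED_ALIAS, "totp": None},
            "notes": "recovery codes: 1111-2222",
        },
        {   # seed stored, but mistyped so it cannot be decoded
            "name": "CDN Console",
            "login": {"username": SHARED_ALIAS, "totp": "NOT-BASE32!"},
            "notes": "Recovery codes: 9999-0000",
        },
    ]
})


def totp(secret_b32: str, for_time: Optional[float] = None, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) from the base32 seed a vault stores; raises ValueError on a bad seed."""
    seed = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(seed + "=" * (-len(seed) % 8), casefold=True)
    counter = int((time.time() if for_time is None else for_time) // period)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def audit(export_json: str, shared_alias: str) -> dict:
    """Return {entry name: [issues]} for every entry that is a lockout risk."""
    findings = {}
    for item in json.loads(export_json)["items"]:
        issues = []
        login = item.get("login") or {}
        if (login.get("username") or "").lower() != shared_alias.lower():
            issues.append("owner_not_shared_alias")
        seed = login.get("totp")
        if not seed:
            issues.append("no_totp_seed_in_vault")
        else:
            try:
                totp(seed)                           # proves the seed decodes and yields a code
            except ValueError:                       # base32 decode failure: seed was stored wrong
                issues.append("totp_seed_undecodable")
        if "recovery code" not in (item.get("notes") or "").lower():
            issues.append("no_recovery_codes")
        if issues:
            findings[item["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(VAULT_EXPORT, SHARED_ALIAS).items():
        print(f"{name}: {', '.join(issues)}")
```

Run as a script it reports ClickUp, DNS Registrar and CDN Console and stays silent on the entry that is set up the way the comments recommend. The `totp` function is the same computation a password manager's TOTP field performs, so it also lets you confirm that a seed in the vault is the live one (compare its output with the code your authenticator shows) before the only person with the phone leaves.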
MisterIT@reddit
I’ve seen some of our more put together vendors with a virtual android OS they can all access from a VM environment for customer “generic account MFA”. Some even have treated it as a selling point for their services.