Shared user accounts are often adopted when a business has several people who need access to the same resources on its network, for example in roles such as reception or maintenance. All of these employees share the same email address and use it to access shared files and applications. While this may seem practical, here are three reasons why businesses should avoid shared user accounts in a Microsoft 365 or Active Directory environment.
So why should this common practice be avoided?
Password sharing is risky. If the shared password is not already written on a sticky note, it is only a matter of time before it is. Often the password is sent around by email, typically when it has to be changed because an employee who had access leaves the company. Another risk is that, in practice, the password never changes: an employee who knew it and leaves still has it.
Shared user accounts blur accountability. As an employer or IT administrator, you may find that an unsavory email was sent from that account, that files were deleted, or that some other action taken by that account is called into question. With shared user accounts, you have no way of knowing who is responsible: anyone who has the password might have taken that action or been the source of a security breach. This cuts the other way as well. As the user of a shared account, you might be held responsible for the actions of someone else who has the password, and that is not necessarily limited to the people who are meant to have it.
Multi-factor authentication (MFA) is difficult with shared accounts. MFA is now considered a baseline best practice of modern IT security, and when an account is not tied to an individual, it is very difficult or even impossible to set up a second factor that every employee sharing the account can use reliably.
So, what do you do instead?
Start with a principle of identity security: every user account should be tied to an individual person, and only that person should ever log into that account or know its password.
For shared resources such as calendars and files, use tools that let you delegate access through permissions. Traditionally that is a shared resource calendar or shared files on your file server; most commonly today, it is Microsoft SharePoint.
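As an added example (not from the original article), this is what that delegation looks like for a shared inbox in Microsoft 365 using Exchange Online and Microsoft Graph PowerShell: a shared mailbox that nobody signs into, with each person granted rights under their own identity. The mailbox name, addresses and member list are placeholders.

```powershell
# Added example: replace a shared "reception" login with a shared mailbox
# that no one signs into directly. Each person gets delegated rights under
# their own account, so MFA stays per-user and actions stay attributable.
# Requires the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules.
# All names and addresses below are placeholders.

Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

$shared  = "reception@contoso.example"
$members = @("alice@contoso.example", "bob@contoso.example")

# 1. A shared mailbox is a resource, not a login; nobody is given its password.
New-Mailbox -Shared -Name "Reception" -DisplayName "Reception" -PrimarySmtpAddress $shared

# 2. Delegate access per individual. FullAccess opens the mailbox in Outlook,
#    SendAs lets mail go out as the shared address. Both are audited against
#    the delegate's own identity, not the shared mailbox.
foreach ($m in $members) {
    Add-MailboxPermission   -Identity $shared -User $m -AccessRights FullAccess -InheritanceType All -AutoMapping $true
    Add-RecipientPermission -Identity $shared -Trustee $m -AccessRights SendAs -Confirm:$false
    # The shared calendar is delegated the same way: editor rights, no password involved.
    Add-MailboxFolderPermission -Identity "${shared}:\Calendar" -User $m -AccessRights Editor
}

# 3. Block interactive sign-in on the account behind the shared mailbox so it
#    cannot quietly turn back into a shared login.
Update-MgUser -UserId $shared -AccountEnabled:$false

# 4. Verification and periodic audit: who holds rights on the mailbox, and is
#    the underlying account still disabled? Review this when someone leaves;
#    removing one person's rights never requires rotating a shared password.
Get-MailboxPermission -Identity $shared |
    Where-Object { $_.User -notlike "NT AUTHORITY\*" -and -not $_.IsInherited } |
    Select-Object User, AccessRights

Get-MgUser -UserId $shared -Property AccountEnabled | Select-Object AccountEnabled

# 5. Offboarding one delegate touches nobody else:
# Remove-MailboxPermission   -Identity $shared -User "bob@contoso.example" -AccessRights FullAccess -Confirm:$false
# Remove-RecipientPermission -Identity $shared -Trustee "bob@contoso.example" -AccessRights SendAs -Confirm:$false
```

In a live tenant the newly created mailbox can take a minute or two to propagate before the permission cmdlets succeed.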
Avoiding shared user accounts is a foundational IT security best practice. Steering clear of this common mistake lets your organization build on the principle of identity security and add further security controls on top of it.