2-Factor Authentication on a Shared Login (How To)
2-Factor (or Multi-Factor) Authentication (MFA) is a must for many applications. But if you’re sharing a login with someone, there isn’t an easy way to properly secure your account. We have had this problem at FMTC, but I recently installed this solution:
Let’s say we have firstname.lastname@example.org set up as an email group / mailing list for all of your programmers. And you have an account somewhere where email@example.com is the email address on file.
What You’ll Need
- A tool / service to securely share the password. We use LastPass.
- Somewhere all of your programmers (or the individuals on this list) can access. In this example, it’s a Slack channel. As long as there’s a Zapier Action for this service, you’ll be OK.
- Twilio, to catch the text message and do something with it.
- Zapier, to glue it all together.
First, create a new Zap in Zapier. The Trigger is Catching a Webhook and the Action is going to be sending a Channel Message on Slack. When you create your Webhook Trigger, copy the URL of your hook (https://hooks.zapier.com/hooks/catch/#######/xxxxxx/).
Now head over to Twilio and buy a phone number. It’s $1 / month. Configure the number so that when a message comes in, it posts to the webhook given by Zapier.
Go back to Zapier and continue. The next screen asks “Pick off a Child Key” – leave this blank and continue again. Now, Zapier is waiting for the hook to be triggered so send a text message to your Twilio number (just use your phone – send a “test” message). Zapier will see the message and you can continue.
Your action is up to you, but I’m sending the code to a Slack channel. Once you connect your Slack account, choose the channel and fill in the form.
- Send as bot: yes
- Bot Name: Twilio
- Bot Icon URL: I used this one
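The Zapier Catch Hook accepts any POST sent to its URL, so in the flow above that URL is effectively a shared secret: whoever learns it can inject a fake "code" into the channel. The following is an added example (not the author’s setup, which uses Zapier rather than custom code) of what a self-hosted webhook receiver would do with the same Twilio message: verify the X-Twilio-Signature header using Twilio’s documented scheme (HMAC-SHA1 over the webhook URL plus the sorted POST parameters, keyed with the account auth token, base64-encoded), pull the numeric code out of the SMS body, and build the text that would be posted to Slack. The auth token, webhook URL, phone numbers and message body are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import parse_qsl

# Constructed placeholders: in a real deployment these are the Twilio account
# auth token and the exact URL configured on the Twilio number.
AUTH_TOKEN = "constructed-demo-auth-token"
WEBHOOK_URL = "https://example.invalid/hooks/catch/PLACEHOLDER/PLACEHOLDER/"

# Constructed Twilio-style form body (application/x-www-form-urlencoded).
SAMPLE_BODY = "From=%2B15555550100&To=%2B15555550123&Body=Your+verification+code+is+482913"

# One-time codes are usually 4 to 8 digits standing alone in the text.
CODE_RE = re.compile(r"\b(\d{4,8})\b")


def twilio_signature(url: str, params: dict, auth_token: str) -> str:
    """Compute the X-Twilio-Signature value for a webhook request.

    Twilio's scheme: full URL, followed by every POST parameter sorted by key
    and appended as key+value, HMAC-SHA1 with the auth token, base64 digest.
    """
    payload = url + "".join(k + params[k] for k in sorted(params))
    digest = hmac.new(auth_token.encode(), payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_signature(url: str, params: dict, header_value: str, auth_token: str) -> bool:
    """Constant-time comparison of the expected signature against the header."""
    expected = twilio_signature(url, params, auth_token)
    return hmac.compare_digest(expected, header_value)


def extract_code(sms_text: str) -> Optional[str]:
    """Return the first 4-8 digit token in the SMS body, or None."""
    match = CODE_RE.search(sms_text)
    return match.group(1) if match else None


def handle_webhook(url: str, raw_body: str, signature_header: str,
                   auth_token: str) -> Optional[str]:
    """Process one inbound-SMS webhook.

    Returns the channel message to post, or None when the request is not
    authentic or the SMS carries no recognisable code. Rejecting unsigned or
    tampered requests is what keeps a forged code out of the shared channel.
    """
    params = dict(parse_qsl(raw_body, keep_blank_values=True))
    if not verify_signature(url, params, signature_header, auth_token):
        return None
    code = extract_code(params.get("Body", ""))
    if code is None:
        return None
    return f"2FA code from {params.get('From', '?')}: {code}"


if __name__ == "__main__":
    # Simulate Twilio signing the constructed request, then a tampered copy.
    params = dict(parse_qsl(SAMPLE_BODY, keep_blank_values=True))
    sig = twilio_signature(WEBHOOK_URL, params, AUTH_TOKEN)
    print(handle_webhook(WEBHOOK_URL, SAMPLE_BODY, sig, AUTH_TOKEN))
    print(handle_webhook(WEBHOOK_URL, SAMPLE_BODY.replace("482913", "000000"), sig, AUTH_TOKEN))
```

The URL used in the signature must be the one Twilio actually requested, scheme and query string included; a receiver behind a proxy that rewrites the URL will see every legitimate request fail verification, which is a common reason people disable the check. Keep it on and fix the URL instead.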
To visualize the final flow of this process:
While this set-up is not as secure as the SMS message going to a phone, if you’re sharing logins then sending the 2-factor code to a Slack channel is better than not having the second authentication measure at all.
Make sure your Slack team is secured before implementing this method. FMTC also has our Slack team locked such that only someone with an FMTC email can join.
If possible, instead of sharing logins, set up sub accounts. And whatever you do, don’t share passwords by sending the actual password to someone else. Invest in LastPass.
Why Didn’t I Use The Twilio Zapier Trigger?
Simple: it didn’t work for me. I’d only receive my message after the next message came in. Webhooks worked, so that’s what I went with.