2-Factor Authentication on a Shared Login (How To)

2-Factor (or Multi-Factor) Authentication (MFA) is a must for many applications. But if you’re sharing a login with someone, there isn’t an easy way to properly secure your account. We have had this problem at FMTC, but I recently installed this solution:

Let’s say programmers@techcompany.com is set up as an email group / mailing list for all of your programmers, and you have an account somewhere with programmers@techcompany.com as the email address on file.

What You’ll Need

  1. A tool / service to securely share the password. We use LastPass.
  2. A place that all of your programmers (or the individuals on this list) can access. In this example, it’s a Slack channel. As long as there’s a Zapier Action for this service, you’ll be OK.
  3. Twilio, to catch the text message and do something with it.
  4. Zapier, to glue it all together.

Step-by-Step Instructions

First, create a new Zap in Zapier. The Trigger is Catching a Webhook and the Action is going to be sending a Channel Message on Slack. When you create your Webhook Trigger, copy the URL of your hook (https://hooks.zapier.com/hooks/catch/#######/xxxxxx/).

Now head over to Twilio and buy a phone number. It’s $1 / month. Configure the number so that when a message comes in, it posts to the webhook given by Zapier.

Go back to Zapier and continue. The next screen asks “Pick off a Child Key” – leave this blank and continue again. Now, Zapier is waiting for the hook to be triggered so send a text message to your Twilio number (just use your phone – send a “test” message). Zapier will see the message and you can continue.

Your action is up to you, but I’m sending the code to a Slack channel. Once you connect your Slack account, choose the channel and fill in the form.
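The glue step above, written out as an added example (not part of the original post, and not Zapier's or Twilio's own code): a small Python function that could stand in for the Zapier hook. It assumes Twilio's standard inbound-SMS form fields (From, To, Body) and checks the X-Twilio-Signature header before building the Slack message; the token, URL and phone numbers are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl


def twilio_signature(auth_token, url, params):
    """Value Twilio puts in X-Twilio-Signature: base64(HMAC-SHA1) over the
    webhook URL followed by every POST field name+value, sorted by name."""
    data = url + "".join(name + params[name] for name in sorted(params))
    mac = hmac.new(auth_token.encode(), data.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def relay_sms(auth_token, url, raw_body, signature, shared_number):
    """Return the Slack message payload for a genuine SMS, else None."""
    params = dict(parse_qsl(raw_body, keep_blank_values=True))
    expected = twilio_signature(auth_token, url, params)
    # Constant-time compare; reject unsigned or tampered posts.
    if not hmac.compare_digest(expected.encode(), (signature or "").encode()):
        return None
    # Only relay texts addressed to the number registered for the shared login.
    if params.get("To") != shared_number:
        return None
    sender = params.get("From", "unknown")
    return {"text": f"SMS to {shared_number} from {sender}: {params.get('Body', '')}"}


if __name__ == "__main__":
    # Constructed sample values, not real credentials or numbers.
    token, url = "constructed-auth-token", "https://relay.example.com/sms"
    body = "To=%2B15550199&From=%2B15550100&Body=Your+code+is+482913"
    sig = twilio_signature(token, url, dict(parse_qsl(body)))
    print(relay_sms(token, url, body, sig, "+15550199"))
    print(relay_sms(token, url, body.replace("482913", "000000"), sig, "+15550199"))
```

The returned dictionary is the JSON body a Slack incoming webhook accepts; a `None` result means the post should be dropped rather than shown in the channel.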

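The final flow of this process: the service sends the SMS to your Twilio number, Twilio posts the message to the Zapier webhook, and Zapier sends it to the Slack channel.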

Security Notes

While this set-up is not as secure as the SMS message going to a phone, if you’re sharing logins then sending the 2-factor code to a Twitter channel is better than not having the second authentication measure at all.

Make sure your Slack team is secured before implementing this method. FMTC also has our Slack team locked such that only someone with an FMTC email can join.

If possible, instead of sharing logins, set up sub accounts. And whatever you do, don’t share passwords by sending the actual password to someone else. Invest in LastPass.

Why Didn’t I Use The Twilio Zapier Trigger?

Simple: it didn’t work for me. I’d only receive my message after the next message came in. Webhooks worked, so that’s what I went with.

  • Chris
    Posted May 28, 2019 3:39 am

    Hi Eric,

    Does this method still work for you? I have set it up, and it works when I send the test message to myself.

    But when I try to use the number on a service I am enabling 2FA for, the message never arrives.

    Any idea why?

    • Eric Nagel
      Posted May 28, 2019 7:04 am

      Hi Chris,

      We were experiencing this same problem with some services but couldn’t pinpoint why. It wasn’t a big enough problem to troubleshoot but I’d look at Twilio and see if the message even arrives there. I’m guessing something is stopping the message from even reaching Twilio, but that’s just a guess.

  • Huy Pham
    Posted September 4, 2019 2:38 pm

    The problem with this solution is that Microsoft and other enterprise MFA providers only send SMS messages to mobile carrier numbers as a security measure. Twilio and similar services won’t work because it’s a land line number (we assume). We’ve been trying to work out a solution for shared accounts with MFA but have not been successful.

    • Eric Nagel
      Posted September 4, 2019 2:45 pm

      Yeah, I’ve noticed more and more providers are somehow getting around this. Some still work, but not all of them. I didn’t know why, but I like your reasoning – that could be it! Thanks for the comment 🙂
