Shared Accounts is a method of using corporate resources and services for multiple users by having each of them authenticate with a single set of credentials. Shared accounts can be linked to role-based emails, servers, cloud platforms, services or databases.

A security downside to using shared accounts across multiple users is that they lack the visibility, certainty, and accuracy about a particular session that singularly-owned accounts do. This contradicts the main reason for authentication, which is the answer to the question, Am I Who I Say I Am? when access is requested. Shared accounts also use Single Factor Authentication (SFA) since hard and soft tokens cannot be managed among groups of user.

Going further, if in a shared account the credentials are deliberately or inadvertently shared with users outside of the known circle, the problem is amplified. The account log provides no visibility into this more serious failure to properly attribute a session.

Some services like email, for example, provide no alternative than to rely on the use of just one pair of credentials. They are designed to be tied to just one person so there is no other option than to use a shared account practice.


“Shared accounts such as role-based emails, for example ‘hello at x dot com’, are notorious for SFA-associated security risks. Not only do many other unauthorized users hold these credentials, but without these credentials more tightly tied to a user through hard or soft token MFA, it’s just a wild west of risk and opacity for the enterprise that owns the underlying service .”