HACKER Q&A
📣 obventio56

How does your team share OTPs?


Previously I assumed that for most platforms sharing accounts (and OTPs) was some sort of TOS violation and wouldn't take place in a corporate setting. I have since become aware that sharing OTPs within a company or team is fairly commonplace, and sometimes involves very creative solutions. Does this happen at your company/team, and what solutions do you use?


  👤 emteycz Accepted Answer ✓
I assumed this is implemented by people that don't know better. Why would you want to promote this instead of a normal multi-user solution?

👤 obventio56
To kick off my own post, solutions I've seen include:

- Using a Google Voice phone number to receive codes and forward them to an email list.

- Using a texting SaaS to receive codes (the SaaS, of course, can't require 2FA itself, otherwise you're in a pickle)

- DMing the account owner on Slack

- Saving the TOTP key in a password manager

Most of these solutions seem to defeat the purpose of 2FA in the first place.


👤 bradknowles
We don’t. We do use secure password vault solutions for passwords themselves, which includes auto-rotation after a short period of time that you check the password out, as well as normal auto-rotation on a regular schedule.

But we don’t share any OTPs.