It is common to use a root or master account when setting up an online or cloud-based service. Then, once set up, other admin user accounts are created for day-to-day management. The master account is left for specific high-privilege use or for emergencies only, such as resetting admins' passwords or changing billing details.
This master account is highly vulnerable, as it is often shared between several people and has the highest level of access. If it were compromised by a hacker, they could cause untold havoc in the system.
Best practice is to secure it with MFA, like any admin account. But this comes with its own challenge, as the account is shared. Who looks after the MFA device? What happens if the MFA device is not accessible when it's needed in an emergency?
The answer will vary depending on which MFA options your cloud service supports. We have seen several different solutions, from online MFA device simulators (really not secure!) to smartphones with an MFA app held in a fire safe.
Our recommended solutions are as follows:
1. Multiple MFA devices. Some online accounts, such as LastPass, allow multiple MFA devices to be associated with a single master account, so several admins can each gain secure master account access with their own device.
2. A hardware MFA key, such as the Security Key by Yubico. This can be kept in a safe and is better than a mobile phone MFA app, as there is no handset to maintain or phone number to pay for.
3. A dedicated phone line for incoming MFA calls or SMS messages. This needs to be accessible by multiple admin staff, or even divertible to different admin staff's phones as required.
It is also very important to fully document these master accounts, how their MFA is configured, and the recovery process to follow if everyone gets locked out or the master MFA device is lost.
If you have any queries about IT Security or MFA please get in touch. We will be happy to advise.