I'm looking for team password managers that can handle multi-factor authentication (MFA) credentials in a secure way, where users can't access the actual MFA secrets. My concern is that traditional password managers give users full access to passwords, which can lead to issues if people save them elsewhere. Having a shared MFA mechanism implemented via an online API would be ideal because it would eliminate the need to reset access when team members change or leave. I'm leaning towards a local password manager like Bitwarden instead of cloud options like Zoho, but still want the MFA feature to behave similarly to a cloud service. As a backup plan, I've considered using a shared mailbox that forwards SMS codes via a VoIP number instead.
4 Answers
Yes, you’re spot on. Most password managers give unnecessary access to users, making it tough to maintain security when team dynamics shift. I work with Securden, where we’ve implemented a system that keeps MFA credentials stored securely, allowing access without exposing secrets to everyone. Our on-prem solution avoids cloud issues and helps maintain tight access control, making it easier to manage changes without resets. Happy to dive deeper if you’re interested in that! You can check our Password Vault out here: [Securden Password Manager](https://www.securden.com/password-manager/index.html)
Bitwarden totally fits your needs! It’s a great option for local password management, and you can manage MFA credentials in a way that users can access them securely without exposing sensitive information.
1Password is another solid choice for what you need, especially if security is your top priority!
If you're looking to share 2FA access without exposing secrets, you might want to check out Daito. They specialize in sharing 2FA access with individuals or teams and also allow you to set up shared SMS inboxes and forward codes to other apps. Just a heads-up, it might be a bit pricey, but it might be worth it for your use case.
Daito looks impressive, but the cost is surprisingly high! If you can limit usage to a small admin team instead of every user, that might keep costs manageable. It's a smart way to tackle the 2FA issue separately from your password management tool.
That’s interesting! I can see how this would be beneficial for larger companies, but it seems like the Windows Server deployment might limit its appeal to smaller teams.