Who is Eligible
Active Faculty, Staff or Students with Shared Account access.
The Problem
When multiple people use a shared email account protected by Duo MFA, there is a real security risk: if users approve every Duo authentication prompt (push, call, or text), especially prompts they did not personally initiate, an attacker who has the shared password can gain unauthorized access. This has happened when users, aiming for convenience, approved all prompts without verifying their legitimacy.
Secure Workflow for Shared Duo Accounts
- Each User Must Register Their Own Device:
  - Every person who needs access to the shared account should associate their individual device (smartphone, phone number, etc.) with the shared account in Duo.
- Self-Enroll Process:
  - Coordinate a time with the account owner to enroll your device.
  - Log in to the shared account at a Duo-protected application (like webmail.oakland.edu).
  - After entering the shared NetID and password, select your preferred authentication method (Duo Mobile app, call, or text).
  - Complete the device enrollment as prompted.
- Verify All Authentication Requests:
  - Only approve Duo prompts that you personally initiate when logging in.
  - Never respond to a Duo authentication (push, call, or text) if you are not actively logging in.
  - If you receive a Duo phone call that you did not start, press 9 immediately to report possible fraud.
- "Other Options":
  - Do not simply approve the initial push that may appear when logging in with shared credentials; it may have been sent to another user's device, or triggered by someone else.
  - Select "Other options" in the Duo prompt if given, and choose the correct authentication method for your own device.
- Why This Matters:
  - Attackers sometimes try to log in and trigger Duo prompts, hoping someone will approve them out of habit or confusion. By strictly following these steps, you prevent accidental approval of fraudulent access attempts.
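The "Why This Matters" point above describes the pattern an account owner or IT staff can look for on the back end: repeated prompts nobody answered, a fraud report, and then an approval from the same source. The following is an added example, not part of this article and not Duo's own tooling; it assumes a record layout loosely modelled on Duo's authentication log (user, factor, result, reason, device, ip fields), and the sample records and the "shared-mailbox" NetID are constructed for illustration. Adapt the field names to whatever your Duo export actually contains.

```python
"""Flag risky MFA activity on a shared account from Duo-style auth log records.

Added example, not part of the original article. The record layout is an
ASSUMPTION loosely modelled on Duo's authentication log (result / reason /
factor fields); the sample records and the user name are constructed.
"""
from collections import Counter

# Constructed sample records for one shared NetID ("shared-mailbox" is a placeholder).
SAMPLE_LOG = [
    {"ts": "2024-05-01T09:00:05Z", "user": "shared-mailbox", "factor": "duo_push",
     "result": "success", "reason": "user_approved", "device": "phone-A", "ip": "203.0.113.10"},
    {"ts": "2024-05-01T09:15:40Z", "user": "shared-mailbox", "factor": "duo_push",
     "result": "denied", "reason": "no_response", "device": "phone-B", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:16:02Z", "user": "shared-mailbox", "factor": "duo_push",
     "result": "denied", "reason": "no_response", "device": "phone-B", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:16:30Z", "user": "shared-mailbox", "factor": "phone_call",
     "result": "fraud", "reason": "user_marked_fraud", "device": "phone-A", "ip": "198.51.100.7"},
    {"ts": "2024-05-01T09:17:10Z", "user": "shared-mailbox", "factor": "duo_push",
     "result": "success", "reason": "user_approved", "device": "phone-C", "ip": "198.51.100.7"},
]


def flag_shared_account_activity(records, user, min_unanswered=2):
    """Return a list of finding strings for the given shared account.

    Findings raised:
      * any authentication the user marked as fraud (the "press 9" path);
      * min_unanswered or more prompts with no response from a single IP
        (someone repeatedly triggering prompts);
      * an approval from an IP that also produced unanswered or fraud-marked
        prompts (a user may have approved a prompt they did not initiate).
    """
    recs = [r for r in records if r["user"] == user]
    findings = []
    unanswered_by_ip = Counter()
    fraud_ips = set()

    # Pass 1: collect fraud reports and unanswered prompts per source IP.
    for r in recs:
        if r["result"] == "fraud":
            findings.append(f'{r["ts"]}: {r["device"]} reported fraud on a {r["factor"]} from {r["ip"]}')
            fraud_ips.add(r["ip"])
        elif r["result"] == "denied" and r["reason"] == "no_response":
            unanswered_by_ip[r["ip"]] += 1

    repeat_ips = {ip for ip, n in unanswered_by_ip.items() if n >= min_unanswered}
    for ip in sorted(repeat_ips):
        findings.append(f'{unanswered_by_ip[ip]} unanswered prompts from {ip}')

    # Pass 2: an approval from a source already tied to fraud/unanswered prompts
    # is the exact mistake the article warns about.
    suspicious_ips = fraud_ips | repeat_ips
    for r in recs:
        if r["result"] == "success" and r["ip"] in suspicious_ips:
            findings.append(f'{r["ts"]}: {r["device"]} APPROVED a prompt from suspicious source {r["ip"]}')
    return findings


def approvals_by_device(records, user):
    """Count successful approvals per enrolled device: with one device per
    person, this gives the individual accountability the article asks for."""
    return dict(Counter(r["device"] for r in records
                        if r["user"] == user and r["result"] == "success"))


if __name__ == "__main__":
    for finding in flag_shared_account_activity(SAMPLE_LOG, "shared-mailbox"):
        print("ALERT:", finding)
    print(approvals_by_device(SAMPLE_LOG, "shared-mailbox"))
```

On the constructed records the script raises three findings: the fraud report from phone-A, two unanswered pushes from 198.51.100.7, and the later approval from phone-C for a prompt originating at that same address. The legitimate 09:00 approval from a different address is not flagged.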
Alternative to Shared Credentials: Google Delegation
Consider setting up Google Delegation instead of sharing account credentials. Delegation allows multiple users to manage the account's email, calendar, and Drive files without sharing the same login. This can be done in the Google Settings of the shared account. This method is more secure and provides individual accountability, because each action is tied to the delegate's own login.
Key Takeaway
Never approve a Duo prompt you didn't initiate yourself. Always verify that you are the person trying to log in, and educate all users of a shared account about this critical security step. This habit protects you, your data, and your institution from unauthorized access.