With the flu bug sweeping through the office this week, staff are a bit thin on the ground. This is not ideal especially at this time of year, with loads of tax returns still to complete. It has meant staff having to dive in and deal with tasks they would not otherwise touch.
This has led to some issues -in a way surprising some of them have not come to light before during holidays etc. Most of the software products have multiple users able to access the system, although the admin is probably restricted to one or two users.
A big issue was having to access a payroll integrated with accounts software to sort a query with HMRC. The client had given access to one staff member only, and that staff member was one of those off ill. Her login details to the software were her generic logins to other accounting clients using the same software and she had not therefore recorded these details in the “white space” in our systems generally used to record such information . There was a further security aspect in that two-factor authentication was enabled and two out of three security answers had also to be supplied.
There was no alternative other than to phone her and get her off her sick bed to obtain the login details to be able to access this area. We could have gone back to the client and asked for someone else to be given access to that area of the product, but it can get embarrassing to keep asking to allow different staff members into the software. It may not always be convenient either.
I think there are probably other clients into which individuals in the firm have been invited in by the client. So, the end-result appears to be that we need to ensure that we have a note of staff logins to any software in such circumstances, plus their other authentications! Or we need to ensure that not just one staff member has access.
Staff may not be too happy in providing security information; whilst there is nothing confidential in the systems in question here – online accounts software – the two – factor authentication questions may well be used in other software products too – name of first pet for example.
The use of password managers such as LastPass are enormously useful, and passwords and login details can be automatically filled in on accessing web pages etc. They can also generate very random passwords every time a new site is visited and registration set up. All very commendable, as we all know that it is recommended the same password not be used for every site.
Access to the LastPass vault is controlled by one master password. My vault contains all my bank, credit card and other personal logins so there is no way I am going to give anyone else my master password to be able to login in to various web pages in my absence. All security goes out of the window then.
How do you deal with such circumstances?
Where do you store master passwords and who has access?