How many services does your business use? Marketing is using MailChimp and Hubspot, your devs are accessing paid APIs for AWS, search, AI, etc. HR is paying for job boards.
It’s a lot to keep track of, and it is a pain when people leave or switch roles. So in this article we are going to give you the simplest process we know: the one that is easiest to use and gives the quickest handovers of accounts.
It’s built on a central email address with per-service forwarding and a 2FA-for-teams product.
Let’s get into it.
1. Account Identity & Ownership
Business account ownership needs to remain with the company, not individuals. This starts with using company-controlled email addresses for all third party service accounts.
This means you need to appoint someone to handle these addresses. They’ll mainly be setting up email forwarding rules, but will need to be involved when a new service is onboarded or when employees managing the service leave or change roles.
A centralised email account
This process is based around a central email account. Call it something like [email protected]. This will be the primary contact for third party services (e.g., AWS, Google Workspace, etc.).
You may or may not want to use what is known as email sub-addressing or plus addressing when registering for new services. This is when you extend the name in your email address (services) with a ‘+’ and a word, for example – [email protected].
Mail services recognise that the actual address is [email protected], but you get that little extra bit of information, +aws, to use in filtering and forwarding rules. Also, some services treat the whole name+tag as a distinct email address, so you can often sign up for multiple accounts on the same service just by changing what comes after the “+”. However, some services deliberately ignore the “+…” part to stop people from doing this.
Register for every 3rd party service with the central account
When it’s decided your business needs to use yet another service, perform the sign-up and registration using your [email protected] account, or with a [email protected] style email address.
Then use email forwarding from the centralised account
Once the new service is registered for using your centralised account, set up email forwarding rules to direct account notifications (like verification codes or security alerts) to the person who will be responsible for that service. For example, if Sarah manages AWS, forward [email protected] emails to her work email address – [email protected].
Here are instructions for forwarding emails using Microsoft Teams, and instructions for forwarding emails using Gmail in Google Workspace. If you haven’t used the [email protected] style email address you may need to inspect a few emails from the service to discover which source email addresses you need to match against and forward to the appropriate person.
Handover is easy
When Sarah leaves or changes roles, simply update the forwarding rule to send notifications to her replacement—no need to change the service account email itself.
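The forwarding-and-handover logic described in the two sections above, written out as an added example (not code from the original article). It assumes a central mailbox whose local part is “services” at the constructed domain example.com, a small owner table keyed by the “+tag” used at sign-up, and a sender-domain fallback for services that strip the “+tag”; all addresses and messages are constructed.

```python
import email
from email.utils import parseaddr

# Constructed routing table for the central mailbox: "+tag" used at sign-up
# -> work address of the person or role currently responsible. A handover is
# a one-line change here; the service account's own email never changes.
OWNERS = {
    "aws": "sarah@example.com",
    "mailchimp": "marketing@example.com",
}

# Fallback for services that drop the "+tag": match on the sender's domain.
SENDER_DOMAINS = {
    "amazonaws.com": "aws",
    "mailchimp.com": "mailchimp",
}
CENTRAL_LOCAL_PART = "services"


def plus_tag(address):
    """Return the tag from services+tag@..., or None if there is no usable tag."""
    local = address.partition("@")[0]
    base, sep, tag = local.partition("+")
    return tag.lower() if sep and base == CENTRAL_LOCAL_PART and tag else None


def route(raw):
    """Decide where one message arriving at the central mailbox is forwarded."""
    msg = email.message_from_string(raw)
    # The tag usually survives in the recipient headers even when the sender
    # displays the address without it, so check those first.
    for header in ("Delivered-To", "To", "Cc"):
        for value in msg.get_all(header, []):
            tag = plus_tag(parseaddr(value)[1])
            if tag in OWNERS:
                return OWNERS[tag]
    # No usable tag: fall back to the sender's domain (L16's "inspect a few
    # emails to discover which source addresses to match against").
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for known, tag in SENDER_DOMAINS.items():
        if domain == known or domain.endswith("." + known):
            return OWNERS.get(tag)
    return None  # unknown service: stays in the central inbox for review


def handover(tag, new_owner):
    """Reassign a service to its new owner; nothing at the service changes."""
    OWNERS[tag] = new_owner


# Constructed sample messages (not real service mail).
MSG_WITH_TAG = ("From: no-reply@signin.amazonaws.com\nTo: services+aws@example.com\n"
                "Subject: Your verification code\n\nCode: 123456\n")
MSG_TAG_STRIPPED = ("From: alerts@mailchimp.com\nTo: services@example.com\n"
                    "Subject: Password changed\n\nYour password was changed.\n")
```

Call `handover("aws", "tom@example.com")` and the next AWS notification routes to Tom; that single mapping change is the whole handover for a non-2FA account.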
Role-Based Emails
You can take this a step further and forward service messages to role-based email addresses such as [email protected] or [email protected]. This ensures that control resides with the department rather than an individual employee.
What about Single Sign On (SSO)?
While Single Sign-On (SSO) solutions like “Sign in with Google” make registering for new services quick, easy and secure, they also tie accounts to individual credentials, which creates all the complications around continuity that this process is designed to avoid.
2. Authentication Management: Handling 2FA
Two-factor authentication (2FA) – where a website might ask you to enter a special code from an authenticator app – adds an important layer of security. But 2FA can make using secure sites a frustrating exercise in co-ordination if you haven’t got everything set up properly.
However, as far as we can tell there is only one simple way to handle 2FA when there is more than one person involved – Daito.io. It’s a tool for managing 2FA for teams.
Daito.io allows you to link 2FA tokens to service accounts rather than individual employees’ personal devices.
It also lets you set up permission levels so only authorised users can access specific tokens, and enables you to back-up the “seeds” (the random secret key that 2FA authentication apps like Google Authenticator use to generate the time-limited codes used in 2FA) securely.
This means you can avoid reliance on phone based apps and the issues that arise when phones are lost or employees who own the phones leave suddenly.
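To make concrete what the “seed” above is, here is an added example (not part of the original article, and not Daito.io’s code): a minimal RFC 6238 TOTP generator and verifier using only the Python standard library. Any holder of the same base32 seed, whether a phone app or a team tool restoring a backup, produces identical codes, which is why the seed is the one thing that must be backed up and protected. The seed below is the public test vector from RFC 6238, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(seed_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 seed, as authenticator apps store it."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    counter = (int(time.time()) if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(seed_b32, code, at=None, step=30, window=1):
    """Accept a code from the current step or up to `window` neighbouring steps."""
    now = int(time.time()) if at is None else at
    return any(
        hmac.compare_digest(totp(seed_b32, now + k * step, step), code)
        for k in range(-window, window + 1)
    )


# Public RFC 6238 test seed (ASCII "12345678901234567890"), base32-encoded.
RFC6238_SEED = base64.b32encode(b"12345678901234567890").decode()


def same_seed_same_code(seed_b32, at):
    """Two independent holders of one seed (say, a phone and a backed-up team
    tool) must agree on the code for the same time step."""
    return totp(seed_b32, at) == totp(seed_b32, at)
```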
A browser based tool does mean your password game needs to be on point if you’re going to keep it secure, which brings us to the final step in the process.
3. Password Management
Your third party services have all been centralised under a single email address and a 2FA management tool. Now do the same for the passwords used with those third party services.
There are multiple business password managers out there for you if you’re not a giant enterprise – Bitwarden, 1Password Business, and Dashlane for Teams, for example. Choose one, use it. It’s that simple.
Putting it to work – performing a handover
The goal of this setup is to make handovers as painless as possible when employees leave or change roles.
Here are the handover steps:
- Update Email Forwards: For non-2FA accounts, simply update the forwarding rules on the central service email ([email protected]) so notifications go to the new owner.
- Adjust 2FA Access: For 2FA-protected accounts, update the access groups in your 2FA management tool. No need to manually transfer authenticator apps between devices.
- Revoke Password Access: Remove departing team members from your password manager while ensuring their replacement has access.
That’s nice and straightforward. Chances are the same person will be performing all those steps and they can probably perform them in under 10 minutes.
That’s all there is. Why not go do it?
By structuring your accounts with third party services around a single email address using a centralised 2FA solution, and employing a business-wide password manager for shared credentials, you make accessing, managing and transferring third party services quick and easy.
The setup requires a little upfront effort, and someone needs to be on point setting up forwards and managing passwords and roles, but it simplifies handovers, simplifies access to third party services, and ensures you retain control over all the services your business relies on as your team inevitably grows and changes.