The UK’s National Cyber Security Centre recently published cybersecurity guidance for high-risk individuals. I looked at the guidance last week and shared my thoughts here, but I wanted to say a bit more about NCSC’s suggestion for managing access to shared accounts.
According to the guidance, you should “consider using a social media management service” for “any public social media accounts that you use in a professional context.” The idea here is that the service allows your team members to create posts for you, without you having to share the password. But in reality, the service may leave your account less secure than before because it changes how your team members log in.
Let’s say that you want to give Alice and Bob access to manage your account on X. You have secured the account with a good password and two-factor authentication. Maybe you’ve even set up a security key. You can then share your password and two-factor authentication; use a social media management service; or try out X’s new Delegate feature.
If you share your password and two-factor authentication, you give Alice and Bob full control over your account. Not only can they create posts for you, they can also hijack your account. Not ideal.
If you use a social media management service, you first create an account with the service and secure it with a good password and two-factor authentication. You then link the service to your account on X. Alice and Bob create accounts with the service too. From there, you give Alice and Bob permission to create posts for you through the service. Rather than log in on x.com, they log in to the service and access your account there. And because their access is limited, they will not be able to hijack your account.
Sounds great, right? Well, here’s the catch.
Your account on X still has a good password and two-factor authentication. But it’s now possible to log in another way—using the social media management service—and that is protected by your account, Alice’s account, and Bob’s account. If Bob has the password “password” and no two-factor authentication, that weakens the security of your account. While Bob can’t hijack your account, he—or someone using his account with the service—can create all sorts of embarrassing posts for you.
X launched the Delegate feature last year to make it easier for teams to collaborate on a single account. The concept is similar to using a social media management service, but without using a third-party platform. If you use this feature, you give Alice and Bob permission to create posts for you through their own X accounts. Your account still has a good password and two-factor authentication. But, as with the service, your account is now protected by your account, Alice’s account, and Bob’s account. If Bob does not secure his own account, then he also leaves your account less secure than it was before you gave him access.
In an ideal world, X should allow you to require that delegates match the security that you have on your account. If you have two-factor authentication, they should have that too. This challenge is not unique to X, however, or to social media. Earlier this week, I discovered that you can delegate access to a Google account enrolled in the Advanced Protection Program to a Google account with no two-factor at all. Turns out securing shared access is hard, no matter the platform.
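The matching requirement described above, written out as an added example; it is not code from this post or from any platform's API. The `Auth` ordering, the `Principal` record, and the `may_delegate` and `audit` functions are hypothetical names chosen for illustration, and the sample team is constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Auth(IntEnum):
    """Login strength, weakest first. The ordering is an assumption of this example."""
    PASSWORD_ONLY = 0
    TWO_FACTOR = 1
    SECURITY_KEY = 2


@dataclass(frozen=True)
class Principal:
    name: str
    auth: Auth


def may_delegate(owner: Principal, candidate: Principal) -> bool:
    """The rule the post asks for: a delegate must match the owner's login strength."""
    return candidate.auth >= owner.auth


def audit(owner: Principal, delegates: list[Principal]) -> dict:
    """Model limited (post-only) delegation via a service or a Delegate feature.

    Takeover still requires the owner's own login. Posting can be reached
    through the owner's login or any delegate's, so it is only as strong
    as the weakest of them.
    """
    weakest = min([owner, *delegates], key=lambda p: p.auth)
    return {
        "takeover_strength": owner.auth,
        "posting_strength": weakest.auth,
        "weakest_login": weakest.name,
        "below_owner": [d.name for d in delegates if not may_delegate(owner, d)],
    }


# Constructed sample: the post's Alice and Bob, with Bob on a bare password.
OWNER = Principal("you", Auth.TWO_FACTOR)
TEAM = [Principal("Alice", Auth.TWO_FACTOR), Principal("Bob", Auth.PASSWORD_ONLY)]

if __name__ == "__main__":
    for key, value in audit(OWNER, TEAM).items():
        print(f"{key}: {value!r}")
```

On the sample team the takeover strength stays at the owner's level while the posting strength drops to Bob's, which is the gap a platform-side check like `may_delegate` would close at grant time.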
Last week, I wrote that “[w]hen considering a social media management service, I recommend that you look for one which–at the very least–supports two-factor authentication.” You want to make sure that your account remains secure, regardless of how you share access. That may mean sharing your password and two-factor authentication; using a service which allows you to require two-factor authentication; or using X’s new Delegate feature and trusting your team members to keep their own accounts secure—just like you do.
Yes, careful to whom you delegate and the scope of what you delegate. Does social media edit permission also grant access to your forgotten Keybase.io encrypted data?
But on balance, delegation is a worthwhile security feature to add to a system. See section 3 of n2vi.com/Auth.pdf for a real-life story.