The organization has predefined authentication methods that employees should prefer when using data systems.
When using cloud services, the user can often freely decide how to authenticate with the service. A single centralized authentication account (such as a Google or Microsoft 365 account) makes it possible to revoke a large number of access rights at once by closing the main user account that acts as the authentication method.
Shared accounts should only be allowed if they are necessary for business or operational reasons and should be separately approved and documented.
If shared accounts are used for admin purposes, passwords must be changed as soon as possible after any user with admin rights leaves their job.
One way to manage the risks associated with shared usernames is to manage the shared password and its users directly through a password management system.
In this case, it is possible to arrange matters so that, for example, only a single person actually knows the password and who its users are.
Credentials should be transmitted to users securely. Delivering a password through an external party or in an unprotected (plaintext) e-mail message should be avoided.
Temporary credentials should be unique and should not be guessable, for example, by inferring from user data.