Managing Multi-Factor Authentication (MFA) with Shared Google Accounts
Multi-Factor Authentication (MFA) is critical for account security. However, implementing MFA on traditional "shared" Google accounts (where multiple individuals use the same login credentials) presents significant challenges. This article outlines different approaches for shared email access, detailing their functionality, advantages, and critical security considerations.
1. Option 1: Main Account Owner with Delegates
This approach involves a single Google account with MFA enabled by its primary owner, and other users accessing it through Gmail delegation.
How it Works:
- A designated "main owner" of the shared Google account (e.g., department@lanecc.edu) configures 2-Step Verification (MFA) using their preferred method (e.g., Google Authenticator, security key, prompt).
- The main owner then grants delegates access to this account's Gmail inbox via Gmail settings.
Functionality & Access:
- MFA: Only the main account owner directly interacts with the MFA prompt.
- Delegate Access: Delegates log in to their personal Google Workspace accounts (yourusername@lanecc.edu) and access the shared inbox from their own Gmail interface. They will see the delegated inbox listed under their account.
Advantages:
- Relatively simple to set up initially for basic email viewing.
- No sharing of the primary account's password with delegates.
Disadvantages (for "Shared" Inboxes):
- MFA Tied to One User: While the password isn't shared, the MFA recovery and management are tied to the main owner, creating a single point of failure and potential security risks if that owner leaves or loses their MFA device.
- Poor Audit Trail: It's difficult to track which delegate performed specific actions (e.g., deleted an email, sent a reply).
- Google Application Access: Delegation covers Gmail only; delegates do not get access to the delegated account's other applications, such as Drive and Docs. Data and documents belonging to the shared account will need to be placed on a shared drive that all delegates have permission to access.
More information on Delegate access and how to add Delegates
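The two Option 1 risks above (MFA recovery tied to one owner who may leave, and delegate actions that cannot be attributed to an individual) can be checked across an inventory of delegated shared accounts. The script below is an added example, not code from the Lane Community College page or from Google. It works on constructed sample records shaped like the Admin SDK Directory API `users` resource (`primaryEmail`, `suspended`, `isEnrolledIn2Sv`) and the Gmail API `users.settings.delegates` resource (`delegateEmail`, `verificationStatus`); the addresses, the `SharedAccount` wrapper and the finding codes are assumptions made for the example, and in practice the records would be fetched from those APIs.

```python
# Added example: posture check for shared accounts run under Option 1
# (main owner with Gmail delegates). Flags the failure modes described above:
# owner not enrolled in 2SV, owner gone (MFA recovery orphaned), several
# delegates sharing one inbox (no individual attribution), and delegation
# invitations that never completed.
from dataclasses import dataclass, field


@dataclass
class SharedAccount:
    primary_email: str                    # the shared address (e.g. department@...)
    owner: dict                           # Directory API user record of the main owner
    delegates: list[dict] = field(default_factory=list)   # Gmail delegate records


def assess(account: SharedAccount) -> list[tuple[str, str]]:
    """Return (code, message) findings for one delegated shared account; empty = clean."""
    findings = []
    if not account.owner.get("isEnrolledIn2Sv", False):
        findings.append(("NO_2SV", "owner is not enrolled in 2-Step Verification; "
                                   "the shared inbox is protected by a password only"))
    if account.owner.get("suspended", False):
        findings.append(("OWNER_SUSPENDED", "owner account is suspended (owner has left); "
                                            "MFA recovery and delegate management are orphaned"))
    accepted = [d["delegateEmail"] for d in account.delegates
                if d.get("verificationStatus") == "accepted"]
    stale = [d["delegateEmail"] for d in account.delegates
             if d.get("verificationStatus") in ("pending", "expired", "rejected")]
    if len(accepted) > 1:
        findings.append(("SHARED_ATTRIBUTION",
                         f"{len(accepted)} delegates plus the owner share one inbox; "
                         "actions cannot be attributed to an individual"))
    if stale:
        findings.append(("STALE_DELEGATION",
                         "delegation invitations never completed for: " + ", ".join(stale)))
    return findings


def recommend(account: SharedAccount) -> str:
    """Map findings onto the page's two options."""
    codes = {code for code, _ in assess(account)}
    if codes & {"OWNER_SUSPENDED", "SHARED_ATTRIBUTION"}:
        return "convert to a Google Group Collaborative Inbox (Option 2)"
    return "Option 1 acceptable; re-check when the owner changes"


# Constructed sample inventory; every address here is invented for the example.
SAMPLE = [
    SharedAccount("department@example.edu",
                  {"primaryEmail": "alice@example.edu", "suspended": False, "isEnrolledIn2Sv": True},
                  [{"delegateEmail": "bob@example.edu", "verificationStatus": "accepted"}]),
    SharedAccount("helpdesk@example.edu",
                  {"primaryEmail": "carol@example.edu", "suspended": True, "isEnrolledIn2Sv": True},
                  [{"delegateEmail": "dan@example.edu", "verificationStatus": "accepted"},
                   {"delegateEmail": "eve@example.edu", "verificationStatus": "accepted"},
                   {"delegateEmail": "frank@example.edu", "verificationStatus": "pending"}]),
]


def audit(accounts: list[SharedAccount] = SAMPLE) -> dict[str, list[str]]:
    """Finding codes per shared address, for the whole inventory."""
    return {a.primary_email: [code for code, _ in assess(a)] for a in accounts}


if __name__ == "__main__":
    for acct in SAMPLE:
        print(acct.primary_email)
        for _, message in assess(acct):
            print("  -", message)
        print("  =>", recommend(acct))
```

The `suspended` and `SHARED_ATTRIBUTION` findings are the ones that map directly onto the page's reasons for preferring Option 2: once the owner is gone there is nobody who can complete an MFA recovery, and once several people act through one mailbox the audit trail no longer names who did what.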
2. Option 2: Convert to a Google Group with Collaborative Inbox
This is Google's recommended solution for a shared inbox.
How it Works:
- The existing "shared" user account's email address is freed up by renaming or suspending the original account (this must be done by IT).
- A new Google Group is created with the desired shared email address (e.g., department@lanecc.edu) and configured as a "Collaborative Inbox."
- All users who need access to the shared email are added as members to this Google Group.
Functionality & Access:
- Individual User MFA: Each member accesses the Collaborative Inbox using their own Lane Community College Google Workspace account. Their individual MFA (tied to their personal account) secures their access to the Google Group. No shared passwords or MFA devices are needed for the inbox itself.
- True Shared Inbox: All members see the same view of the inbox, including conversations, assigned tasks, and status updates.
- Enhanced Collaboration: Collaborative Inboxes offer features like assigning conversations, marking them as complete, and tracking who has replied, significantly improving team workflow.
- Clear Audit Trail: Actions within the inbox are attributed to the individual user who performed them.
Advantages:
- Superior Security: Each user's access is individually secured with MFA, eliminating shared credentials.
- Robust Collaboration: Designed for team-based email management.
- Full Auditability: Clear accountability for all actions.
- Scalable and easily managed by IT.
Considerations for Conversion:
- Email Address Renaming: The existing shared account will likely need to be renamed or its primary email address changed to allow the Google Group to use that address. This requires administrative action by IT.
- Data Migration: Old email data from the original shared user account can be migrated into the new Collaborative Inbox. This process can be time-consuming, depending on the volume of emails, and will require coordination with IT.
More information on Collaborative Inbox.
Recommendation
Lane Community College recommends Option 1 (Main Account Owner with Delegates) first, as it requires minimal changes, and Option 2 (Converting to a Google Group with Collaborative Inbox) for any shared email functionality.