Last year, a team of CyLab researchers explored the account-sharing behaviors of romantic couples and found that some of their practices could compromise security. Building off that study, the team wanted to explore the account-sharing behaviors of another subset of people: employees within a company or organization.
Facebook, Google, and company email accounts are just a few of the many different accounts people are sharing in the workplace for a variety of reasons, the researchers found in their new study. Social media accounts are shared to allow several people to manage their company’s online image, and company email accounts are commonly shared to maintain a unified identity when responding to people outside of their team.
“The notion of one account, one user doesn’t really make sense anymore,” says CyLab’s Jason Hong, a professor in the Human-Computer Interaction Institute (HCII) and corresponding author on the study. “We need to start re-thinking how to design these kinds of accounts.”
The notion of one account, one user doesn’t really make sense anymore.Jason Hong, Professor, Human-Computer Interaction Institute (HCII)
Such a re-thinking is necessary, Hong says, because how these accounts are currently shared can lead to mishaps.
Their study, “Normal and Easy: Account Sharing Practices in the Workplace,” was presented at last week’s ACM Conference on Computer-Supported Cooperative Work and Social Computing.
In the study, the researchers surveyed 98 participants from a diverse set of workplaces across the United States about their account-sharing practices. They found that respondents shared credentials for an average of 11 accounts with their co-workers.
“We actually just write them down and stick them on a board next to the computers that they are used on,” wrote one survey participant who worked in manufacturing.
The specific methods participants used to share passwords spanned a pretty wide range. Some shared them directly by telling others verbally or electronically (e.g. text or email), and some shared credentials in a common location, for example, by writing them on a board in a shared space. Some used a password manager that employees had access to.
In one case, employees used a physical barrier–a safe–to protect the digital account credentials.
“We actually have a book that has all of the shared log in/password information. We lock the book in a file and have to lock it up when it is done being used,” wrote one participant who worked in education.
In most cases, people shared accounts to centralize collaboration on a task or project, but this method of collaboration leads to some challenges in accountability and awareness.
“You can’t tell who’s done what if everyone’s using the same username and password,” Hong says. “Sometimes there might be an important message for that account, but only the person who happened to log in after the message was sent saw the message. No one else would see it.”
You can’t tell who’s done what if everyone’s using the same username and password.Jason Hong, Professor, Human-Computer Interaction Institute (HCII)
Why would people share a single Dropbox or Google Drive account, even though those platforms allow for multiple users to collaborate? Hong says that those people would rather not spend the time setting up and remembering credentials for a new account, given how many other account credentials they’re managing on a daily basis.
Other issues respondents shared were instances such as being forcibly kicked off an account when another person logged in, or having trouble with two-factor authentication, since the second factor–someone’s device–presumably belongs to a single person. Some respondents shared experiences of being locked out of an account after someone else typed in the wrong password too many times.
Hong believes that many, if not all, of these challenges can be addressed with some design modifications.
“Companies who offer these accounts should allow multiple emails on that account,” Hong says. “These accounts should also allow simultaneous access so that when one user logs into the account, another isn’t kicked off.”
The authors also suggest that accounts should allow multiple profiles inside of them, mimicking Netflix’s account model.
“You would still have the same username and password, but now you could say, ‘This is Jason doing the work,’ or someone else,” Hong says, “That would allow you to manage the accountability aspect and know who did what.”
Other authors on the study included CMU visiting researcher Yunpeng Song from Xi’an Jiaotong University, Xi’an Jiaotong professor Zhongmin Cai, HCII Ph.D. student Cori Faklaris, and HCII professor Laura Dabbish.