Feature name
Two-man rule in order to unlock specific passwords for short period of time
Feature function
- What will this feature do differently?
This will require at least 2 persons (configurable) to unlock access to a password for a certain time (set by organization policies).
- What benefits will this feature bring?
Increased security in cases where there is a requirement for at least 2-person verification on password usage.
Related topics + references
- Are there any related topics that may help explain the need and function of this feature?
Two-man rule - Wikipedia
Feature description and possible way to achieve
One possible solution would be to have specific passwords that belong to a group or collection. The specific collection would then have rules set: who can see and request the password, who the parties are that need to agree, how many of the parties have to agree, whether the parties have to belong to the same role or different roles, and what the expiry time of requests is.
I.e. if you split the request into a 3-person requirement, then it may require someone from group or role A, B or C to request the key; after that, someone from the other groups has to agree on revealing the password within the time limit, making sure a single person cannot access the more secured system alone. After access is granted, only the user requesting it could access it for a limited time. Approval could require 2FA if specified.
The request should show who in the organization has requested to see the password, possibly with a description.
Possibly a password change would have to be approved the same way.
I am aware the issue is still there when a person would save the password for later usage once they have gotten access to it, but it is for the organization to arrange the safety of the password in its usage and ensure it has not been saved in the process (possibly the password usage and request being done under some supervision). This feature would at least provide the means from the BW side to achieve a two-man rule.
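As an added illustration of the approval flow described above (this is example code written for this page, not Bitwarden code or a proposed implementation), the following Python models a collection-level policy with a configurable quorum, a distinct-roles rule, a request expiry window, and a separate access window in which only the original requester may use the secret. Both "reveal" and "change" go through the same flow. The user directory, names and times are constructed sample data; the function names and the Policy fields are assumptions made here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed sample directory: user -> role. A real deployment would take this
# from the organization's user/collection data; all names are hypothetical.
USERS: Dict[str, str] = {"alice": "ops", "bob": "security", "carol": "security", "dave": "ops"}

T0 = datetime(2024, 1, 1, 12, 0)  # fixed clock for the demo and tests


def at(minutes: int) -> datetime:
    """Constructed timestamp: `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


@dataclass(frozen=True)
class Policy:
    """Collection-level rules for a two-man-rule protected secret (hypothetical fields)."""
    required_approvals: int = 2                      # approvers besides the requester (2 => three people)
    distinct_roles: bool = True                      # approvers must hold a role other than the requester's
    request_ttl: timedelta = timedelta(minutes=30)   # window in which approvals may be collected
    access_ttl: timedelta = timedelta(minutes=15)    # window in which the requester may use the secret


@dataclass
class AccessRequest:
    secret_id: str
    action: str                  # "reveal" or "change"; both use the same approval flow
    requester: str
    description: str             # shown to approvers so they know why access is wanted
    created_at: datetime
    approvals: Dict[str, datetime] = field(default_factory=dict)  # approver -> approval time
    granted_at: Optional[datetime] = None


class PolicyError(Exception):
    pass


def create_request(secret_id: str, action: str, requester: str, description: str, now: datetime) -> AccessRequest:
    if requester not in USERS:
        raise PolicyError("unknown requester")
    if action not in ("reveal", "change"):
        raise PolicyError("unsupported action")
    if not description.strip():
        raise PolicyError("a description of the purpose is required")
    return AccessRequest(secret_id, action, requester, description, now)


def rejection_reason(policy: Policy, req: AccessRequest, approver: str, now: datetime) -> Optional[str]:
    """Return None if `approver` may approve `req` right now, otherwise the reason it is refused."""
    if req.granted_at is not None:
        return "request already granted"
    if now - req.created_at > policy.request_ttl:
        return "request expired"
    if approver not in USERS:
        return "unknown approver"
    if approver == req.requester:
        return "requester cannot approve their own request"
    if approver in req.approvals:
        return "approver already counted"
    if policy.distinct_roles and USERS[approver] == USERS[req.requester]:
        return "approver must belong to a different role than the requester"
    return None


def approve(policy: Policy, req: AccessRequest, approver: str, now: datetime) -> bool:
    """Record one approval; return True once the quorum is reached and access is granted."""
    reason = rejection_reason(policy, req, approver, now)
    if reason is not None:
        raise PolicyError(reason)
    req.approvals[approver] = now
    if len(req.approvals) >= policy.required_approvals:
        req.granted_at = now
    return req.granted_at is not None


def may_perform(policy: Policy, req: AccessRequest, user: str, action: str, now: datetime) -> bool:
    """Only the original requester, for the approved action, inside the access window."""
    return (
        req.granted_at is not None
        and user == req.requester
        and action == req.action
        and now - req.granted_at <= policy.access_ttl
    )


def audit_line(req: AccessRequest) -> str:
    """What the organization sees: who asked for what, why, and who agreed."""
    approvers = ", ".join(f"{a} ({USERS[a]})" for a in req.approvals) or "none"
    state = "granted" if req.granted_at else "pending"
    return (f"{req.requester} ({USERS[req.requester]}) requested {req.action} of {req.secret_id}: "
            f"'{req.description}'; approvals: {approvers}; {state}")


if __name__ == "__main__":
    policy = Policy()
    req = create_request("prod-db-root", "reveal", "alice", "emergency restore", T0)
    approve(policy, req, "bob", at(1))     # 1 of 2: still pending
    approve(policy, req, "carol", at(2))   # quorum reached, access granted
    print(audit_line(req))
    print(may_perform(policy, req, "alice", "reveal", at(10)))   # True: requester, inside window
    print(may_perform(policy, req, "bob", "reveal", at(10)))     # False: approvers never get access
```

The point of keeping `rejection_reason` separate from `approve` is that the same checks can be shown to the approver in the UI before they act and recorded in the audit line when they are refused; the checks themselves (no self-approval, no double counting, role separation, request expiry, a short access window bound to the requester) are what make the quorum meaningful rather than the number alone.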