Two-man rule (TPI - Two-person integrity)

Feature name

Two-man rule in order to unlock specific passwords for a short period of time

Feature function

  • What will this feature do differently?
    This will require at least 2 persons (configurable) to unlock access to a password for a certain time (set by organization policies).
  • What benefits will this feature bring?
    Increased security in cases where there is a requirement for at least 2-person verification of password usage.

Related topics + references

Feature description and possible way to achieve

One possible solution would be to have specific passwords that belong to a group or collection. The collection would then have rules set for who can see and request the password, which parties need to agree and how many of them have to agree, whether the parties have to belong to the same role or to different roles, and the time after which requests expire.

I.e. if you split the request into a 3-person requirement, then it may require someone from group or role A, B or C to request the key; after that, someone from the other groups has to agree on revealing the password within the time limit, making sure a single person cannot access the more secured system alone. After access is granted, only the user requesting it could access it for a limited time. Approval could require 2FA if specified.

The request should show who in the organization has requested to see the password, possibly with a description.

Possibly a password change would have to be approved the same way.

I am aware the issue is still there when a person saves the password for later usage once they have gotten access to it, but it is for the organization to arrange the safety of the password during its usage and ensure it has not been saved in the process (possibly with the password usage and request being done under some supervision). This feature would at least provide the means from the BW side to achieve a two-man rule.

I would like to see this feature too, although for me a simpler solution would suffice:

Similar to the “read” and “write” permissions, there could be a new permission “request access”. I.e. users see the entry, but they can only request the credentials, not access them. A manager (could be anyone with “write” permissions) receives a notification and needs to approve in order for the person to access the credentials.

The credentials should stay unlocked for a short period of time.

This way sensitive credentials could be protected. The most important aspect here is that users without write access should never have access to the TOTP token, otherwise they could simply copy the credentials.
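To make the two proposals in this thread concrete, here is an added example (not Bitwarden code, and not written by either poster) of the approval logic they describe: a collection policy that says how many other people must agree, whether they must come from roles different from the requester's, how long a pending request and a granted unlock stay valid, and the rules that nobody can approve their own request and only the requester can use the grant. With `approvals_required=1` and `distinct_roles=False` it is the simpler "request access" permission from the second post, where anyone holding the approve (write) right can unlock for a reader; with `approvals_required=2` and `distinct_roles=True` it is the three-role scenario from the first post. The class and field names, the in-memory secret store, the item name and the timestamps are all assumptions for illustration; a real vault would keep the item encrypted until quorum is reached and the clock would not be passed in by the caller.

```python
"""Two-person-integrity (TPI) approval engine for vault items.

Added example, not Bitwarden code.  Names (Policy, TwoPersonVault, ...) and the
in-memory secret store are assumptions; `now` is passed in explicitly so the
expiry rules are deterministic and testable.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Policy:
    """Rules attached to a collection of protected items."""
    approvals_required: int = 1                   # approvers needed besides the requester
    distinct_roles: bool = False                  # every party must come from a different role
    approver_roles: FrozenSet[str] = field(default_factory=frozenset)  # empty = any approver
    request_ttl: timedelta = timedelta(minutes=15)   # pending request expires after this
    unlock_ttl: timedelta = timedelta(minutes=5)     # requester's reveal window after grant


@dataclass(frozen=True)
class User:
    name: str
    role: str
    can_approve: bool = False   # the "write"/manager right from the simpler proposal


@dataclass
class AccessRequest:
    requester: User
    item: str
    reason: str                 # shown to approvers alongside the requester's name
    created: datetime
    approvals: Dict[str, str] = field(default_factory=dict)  # approver name -> role
    granted_at: Optional[datetime] = None


class TwoPersonVault:
    def __init__(self, policy: Policy, secrets: Dict[str, str]) -> None:
        self.policy = policy
        self._secrets = secrets            # item name -> secret (constructed sample data)
        self.pending: List[AccessRequest] = []   # what approvers get notified about
        self.audit: List[str] = []         # who requested / approved / revealed, and when

    def request(self, user: User, item: str, reason: str, now: datetime) -> AccessRequest:
        if item not in self._secrets:
            raise KeyError(item)
        req = AccessRequest(user, item, reason, now)
        self.pending.append(req)
        self.audit.append(f"{now:%H:%M} REQUEST {user.name} ({user.role}) -> {item}: {reason}")
        return req

    def approve(self, req: AccessRequest, approver: User, now: datetime) -> bool:
        """Record one approval; return True once quorum is reached."""
        p = self.policy
        if req.granted_at is not None:
            return True
        if now - req.created > p.request_ttl:
            raise TimeoutError("request expired before quorum was reached")
        if approver.name == req.requester.name:
            raise PermissionError("requester cannot approve their own request")
        if not approver.can_approve:
            raise PermissionError(f"{approver.name} lacks the approve right")
        if p.approver_roles and approver.role not in p.approver_roles:
            raise PermissionError(f"role {approver.role} may not approve this collection")
        if approver.name in req.approvals:
            raise PermissionError("duplicate approval from the same person")
        if p.distinct_roles:
            used = {req.requester.role, *req.approvals.values()}
            if approver.role in used:
                raise PermissionError("each party must come from a different role")
        req.approvals[approver.name] = approver.role
        self.audit.append(f"{now:%H:%M} APPROVE {approver.name} ({approver.role}) -> {req.item}")
        if len(req.approvals) >= p.approvals_required:
            req.granted_at = now
            self.pending.remove(req)
            self.audit.append(f"{now:%H:%M} GRANT {req.requester.name} -> {req.item}")
        return req.granted_at is not None

    def reveal(self, req: AccessRequest, user: User, now: datetime) -> str:
        """Hand the secret to the requester only, and only inside the unlock window."""
        if req.granted_at is None:
            raise PermissionError("not enough approvals yet")
        if user.name != req.requester.name:
            raise PermissionError("only the requester may use this grant")
        if now - req.granted_at > self.policy.unlock_ttl:
            raise TimeoutError("unlock window closed; request again")
        self.audit.append(f"{now:%H:%M} REVEAL {user.name} -> {req.item}")
        return self._secrets[req.item]


def three_role_demo() -> str:
    """Scenario from the first post: A requests, B and C agree, only A may reveal."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)        # constructed timestamp
    vault = TwoPersonVault(Policy(approvals_required=2, distinct_roles=True),
                           {"prod-root": "hunter2-constructed-sample"})
    alice, bob, carol = User("alice", "A", True), User("bob", "B", True), User("carol", "C", True)
    req = vault.request(alice, "prod-root", "rotate TLS key on db01", t0)
    vault.approve(req, bob, t0 + timedelta(minutes=2))          # 1 of 2, still pending
    vault.approve(req, carol, t0 + timedelta(minutes=4))        # quorum reached, grant issued
    return vault.reveal(req, alice, t0 + timedelta(minutes=6))  # inside the 5-minute window
```

Note what this does and does not cover: it enforces who may ask, who may agree, how many and from which roles, and for how long, and it leaves an audit trail of who requested what and why. It does nothing about the requester copying the secret once revealed, which is the gap the first post already points out; that has to be handled organisationally or by never exposing the secret (e.g. injecting it into a session the user cannot read back) rather than by the approval engine.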