Unleash

Stop Sharing Accounts: Unlock Security and Efficiency on Your Feature Flag Platform

Imagine discovering a critical feature flag change in production, but you have no idea who made it. This can happen when teams share accounts on their feature flag platform.

While most teams use individual accounts, we’ve observed that some still rely on shared accounts. Even in limited cases, this practice introduces unnecessary risks to both security and usability.

In some cases, teams share email and password credentials. Others use SSO (Single Sign-On) alongside shared password logins as a fallback, leaving potential security vulnerabilities open. Most surprisingly, even when password-based logins are disabled, some teams continue to share their SSO accounts.

In this article, we’ll explain why sharing accounts in your feature flag management platform is not only a security risk but also an obstacle to collaboration and effective use of the platform.

1. Exposure Risks

Let’s start with the obvious. Shared credentials are far less secure than unique user accounts. They are more likely to be leaked or mishandled. For example, shared credentials might be stored in an unsecured document or communicated over unencrypted channels, increasing the likelihood of exposure.

Worse, it’s difficult to revoke access for a single individual without affecting everyone else using the shared account. This increases the risk of unauthorized access, even after someone leaves the team or organization.

Individual user credentials, especially when managed through a secure password manager, offer a much lower risk of exposure.

2. Traceability and Auditing

Unleash provides an event log that tracks all actions within the platform. This is essential because feature flags directly control how your application behaves in production.

In highly regulated industries like healthcare, insurance, and banking, tracking individual actions is not just a good practice—it’s often a compliance requirement. For instance, SOC 2 compliance, which ensures secure data handling, mandates traceability of user actions. Shared accounts violate this principle, potentially leading to failed audits and financial penalties.

3. Access Control and Least Privilege

Unleash offers a sophisticated Role-Based Access Control (RBAC) system to meet complex access management needs. Every user should have access only to the features and actions necessary for their role.

With shared accounts, it’s impossible to enforce the principle of least privilege. Permissions must be set to accommodate the broadest set of needs, which can lead to overexposure of sensitive data or the ability to perform actions beyond a user’s responsibilities. For example, users who are supposed to manage development flags might inadvertently modify production configurations, potentially causing disruptions.

4. Incident Response

When a production incident occurs, identifying the person responsible is critical. Hopefully, you work in a blameless culture, where the goal is to learn from mistakes. However, you still need to know who should get the “three-armed sweater” as an appreciation gift for the most spectacular incident revealing gaps in your process. Shared accounts obscure this effort.

For instance, finding out which team member behind internal-users@mycompany.com enabled the Black Friday banner on Thursday could take some time.

In your blameless postmortem, you may also find that improving collaboration could prevent this mistake. Unleash makes it easy to collaborate—as long as your team members have individual accounts.

5. Degrading Collaboration

Unleash’s event timeline tracks recent changes and modifications, showing exactly who made what change. With shared accounts, you lose this granularity. Knowing who to contact about a particular change becomes a guessing game, which slows down collaboration.

Similarly, Unleash’s Change Requests offer unparalleled flag review capabilities. However, if five people share team@mycompany.com, you won’t know who is reviewing your changes, undermining the effectiveness of this feature.

6. Sacrificing a Personalized Experience

Unleash offers personalized dashboards and project overviews tailored to individual users. These pages display relevant projects, flags, and customizations, allowing users to focus on what matters most to them.

With a shared account:

  • Users see irrelevant flags or projects.
  • Filters and favorites set by one person affect everyone.

For growing teams, shared accounts quickly become a bottleneck. One user’s preferences can override another’s, leading to wasted time and frustration when finding relevant flags or projects. This reduces productivity and complicates user workflows.

Recommendations

If your team currently uses shared accounts, we strongly encourage you to review your organization’s security policies to determine whether this practice aligns with your compliance and security standards. To assist with security audits, Unleash proactively notifies admins when excessive logins from a single account are detected, highlighting accounts that may be at risk.
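As an added illustration of the kind of signal such a check can use (this is example code, not Unleash's own detection logic), the script below flags accounts whose logins arrive from many distinct source IP/user-agent pairs within a short window, one indicator that credentials are being shared; the sample events, the one-hour window and the threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real data):
# (account, timestamp, source IP, user agent)
LOGINS = [
    ("alice@mycompany.com", "2024-11-28T08:00:00", "10.0.0.5", "Firefox/130"),
    ("alice@mycompany.com", "2024-11-28T09:30:00", "10.0.0.5", "Firefox/130"),
    ("team@mycompany.com", "2024-11-28T08:01:00", "10.0.0.12", "Chrome/129"),
    ("team@mycompany.com", "2024-11-28T08:03:00", "10.0.1.40", "Safari/17"),
    ("team@mycompany.com", "2024-11-28T08:05:00", "192.168.4.9", "Chrome/129"),
    ("team@mycompany.com", "2024-11-28T08:07:00", "10.0.2.77", "Edge/129"),
    ("team@mycompany.com", "2024-11-28T08:09:00", "10.0.3.18", "Firefox/130"),
]


def flag_shared_accounts(logins, window=timedelta(hours=1), max_distinct_sources=3):
    """Return {account: sorted distinct (ip, user_agent) pairs} for every account
    whose logins inside some sliding window of length `window` come from more
    than `max_distinct_sources` distinct sources. Window and threshold are
    assumed heuristics; tune them to your own login patterns."""
    by_account = defaultdict(list)
    for account, ts, ip, user_agent in logins:
        by_account[account].append((datetime.fromisoformat(ts), (ip, user_agent)))

    flagged = {}
    for account, events in by_account.items():
        events.sort()  # chronological order so each window starts at an event
        for i, (start, _) in enumerate(events):
            # All distinct sources seen from this event until the window closes.
            sources = {src for t, src in events[i:] if t - start <= window}
            if len(sources) > max_distinct_sources:
                flagged[account] = sorted(sources)
                break  # one violating window is enough to report the account
    return flagged


if __name__ == "__main__":
    for account, sources in flag_shared_accounts(LOGINS).items():
        print(f"{account}: {len(sources)} distinct sources within one hour")
        for ip, user_agent in sources:
            print(f"  {ip:<14} {user_agent}")
```

A flagged account is a prompt to investigate, not proof of sharing: a user on a VPN that rotates exit addresses can trip the same heuristic, so review the event log for the account before acting.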

For enterprise users, we recommend enabling SSO without shared accounts and disabling password-based login to enhance both security and usability. In cases where you’re locked out, we can temporarily re-enable password-based login to restore access if needed.

By transitioning to individual accounts, you’ll benefit from enhanced security, clear accountability, and a more personalized user experience.
