Practical Implementation for SMBs & Shared Administrator Accounts
Real-World Challenge for SMB Organizations
Most Salesforce documentation assumes every administrator has their own dedicated Salesforce user.
In reality, many Small and Medium Businesses (SMBs) operate differently.
Typical reasons include:
- Limited Salesforce administrator licenses
- External implementation partners
- Managed service providers
- Business owners who occasionally administer Salesforce
- Cost optimization
A common setup looks like this:
System Administrator > Business Owner > Internal IT > Salesforce Partner > Support Consultant
Everyone uses the same administrator account when administrative work is required.
This approach has existed for years in many organizations.
The introduction of PR-MFA doesn’t necessarily prevent this model, but it does require organizations to rethink how authentication is managed.
Challenge 1 – Multiple Devices
Consider this scenario.
The same administrator works from:
- Office desktop
- Company laptop
- Home computer
- Mobile phone
Good news
This scenario is generally straightforward.
Salesforce allows multiple phishing-resistant authentication methods to be registered for the same user.
For example:
Admin User > Windows Hello (Office) > Windows Hello (Laptop) > Face ID (iPhone) > Backup Security Key
This is actually considered a good operational practice because it provides resilience if one device becomes unavailable.
Perigeon Recommendation
For administrators who regularly work across multiple devices:
- Register a passkey on each trusted device.
- Register a backup FIDO2 security key.
- Remove passkeys from retired or replaced devices.
Challenge 2 – One Administrator Shared by Multiple People
This is the question we receive most frequently.
Example:
System Administrator > Business Owner > IT Manager > Salesforce Partner > Support Engineer
Because there is only one administrator license.
Many SMB organizations are asking:
“How do we continue working without purchasing additional administrator licenses?”
Does Salesforce Prevent This?
Not necessarily.
PR-MFA focuses on how privileged users authenticate, not on Salesforce licensing.
However, organizations should ensure that whatever operational model they adopt aligns with their own security, audit, and compliance requirements.
Perigeon Practical Recommendation
The following recommendations are intended for organizations that:
- Understand the implications of sharing administrator credentials.
- Have documented internal approval for this operational model.
- Are seeking a practical approach while working within licensing constraints.
These recommendations are not official Salesforce guidance.
Option 1 – Use an Enterprise Password Manager Supporting Passkeys
This is our preferred approach for many SMB customers.
Several enterprise password managers now support FIDO2/WebAuthn passkeys.
Examples include:
- 1Password
- Bitwarden
- Keeper
- Dashlane
Instead of registering separate passkeys on every device manually, the administrator passkey can be securely stored in a managed vault and synchronized to approved users and devices, subject to the capabilities of the chosen password manager and your organization’s policies.
Benefits
- Simplifies passkey management.
- Easier laptop replacement.
- Centralized recovery.
- Secure synchronization.
- No physical key distribution.
Considerations
Before adopting this model:
- Verify that your password manager supports shared passkeys under your licensing plan.
- Enable audit logging where available.
- Restrict vault access to only authorized personnel.
- Periodically review vault membership.
Option 2 – Register Multiple Trusted Devices
If the administrator account is primarily used by the same individual, simply register multiple trusted devices.
Example:
Admin User > Desktop > Laptop > MacBook > iPhone > Backup Security Key
This avoids dependency on a single device.
Option 3 – Maintain a Recovery Device
Business continuity is often overlooked.
Imagine:
- Laptop fails.
- Mobile phone is lost.
- Administrator is travelling.
Without a recovery method, access may be delayed.
We recommend maintaining:
- One FIDO2 Security Key stored securely.
- One documented recovery procedure.
- One alternate trusted device.
Challenge 3 – External Salesforce Partners
Many organizations provide administrator access to:
- Salesforce consulting partners
- Managed service providers
- Offshore development teams
If a shared administrator account continues to be used:
Consider:
- How will the partner authenticate?
- Who manages passkeys?
- What happens when the project ends?
Perigeon Recommendation
If licensing allows:
Create a dedicated administrator account for the implementation partner.
If not:
Use an enterprise password manager with:
- Role-based access
- Audit logging
- Time-limited vault access
- Documented offboarding procedures
Challenge 4 – Device Replacement
This is one of the most common support requests.
Example:
Old Laptop > Windows Hello Passkey > Laptop Replacement
Recommended process:
- Login using another registered authentication method.
- Register the new device.
- Remove the old device.
- Validate login.
- Update internal documentation.
Challenge 5 – Employee Leaves the Organization
If an administrator leaves:
Immediately:
- Remove password manager access.
- Rotate shared credentials if applicable.
- Remove registered passkeys associated with their devices.
- Review trusted devices.
- Validate remaining recovery methods.
Choosing the Right Authentication Model
| Scenario | Recommended Approach |
|---|---|
| One administrator, multiple devices | Register passkeys on all trusted devices. |
| Shared administrator account | Enterprise password manager with passkey support (subject to policy). |
| High-security environment | FIDO2 security keys. |
| Frequent device replacement | Password manager or multiple registered passkeys. |
| Managed service provider | Dedicated admin account where possible, otherwise controlled shared vault access. |
Password Managers Supporting Passkeys
| Product | Passkey Support | Enterprise Sharing | Suitable for SMB |
|---|---|---|---|
| 1Password | ✅ | ✅ | ⭐⭐⭐⭐⭐ |
| Bitwarden | ✅ | ✅ | ⭐⭐⭐⭐⭐ |
| Keeper | ✅ | ✅ | ⭐⭐⭐⭐ |
| Dashlane | ✅ | ✅ | ⭐⭐⭐⭐ |
Note: Features vary by edition and subscription. Always verify the capabilities of your chosen product before relying on it for shared passkey management.
Perigeon’s Perspective
Salesforce’s objective is to strengthen authentication for privileged users through phishing-resistant methods. Every organization, however, has its own operating model.
For many SMB customers, immediately purchasing additional administrator licenses may not be practical. In these cases, organizations should evaluate solutions that maintain operational continuity while aligning with their own security policies.
Perigeon recommends assessing:
- The number of privileged users.
- How administrator accounts are currently used.
- Whether passkeys can be managed through an enterprise password manager.
- Recovery procedures for lost or replaced devices.
- Periodic reviews of who has access to shared authentication resources.
There is no single approach that fits every organization. The right solution should balance security, operational efficiency, licensing constraints, and business continuity.