How to manage 2FA for 'robot' accounts

We have created a ‘robot’ account for our CI/CD pipeline etc. (as suggested by https://help.github.com/en/articles/types-of-github-accounts), so the credentials, token etc. are not stored by any one member of our dev team.

However, we want to use 2-factor auth to secure this account for good security practice, and that ties to only one device for the OTPs, which defeats the purpose of having a separate account that isn’t heavily tied to one person, and feels a bit like we are trying to do things the wrong way - have I missed something? Or do others just not enable 2FA for such ‘bot’ accounts?


> so the credentials, token etc is not stored by any one member of our dev team.

Where do you store the credentials for this account then? Is it possible to store the 2FA codes there as well?

If you are storing the credentials inside of a password manager, you could consider storing the 2FA secret there as well. On one hand, this weakens security due to the fact that the password and the 2FA token are in separate places, so if your password manager gets hacked you’re done. However, the secret still isn’t transmitted over the network ever, so it still is a lot safer than just using a password, which seems to be the alternative.

So what did you end up doing?