Using Shared Email Addresses on the Portal

This article explains why signing up to the Feesable Portal with a shared or group email address (e.g. “[email protected]” or “[email protected]”) is discouraged, and outlines the risks and complications that come with the practice.

1. Lack of Accountability and Traceability

When multiple users share the same email address, it becomes difficult to track individual actions performed in the administration portal. This can lead to several issues:

  • No Individual Accountability: When several people sign in with the same email address, there is no way to tell who performed a given action. The record shows the account, not the person, which matters most when a mistake has been made or a security incident is being investigated.
  • Audit Trail Complications: Many administration portals keep an audit log of user actions. With a shared account every entry is attributed to the same login, so the log cannot show which person did what; this weakens the user-specific audit trail that compliance reviews and incident investigations rely on.

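As an added illustration of the audit-trail problem (example code, not Feesable Portal code), the script below parses a constructed audit log and flags accounts that were active from more than one device at the same time, which is the usual fingerprint of a shared login. The log line format, the account names and the IP addresses are assumptions made for the example.

```python
"""Spot accounts that are probably shared, from a portal audit log.

Added example, not Feesable Portal code. The log line format, the account
names and the IP addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, account, source IP, user agent, action.
SAMPLE_LOG = """\
2024-05-01T09:00:12Z finance@example.edu 203.0.113.10 Chrome/124 login
2024-05-01T09:03:40Z finance@example.edu 203.0.113.10 Chrome/124 export_invoices
2024-05-01T09:04:05Z finance@example.edu 198.51.100.7 Safari/17 login
2024-05-01T09:05:30Z finance@example.edu 198.51.100.7 Safari/17 change_bank_details
2024-05-01T09:06:10Z finance@example.edu 203.0.113.10 Chrome/124 delete_fee_schedule
2024-05-01T10:15:00Z j.smith@example.edu 192.0.2.44 Firefox/125 login
2024-05-01T10:20:00Z j.smith@example.edu 192.0.2.44 Firefox/125 export_invoices
"""


def parse_log(text):
    """Parse the constructed format into dicts; 'device' is the (ip, ua) pair."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, ua, action = line.split(maxsplit=4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "device": (ip, ua),
            "action": action,
        })
    return events


def find_shared_accounts(events, window=timedelta(minutes=30)):
    """Return {account: set of devices} for accounts used from two or more
    distinct devices within `window` of each other. One person can switch
    devices, so this is an indicator to review, not proof of sharing."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # events are sorted, so later ones are further away still
                if a["device"] != b["device"]:
                    flagged.setdefault(account, set()).update({a["device"], b["device"]})
    return flagged


def devices_active(events, account, at, window=timedelta(minutes=30)):
    """Devices that used `account` in the `window` before `at`. For a shared
    account this is as far as attribution can go: the log names the login,
    never the person behind it."""
    return {e["device"] for e in events
            if e["account"] == account and at - window <= e["ts"] <= at}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for account, devices in find_shared_accounts(evs).items():
        print(f"{account}: {len(devices)} devices active concurrently -> likely shared")
    # Who deleted the fee schedule? Two devices were active on that login at the time.
    at = evs[4]["ts"]
    print("candidates:", devices_active(evs, "finance@example.edu", at))
```

In the constructed log, finance@example.edu is used from a Chrome session and a Safari session within minutes of each other, and the delete action can only be attributed to the login, not to either person. A single person switching between a laptop and a phone produces the same signal, so treat a hit as a prompt to ask the account holder rather than as proof of sharing.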

2. Increased Security Risks

Using shared email addresses increases security vulnerabilities and exposes sensitive information to greater risk:

  • Password Sharing: A shared email address almost always means a shared password, passed between staff by message or written down. If that password leaks, everyone who relies on it is affected at once, it is not possible to tell whose device or mailbox it leaked from, and rotating it means redistributing the new password to every person who uses the account.
  • Weak Authentication Controls: Multi-Factor Authentication (MFA) assumes that one person holds the second factor (an authenticator app or phone). With a shared account the second factor has to be shared as well, for example by circulating the same authenticator secret or routing codes through the group mailbox, which largely defeats its purpose, or one holder becomes a bottleneck for everyone else. Controls that key on an individual's usual device, location or IP address are blunted in the same way when several people use one login from different places.


3. Inconsistent User Experience and Notifications

Using a shared email address can lead to communication and operational challenges for users:

  • Lost or Overlooked Notifications: System notifications, alerts and password-reset or verification emails land in an inbox that nobody owns. Each recipient may assume someone else will act, so deadlines are missed, warnings go unaddressed, and security-relevant messages (a reset request that nobody asked for, for example) are not noticed.
  • Confusion in User Roles: Permissions are granted per login. With one shared login, everyone who uses it gets whatever access the most privileged member of the group needs, so least privilege cannot be applied and people end up with access to functions they should not have.


4. Compliance and Regulatory Concerns

In industries where compliance and regulatory requirements are strict (such as education), using shared email accounts can lead to non-compliance with various regulations:

  • Data Privacy Violations: Shared accounts widen the pool of people who can reach confidential information and remove any record of who actually accessed it, which is hard to reconcile with the access-control and accountability expectations of data privacy laws such as the General Data Protection Regulation (GDPR) or the Australian Privacy Principles (APPs).
  • Regulatory Reporting: Regulators and auditors often expect an organisation to show which individuals accessed sensitive information and when. A shared account cannot produce that record, so the organisation may be unable to demonstrate compliance even when nothing improper has occurred.


5. Challenges with Account Recovery and Ownership Verification

When a shared email address is used, it becomes difficult to manage account recovery and ownership:

  • Recovery Issues: Account recovery depends on proving who owns the account. When the registered address is a group mailbox, it is unclear who is entitled to reset the password or reclaim access, which delays restoration and creates an opening for anyone who still has mailbox access (a former staff member, for example) to take over the account.
  • Ownership Disputes: When several people have access to the same mailbox, disputes over who controls the Portal account can arise, especially when staff leave or change roles, and one person's access cannot be removed without changing the password for everyone else.


6. Best Practices

To mitigate these risks and ensure a secure, efficient user experience, we recommend the following best practices:

  • Unique User Accounts: Each user should sign up with their own email address and login. This provides accountability, allows security controls to be applied per user, gives a personalised experience, and lets an individual's access be removed cleanly when they leave.
  • Use of Role-Based Accounts: If multiple individuals require similar access, consider using role-based user permissions, where each user still has a unique login but inherits the permissions necessary for their role. The Feesable Portal currently allows for ‘Viewer’ and ‘Admin’ – more roles will be available in the future.
  • Enable Multi-Factor Authentication (MFA): MFA adds an additional layer of security by requiring more than just a password for account access, so a password that has leaked or been guessed is not enough on its own to sign in. It works as intended only when each account belongs to one person who holds the second factor.


Using shared email addresses to access the Portal poses significant risks related to accountability, security, compliance, and user experience. By ensuring each user signs up with an individual email address, organisations can enhance security, streamline operations, and maintain compliance with regulatory standards.

If you have any questions, feedback or to request changes, please contact [email protected].