If nothing else, the hack Wednesday evening of high-profile Twitter accounts should teach us that giving employees the ability to bypass normal controls and make changes to user accounts might be more dangerous than it's worth. That's apparently how we came to see Barack Obama, Elon Musk, and Joe Biden asking for Bitcoin handouts, and then have their accounts locked down completely.
Sure, it makes sense that a customer support person would need access to administrative features. If, for example, customers lock themselves out of their accounts or have another issue, it helps to be able to actually provide support.
Or, in Twitter's case, there are people who need to be able to do things like review content and issue temporary bans on accounts that violate company policies. But, and this is an important point, sending a password reset message to the email address on file isn't the same as having the ability to change that email address altogether, or the ability to turn off multifactor authentication. That may seem like a minor distinction, but it's actually the entire point.
Almost every cloud software platform has some form of administrative control over user accounts. But, and I think this is really the question at the moment: Who exactly should be able to access this "God mode"?
Maybe it makes sense for the CEO or the head of customer support to have some advanced level of access. Honestly, though, what CEO has time to be dealing with password-reset requests? As a result, someone else is going to have the ability to manage user accounts, but ultimately you have to ask yourself who should have that access, and what it actually allows them to do.
The trade-off is between convenience and security. Having this sort of overarching ability to control user accounts sometimes means it's easier to solve problems for either the customer or for your company. At the same time, that means that you have chosen to create a point of failure in terms of security.
For example, if I forget my iPhone passcode and I'm not able to use FaceID or TouchID (perhaps because I restarted my device), there isn't anyone at Apple who can recover it for me. There's no backdoor to reset it. There's no God mode.
In that case, according to Apple:
"If you backed up your iPhone, you can restore your data and settings after restoring your iPhone. If you never backed up your iPhone before you forgot your passcode, you won't be able to save the data on your iPhone."
Even doing that requires that I can connect my iPhone to my Mac. All of that may be inconvenient, but it means that no one else can access my device without the passcode. My iPhone is secure, and not even someone at Apple can get to my stuff.
If, on the other hand, one employee can log in to your system and override all of the security measures meant to protect your customers and their personal information, you have a very big problem. And that's not just true for platforms like Twitter. Even if your business is a boutique retail store, do your employees need access to the payment or personal information of your customers?
Even if you believe your employees are trustworthy, the very fact that such access exists means that you are creating a weakness in your security that can be exploited.
Which brings us back to Twitter. That is apparently exactly what happened this week, and it's a lesson to which every business should be paying attention. Having internal systems that allow for control and access might seem like a reasonable thing until you realize that it makes you vulnerable to what was most certainly Twitter's worst-case scenario.
No matter how much you trust your employees, it's always better to err on the side of security, even when it's less convenient.