Why we only use personalized accounts ...
Does this sound familiar? Your online agency is supposed to set up a digital payment method such as Amazon Pay for your online store. So that they can retrieve the credentials for payment processing, you hand over your Amazon Pay account including its password, for the sake of simplicity, and the service provider configures your store accordingly. If you have experienced this or something similar, you are not yet working with personalized accounts and should definitely read on.
For access data, the rule is: security over (supposed) convenience
Many people see no problem with this, which is understandable at first glance: the original task has been completed, the online shop works, perhaps even brings in the planned revenue, and you as the customer are satisfied.
However, this approach carries a very high risk:
For one thing, your service provider gains insight into far more personal data than you are probably authorized to share at all. They could, for example, see the payments processed, including address data, or, even worse, information about payments that were rejected, for whatever reason. Unless they are supposed to analyze technical problems in a specific application, you are on extremely thin legal ice here. A shared password also carries the full rights of the account owner, leaves no record of who did what, and can only be revoked by changing it for everyone who knows it.
How you can easily solve the problem
Sharing the password is rarely necessary: almost all platforms offer the option of working with personalized accounts. With this principle, every person involved, whether in your company or at a participating technology partner, has their own account with their own password. Ideally, nobody knows a colleague's password. Depending on the system in which you create the accounts, you can also assign specific permissions, following the principle of least privilege. For example, only the business managers would be allowed to view transactions, the service provider may only access API credentials and the technical settings, and anyone not involved in the project gets no access at all.
Content management systems such as TYPO3 or blog software such as WordPress also offer fine-grained access control with roles and permissions. Bonus points go to those who manage access rights centrally across the company, e.g. with our extension oauth2.
Further advantage: Easy scalability in everyday work
Those who consistently work with personalized accounts gain further advantages: it is always possible to see who changed or viewed what. Staff turnover, whether within the company or at a partner, is also no problem. If employees leave, you simply block their accounts; new colleagues are given access just as quickly as they need it. In this way you also meet legal traceability and audit requirements in one go.
How can security be increased even further?
In addition to assigning personalized accounts, we also recommend, wherever the platform supports it, the use of two-factor authentication, or "2FA" for short.
Besides the password, this procedure requires a six-digit one-time code that is generated by a smartphone app such as Google Authenticator (a time-based one-time password, TOTP). The advantage is that access remains protected if the password alone falls into the wrong hands: to log in you always need both the password and the smartphone. The code changes every 30 seconds, so you have to look at the app again to find out the current one. Two caveats apply: the app and the server share a secret key, which must be protected like a password, and a code that is entered into a phishing page can still be replayed by the attacker within its short validity window, so 2FA complements, but does not replace, caution about where you type your credentials.
Two-factor authentication provides a very high level of protection while remaining very user-friendly. Experience has shown that users therefore adopt it quickly.