Sharing Passwords the Safe Way in 2025 — And How Passkeys & 2FA Change Everything

The right way to share Wi-Fi, streaming, and other logins with people you trust — plus what passkeys and two-factor/multi-factor auth mean for sharing.

We all share a password now and then. Your guests need the Wi-Fi key. Your partner needs the council account. And sure, families still try to stretch one streaming plan. If you’re going to share, do it in a way that doesn’t leak the secret, and that you can revoke in seconds.

The short answer: use a password manager with built-in sharing, not email, texts, or screenshots. And because more sites now use passkeys and 2FA/MFA, you’ll want to know what you can share, what you shouldn’t, and what to set up instead.


TL;DR

  • Best method: share through a password manager (single-use link or shared vault/folder).
  • Avoid: texting, emailing, or pasting passwords in chats.
  • Passkeys: you can’t “tell” someone a passkey. Either add them as a user on the account, share the passkey using a manager that supports it, or set up their own login.
  • 2FA/MFA: don’t forward one-time codes. Use shared TOTP in the manager, hardware keys with multiple keys enrolled, or app-based approvals that support more than one device.
  • Always: set permissions, expiry, and keep a revoke button one tap away.

Why a Password Manager Beats Every Other Method

A good manager lets you:

  • Share one item once with a single-use link (expires automatically).
  • Share a folder/vault for ongoing stuff (home utilities, school logins).
  • Set view-only or no-export rights so the other person can use the login without copying it out.
  • Add expiry dates and revoke access on the spot.
  • Include the TOTP code for sites that use app-based 2FA (more on this below).

Managers like Bitwarden, 1Password, Proton Pass, Dashlane, Keeper, NordPass and others all have some mix of these. The exact names differ, but the idea is the same.

Do not: send passwords by SMS, email, or a messaging app. Those stick around, get forwarded, and are easy to screenshot.


Passkeys 101 (and Why Sharing Works Differently)

Passkeys replace passwords with a key pair stored on your device(s). Your phone or laptop proves “it’s you” using Face/Touch ID or a PIN. There’s no password string to read out loud or paste.

What this means for sharing:

  • You can’t tell someone your passkey. It’s not a phrase; it lives on your device(s).
  • Some managers and platform vaults now support passkey sharing inside a shared vault/group. If both sides use compatible apps, this can work well.
  • If passkey sharing isn’t supported, add the other person as a user on the service (family plan, team seat, or guest access). They get their own passkey.
  • For services that only allow one user, you may need to keep a traditional password (plus MFA) for shared access, or switch to a plan that supports multiple users.

Good rule of thumb: share access, not secrets. With passkeys that usually means adding people as users rather than passing around “the” key.


2FA/MFA: What Actually Works When You Share

Two-factor (2FA) and multi-factor (MFA) are great until you try to share an account and the code lands on one person’s phone. Here’s a quick matrix:

| Factor Type | Can You Share? | How to Do It Safely | What to Avoid |
| --- | --- | --- | --- |
| TOTP app code (Authy, Aegis, built-in manager) | Yes | Store the TOTP secret with the login inside a shared vault so everyone gets the rolling 6-digit code | Sending the QR/secret by chat or email |
| Push prompt (app asks “Approve?”) | Sometimes | Add more than one device/account as an approver, or use the service’s family/team features | Forwarding screenshots of “Approve?” prompts |
| SMS code | Technically | Switch to TOTP or security keys. If you must, use a dedicated number not tied to banking and lock the SIM with a PIN | Using a personal SIM that’s at risk of SIM-swap |
| Backup codes | With care | Store in a separate shared item with view-only access and no export; rotate after use | Stashing in email drafts or cloud notes |
| Security keys (FIDO2/WebAuthn, like YubiKey) | Yes, with planning | Enroll at least two keys on the account. Give each person their own key. Keep one spare in a safe place | Sharing a single key hand-to-hand with no backup |
| Passkeys | Yes, but different | Either share via a manager that supports passkeys or add them as a user so they create their own passkey | Trying to copy a passkey like a password (you can’t) |

Tip: for long-term shared accounts, aim for TOTP in the shared vault or multiple hardware keys enrolled. Both are steady and don’t depend on one person’s phone number.
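
Why shared TOTP works while a forwarded code does not, as an added example that is not part of the original article: an RFC 6238 code is computed only from the secret and the clock, so everyone holding the secret in the vault gets the same code, and a code read off someone else's screen goes stale at the next 30-second step. The function names are illustrative, and the secret is the RFC 6238 test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct

def _key(secret_b32: str) -> bytes:
    """Decode a Base32 secret as vaults display it (spaces, lowercase, no padding)."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the secret and the clock."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(_key(secret_b32), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32: str, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept codes from `window` steps either side of `at`."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + d * step, step), code)
        for d in range(-window, window + 1)
    )

# Constructed sample: the RFC 6238 test key, Base32-encoded like a vault entry.
SHARED_SECRET = base64.b32encode(b"12345678901234567890").decode()

def demo() -> dict:
    # Two vault members hold the same secret, displayed in different formats.
    alice = SHARED_SECRET
    bob = " ".join(SHARED_SECRET.lower()[i:i + 4] for i in range(0, 32, 4))
    t = 1111111109                               # RFC 6238 test time, end of a step
    return {
        "alice": totp(alice, t),
        "bob": totp(bob, t),
        "same_step_ok": verify(alice, totp(bob, t), t, window=0),
        # Two seconds later the 30-second step has rolled over.
        "next_step_strict": verify(alice, totp(bob, t), t + 2, window=0),
        "next_step_tolerant": verify(alice, totp(bob, t), t + 2, window=1),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the code is derived from the secret, anyone who obtains the QR/secret can generate valid codes indefinitely, which is why it belongs in the vault and never in chat or email.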


Pick the Right Share for the Job

| Situation | Best Approach | Why |
| --- | --- | --- |
| Guest Wi-Fi | Put the Wi-Fi password in a QR code and print it, or share a single-use link from your manager | Easy, no typing, and you can rotate later |
| One-off login (parcel, school portal) | Single-use share with expiry | They get in once; you don’t leave a trail |
| Household utilities | Shared vault with view-only and no-export | Everyone can pay bills without copying secrets |
| Streaming account | Check the ToS. If you still share, use a shared vault and enable TOTP in-vault | You can revoke fast if things go sideways |
| Business or group | Don’t share logins. Use team seats and per-user access | Clear audit trail, easy off-boarding |

Set It Up (Once) and Save Yourself Headaches

  1. Choose a manager that supports: single-use links, shared vaults, per-item permissions, and TOTP.
  2. Create a “Shared” vault/folder for the right people.
  3. Add items with titles people understand (no mystery labels).
  4. For 2FA, store TOTP with the login or enroll multiple hardware keys.
  5. Set view-only and no-export rights where it makes sense.
  6. Use expiry for temporary shares.
  7. Test a revoke so you know how fast you can pull access.
  8. Turn on emergency access / digital legacy for your closest contact.

Red Flags (and Safer Swaps)

  • “Text me the code” → Add them as an MFA approver or move to shared TOTP.
  • “Can you email the password?” → Send a single-use share link with expiry.
  • “I’ll just screenshot it” → Use view-only access so they can auto-fill but not copy.
  • “We only have one key” → Enroll two or more security keys and label them.

Passkeys + Families: What to Expect

Passkey support is getting better in managers and platform vaults. Family features now often allow:

  • Shared collections that include passkeys, not just passwords.
  • Per-person device syncing so everyone’s Face/Touch ID works.
  • Easy removal when someone leaves the group.

If your setup doesn’t support this yet, fall back to per-user accounts on the service or keep a password + TOTP flow for now.


Digital Legacy (Without Turning Your Vault Inside Out)

If something happens to you, someone you trust should be able to shut down accounts and protect the household from scams.

  • Enable your manager’s emergency access and choose a wait period (for example, three days).
  • Share only what they’ll need in a legacy folder (banking, utilities, key emails).
  • Keep backup codes and one spare security key labeled and stored safely.

Quick Do/Don’t List

Do

  • Share through your manager, not chats or email
  • Use view-only, no-export, and expiry
  • Store TOTP with the login or enroll multiple keys
  • Keep a revoke playbook

Don’t

  • Send passwords or codes in plain text
  • Rely on SMS for shared accounts
  • Leave backup codes in inboxes
  • Share anything that breaks the service’s terms (your call, your risk)

And that’s it. Share when you have to, but keep control. With a decent manager, a plan for passkeys, and MFA set up the right way, you can help the people you trust without handing attackers a free pass.