Skip to main content
MyITCyberBack to home
← Insights·Access Security

Break Glass Accounts: Necessary, but Dangerous

·2 min read
Break glass emergency admin account illustration. In the center, a 'break glass account' box behind a cracked glass overlay holds a glowing amber emergency key labeled 'emergency access', with a 'break glass · use only in emergency' banner across the top and a small hammer attached by a chain. Tags below read 'powerful · last resort · not for daily use'. On the left, a 'when normal access fails' panel in amber lists three failure scenarios, identity services down, MFA not working, admins locked out. On the right, a 'why it is dangerous' panel in amber lists three risks, full admin power, attackers' dream, quiet when unwatched. Below, a 'safeguards · make the emergency key hard to steal' strip shows six equal pills: strong password, secure storage, limited ownership, monitoring, alerts on use, regular review, with a corner pill 'available when all else fails'.

Every organization needs a backup plan for access. When identity services are down, MFA is broken, or the regular admins are locked out, break glass accounts are how the company gets back in. The same accounts are also a dream target for attackers, which is why they need strong credentials, safe storage, limited ownership, monitoring, alerts on use, and a real review cadence, not a sticky note in a drawer.

Every organization needs a backup plan for access.

  • What happens if identity services are down?
  • What happens if MFA is broken?
  • What happens if the main admin accounts are locked out during an emergency?

This is why break glass accounts exist.

A break glass account is an emergency account used only when normal access methods are not available. It can help the organization recover control during a serious incident.

But this type of account is also dangerous.

Because it is powerful, attackers would love to find it. If it is not protected correctly, it can become the easiest way into the environment.

  • A break glass account should not be used for daily work.
  • It should not be shared casually.
  • It should not have a weak password.
  • It should not be ignored after it is created.

It needs clear rules.

  • A strong password and a strict storage process.
  • Limited ownership, only a few named people.
  • Monitoring on the account itself.
  • An immediate alert any time it is used.
  • Every use logged and investigated.
  • Regular review on a fixed cadence.

Some organizations also keep more than one emergency account, stored and monitored separately, so they are not dependent on a single point of failure.

The goal is simple.

Break glass accounts should be available when everything goes wrong, but protected so well that nobody uses them unless it is truly necessary.

// related reading
Two local-admin models compared. On the top-left, a 'permanent local admin' card in amber shows a laptop with a permanently lit amber 'admin' shield surrounded by four risk chips, install any software, change system settings, disable protection, run unknown tools, with footer pills 'no approval · no MFA · no review'. On the top-right, a 'just-in-time local admin' card in teal shows the same laptop where three app tiles sit on the screen but only one is elevated with a teal admin shield and a countdown timer reading '12:30', tagged '1 app · 15 min' with footer pills 'approved · MFA · auto-expires'. Between them, a small 'EPM' badge. Below, an 'EPM lifecycle · app elevation on the endpoint' panel shows six numbered stages connected by arrows: user (baseline) → app needs admin (request) → approve + MFA (verified) → app elevated · 15 min (scoped, highlighted) → audit log (every action) → auto remove (back to baseline), with a curved arrow returning to the start. At the bottom, a 'works across endpoints' strip shows three generic device illustrations labeled Windows, macOS, and Linux (no operating-system logos), with a 'temporary · visible · controlled' pill in the corner.
Access Security

Local Admin Rights Should Not Be Permanent

Privileged access is not only a cloud problem. While most security work focuses on admin roles in Microsoft 365, cloud platforms, firewalls, and servers, the local admin rights sitting on every laptop are often quietly forgotten. Endpoint Privilege Management replaces permanent local admin with controlled, per-app, time-limited elevation, so users keep working without the endpoint becoming the soft underbelly of the environment.

Read article
Two admin models compared. On the top-left, a 'standing admin' card in amber shows a user with a permanently lit crown and footer pills 'no expiry · no approval · no review'. On the top-right, a 'just-in-time admin' card in teal shows the same user with a teal crown attached to a small countdown timer reading '03:47', tagged 'admin · 4h' and 'requested · approved · auto-expires'. A small 'PIM' badge sits between them. Below, a 'PIM lifecycle · from request to expiry' panel shows six stages connected by arrows: user (baseline) → request (elevation ask) → approve + MFA (second person) → admin · 4h (time-limited, highlighted) → audit log (every action) → auto expire (back to user), with a curved arrow returning to the start, a labels strip reading 'requested · approved · MFA · time-limited · logged · reviewed', and a 'reduced standing privilege' pill in the corner.
Access Security

Privileged Identity Management: Admin Access Should Not Be Permanent

Admin access is one of the most sensitive things in any organization, yet many companies still treat it as something permanent. Permissions are granted and quietly stay. Privileged Identity Management flips the model, admin rights are requested when needed, approved, MFA-enforced, time-limited, logged, and reviewed. The goal is not to make work harder. It is to make admin access controlled, visible, and temporary.

Read article
Back to all insights