43 Hardware-key break-glass super-admin
The 20 Break-glass admin + offline backup codes account's second factor is a hardware security key that lives in a sealed safe — never in a drawer, never in daily use. Registering the key is the easy part: the control is the custody around it, so the key is removed only in a witnessed ceremony and any authentication with it fires an alert, because an account nobody uses has no legitimate sign-in.
Documentation: Security best practices for administrator accounts ↗ · Manage a user's security settings ↗
Caveats
This is a process control — it is carried out offline, so there is no Admin Console walkthrough to show.
Ongoing maintenance
- requires a human Quarterly: repeat the retrieval-and-sign-in drill; check seal integrity between drills.
How to verify
Run the drill: retrieve the sealed key, sign in with it, confirm super-admin access, then re-seal. Log the drill with witnesses per the custody rules.
v0.0.2Prevent policy #17 · #13 ↗