What are break-glass account best practices?
Glassbreak Team · Published 2026-07-17
A safe break-glass account follows a short, consistent set of practices: restrict who can trigger it to a small named group, require more than one person's approval for anything high-value, grant access that's narrower and shorter-lived than routine access, log every trigger and approval — including denials — and store the underlying credential so no single person, including whoever runs the system, can read it alone. None of this is exotic. Teams that skip it usually don't do so on purpose; they just never got around to formalizing a process before an outage forced their hand.
The core practices
-
Name the trigger list, not just the account. Decide in advance exactly who can declare an emergency and initiate access — a small set of on-call responders or incident commanders, not "any manager." Everyone else should be limited to acknowledging or approving, never triggering.
-
Require quorum approval for anything high-value. For production credentials, root cloud access, or encryption keys, a single approver isn't enough. A threshold of independent people — two or more — should each have to approve before access is granted, so no individual account compromise or insider action is sufficient on its own.
-
Make emergency access narrower and shorter than routine access. It's tempting to grant broad access "just in case" during an incident. Do the opposite: scope the grant to exactly what the incident needs and set it to expire automatically rather than relying on someone remembering to revoke it later.
-
Log every trigger, approval, and use — including denials. A break-glass event that isn't logged didn't happen, as far as your next audit or incident review is concerned. Denied or abandoned requests are worth logging too; a pattern of failed attempts is itself a signal.
-
Store the credential so no single party can read it alone. This is the practice teams most often get wrong. A shared password in a password manager's admin vault, a secret in a spreadsheet, or a database row your own support staff could query are all single points of failure disguised as safeguards.
-
Test the procedure before an incident forces you to. Run a tabletop drill at least quarterly: trigger a real request, have approvers actually approve, and confirm access is granted and later revoked as designed. Expired approver credentials and stale runbook steps are common, quiet failure modes.
-
Rotate or review the credential after every real use. Even a legitimate break-glass event should end with a rotation (for a shared secret) or at minimum a review of what was accessed and why, closing the loop the same way you would after any other privileged access event.
Two mistakes that look like safeguards but aren't
A single admin who holds the master key "for emergencies." This is the most common failure pattern: a break-glass process built around trusting one person more than the rest of the team, rather than around a threshold of independent approvals. It works fine until that person is the one who's unavailable, compromised, or wrong.
A wide trigger list "so someone's always available." The instinct to widen access for coverage is understandable, but it converts a deliberate emergency path into a routine one. If ten people can trigger break-glass at any time, you've built a tenth password, not a controlled procedure.
How Glassbreak applies these practices
Glassbreak is built around this pattern rather than adding it on top. Break-glass secrets are split with threshold cryptography so recovering one requires a quorum of independent, authorized members to each approve — the server only relays already-encrypted material and never holds anything it could decrypt itself. You can read the specific algorithms and the threshold model on the security page. For teams that need approver identity bound to hardware rather than a phishable OTP, and time-boxed grants with a full exportable audit trail, the break-glass access management page covers the enterprise-oriented controls on top of that foundation. For the underlying vocabulary — what "break-glass" actually means and how quorum fits into it — see what is a break-glass procedure.
Getting started
You don't need an enterprise deployment to start applying these practices. Glassbreak's Free plan supports a single team, encrypted secrets, and quorum-based recovery today, with paid Team and Business plans adding unlimited teams, escalation rules, and audit logging (30 days on Team, 1 year on Business) as your process matures — see pricing for the specifics. The best time to write down your break-glass practices is before an incident makes you improvise them.
Frequently asked questions
- How many people should be able to trigger a break-glass account?
- As few as your team can operate with — usually a small, named set of on-call responders or incident commanders, not every manager or every engineer. Widening the trigger list is the single most common way teams quietly undo the safeguard, because a wide trigger list behaves like a shared password with extra steps.
- Does every break-glass account need quorum approval?
- It depends on the blast radius. A low-stakes credential with good logging may be fine behind a single authorized responder. Anything that reaches production data, root cloud access, or company-wide systems should require two or more independent approvers, so a single compromised or malicious account can't grant itself access.
- How often should a break-glass procedure be tested?
- At least once a quarter, and after any change to who holds approval rights or which systems the account reaches. A procedure nobody has exercised since it was written usually breaks in some small way — an expired approver credential, a renamed system, a runbook step that no longer matches reality — and an incident is the worst time to discover that.
- Should the same person who can trigger break-glass also be able to approve it?
- No. Separation between the person requesting access and the people approving it is the entire point of quorum-based break-glass. If a requester can also self-approve, or if a single admin holds both the trigger and the only approval, you've rebuilt a single point of failure with more paperwork around it.