Break-glass / PAM-adjacent

Emergency privileged access that auditors actually like.

Time-boxed, quorum-gated access to the credentials you keep locked away — production root, certificate authorities, DR keys — with WebAuthn at the door and an immutable record of every grant. Separation of duties that holds up under a SOX, ISO 27001, or SOC 2 review.

T-of-N: quorum enforced in the database (T ≥ 2)
WebAuthn: phishing-resistant approver identity
0 standing privileged entitlements
100% of grants on the immutable timeline

The problem with most break-glass

Break-glass is usually a shared password in a sealed envelope, a vault item one admin can open, or a ticket that grants standing access nobody remembers to revoke. Each is the same finding in an audit report: no separation of duties, phishable authentication, and a trail you have to reconstruct after the fact. The credential is the most dangerous one you hold, and it is the one guarded the least well.

How Glassbreak break-glass works

Each card pairs the operational pressure with the concrete mechanism. The cryptography is documented on the security page.

T-of-N quorum approval

The pressure

A single privileged account that one person can unlock is a single point of compromise and a single point of audit failure. Auditors want separation of duties on the most dangerous credentials, not a shared password.

Glassbreak supplies

Break-glass secrets are split T-of-N, with T ≥ 2 enforced by a database CHECK constraint — not just application logic. An approver decrypts their share locally and re-encrypts it for the requester; the platform never holds a usable key. No individual, including a Glassbreak operator with full database access, can unlock content alone.

WebAuthn / passkey at the door

The pressure

OTP and push-prompt MFA are phishable and fatigue-prone. For the credentials that matter most, approver identity has to be bound to hardware.

Glassbreak supplies

Approvals are gated by WebAuthn — a hardware-backed passkey or security key. The assertion is phishing-resistant and origin-bound: the authenticator signs only for the relying party it was registered to, so a look-alike domain cannot obtain a valid approval, and the signature cannot be produced without the private key held in hardware. A quorum of WebAuthn approvals is the strongest practical assurance that the right humans authorised the grant.

Time-boxed, auto-expiring grants

The pressure

Standing privileged access is the finding auditors love to write up. Access granted for an incident and never revoked becomes tomorrow’s breach path.

Glassbreak supplies

Every grant is time-boxed with automatic expiry. Access exists for the window the quorum authorised and then revokes itself. Just-in-time by construction — there is no standing entitlement to forget about.

Full, immutable audit trail

The pressure

When the access review or the post-incident report comes, you need to answer who requested, who approved, what was reached, and when — without reconstructing it from logs scattered across systems.

Glassbreak supplies

Every request, approval, WebAuthn assertion, grant, and revoke is recorded with cryptographic integrity and exported as PDF or JSON. The break-glass timeline is the evidence — for the board, the auditor, or the supervisory authority.

Quorum that reaches the approvers

The pressure

A break-glass policy that depends on Slack being up fails at exactly the moment you need it. Approvers must be reachable when the primary stack is part of the outage.

Glassbreak supplies

Approval requests fan out over multi-channel emergency delivery — SMS, email, push, voice fallback — with acknowledgement tracking. The quorum forms even when your corporate chat is degraded.

Recovery-plan integration

The pressure

Break-glass access is rarely an end in itself. It is step three of a recovery runbook — and the runbook should drive the grant, not a separate ad-hoc request.

Glassbreak supplies

Break-glass secrets are referenced directly from runnable, checkable playbooks. A recovery step requests exactly the credential it needs, under the quorum policy that step requires, with the whole run captured in one audit timeline.

Mapped to the controls auditors test

The same quorum-and-audit primitives produce evidence across the frameworks an enterprise is assessed against. See the broader alignment for SOC 2 and ISO 27001.

SOX

ITGC — access to financially-relevant systems

Quorum approval enforces segregation of duties on privileged access; the immutable trail evidences who approved each grant for the IT general controls testing your external auditor performs.

ISO/IEC 27001:2022

A.5.15 / A.5.16 / A.5.18 — access control & privileged rights

Time-boxed, quorum-gated grants and clean revocation map to the privileged access management and access-rights review controls. Cryptography (A.8.24) and logging (A.8.15) are evidenced by the same trail.

SOC 2

CC6.1 / CC6.2 / CC6.3 — logical access

Least-privilege, just-in-time elevation, and authorisation of access map to the common-criteria logical access controls; the audit export feeds straight into your Type II evidence.

HIPAA Security Rule

164.312(a)(2)(ii) — emergency access procedure

A defined break-glass procedure with quorum approvals and per-actor accountability is exactly the emergency access procedure the Security Rule requires for systems handling protected health information.

NIST CSF 2.0

PR.AA — identity management & access control

WebAuthn authentication, quorum authorisation, and time-boxed entitlements map directly to the Protect function’s authentication and access-control outcomes.

PCI DSS 4.0

Req. 7 & 8 — access control & strong authentication

For operators in scope of a cardholder data environment, role-separated quorum access and phishing-resistant authentication support the related access-control and MFA requirements.

PAM-adjacent, not a PAM rip-and-replace

Keep your PAM for day-to-day session brokering and rotation. Glassbreak is the resilience layer on top: the multi-party, hardware-gated, audit-grade path you reach for when the action is dangerous enough to require a quorum — or when the PAM itself is part of the outage. It runs on independent verticals so the break-glass path survives a single-cloud failure.

Frequently asked questions

Is Glassbreak a PAM tool?

It is PAM-adjacent. Glassbreak focuses on the break-glass case — emergency, quorum-gated access to the credentials you keep locked away — rather than day-to-day session brokering and password rotation for every privileged account. Run it alongside your PAM as the resilience layer: when the PAM itself is degraded, or when the action is dangerous enough to demand multi-party approval, break-glass through Glassbreak.

What does T-of-N mean for break-glass access?

A secret is split into N shares, and any T of them are required to reconstruct it, with T ≥ 2 enforced by a database constraint. For example, 3-of-5 means three of five approvers must each authorise before the requester can decrypt. No single person — and no Glassbreak operator — can unlock the credential alone.
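The two claims above and in the T-of-N quorum card, that the secret is split so any T of N shares reconstruct it and that T ≥ 2 is refused by the database rather than only by application code, can be made concrete. The following is an added example, not Glassbreak's own code: it implements Shamir secret sharing over a prime field (the prime, the share encoding and the table layout are assumptions for illustration) and models the policy table with an in-memory SQLite CHECK constraint. The per-approver decrypt-and-re-encrypt step the card describes is out of scope here; only the arithmetic and the constraint are shown.

```python
import secrets
import sqlite3

# Field prime for the Shamir polynomial. 2**127 - 1 is a Mersenne prime; any prime
# larger than the largest secret value works. (Assumed for this example.)
P = 2**127 - 1


def threshold_is_valid(t, n):
    """Application-side mirror of the database rule: 2 <= T <= N."""
    return 2 <= t <= n


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo P, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, t, n):
    """Split `secret` into n shares (x, y); any t of them reconstruct it."""
    if not threshold_is_valid(t, n):
        raise ValueError("threshold must satisfy 2 <= T <= N")
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    # Random polynomial of degree t-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange-interpolate the supplied shares at x = 0 to recover the constant term.
    With fewer than T shares the result is a field element unrelated to the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def open_policy_db():
    """In-memory SQLite policy table (assumed schema) with T >= 2 enforced by a CHECK constraint."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """
        CREATE TABLE break_glass_policy (
            secret_id   TEXT PRIMARY KEY,
            threshold   INTEGER NOT NULL,
            share_count INTEGER NOT NULL,
            CHECK (threshold >= 2 AND threshold <= share_count)
        )
        """
    )
    return db


def create_policy(db, secret_id, t, n):
    """Insert a T-of-N policy row; returns False when the database rejects it."""
    try:
        with db:
            db.execute(
                "INSERT INTO break_glass_policy (secret_id, threshold, share_count) VALUES (?, ?, ?)",
                (secret_id, t, n),
            )
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = open_policy_db()
    print("1-of-3 accepted?", create_policy(db, "prod-root", 1, 3))  # rejected by the CHECK
    print("3-of-5 accepted?", create_policy(db, "prod-root", 3, 5))
    shares = split_secret(int.from_bytes(b"root-pw-demo", "big"), 3, 5)  # constructed secret
    print("3 shares:", reconstruct(shares[:3]).to_bytes(16, "big").lstrip(b"\0"))
    print("2 shares give the secret?", reconstruct(shares[:2]) == reconstruct(shares[:3]))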
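```

Even a caller that bypasses `threshold_is_valid` cannot store a 1-of-N policy, because the row never reaches the table; that is the property the card means by "not just application logic".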

Why WebAuthn instead of OTP or push approval?

WebAuthn passkeys are hardware-backed and origin-bound, so they resist phishing and MFA-fatigue attacks that OTP and push prompts do not. For emergency privileged access, the assurance that the right humans approved has to be as strong as the credential is dangerous.
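What "origin-bound" means in practice, for this answer and for the WebAuthn card above, is a set of relying-party checks on the assertion before the signature is even examined. The following added example (not Glassbreak code; the relying-party ID, origin and sample inputs are constructed for illustration) applies those checks to a passkey approval and shows a look-alike origin, a replayed challenge, a wrong relying party and a non-increasing signature counter all being refused. Signature verification over the returned `signed_message` with the approver's registered public key is a separate step that needs a COSE/ECDSA library and is not performed here.

```python
import base64
import hashlib
import json
import struct
from dataclasses import dataclass

# Relying party the approver's passkey was registered to (assumed for this example).
RP_ID = "glassbreak.example"
EXPECTED_ORIGIN = "https://glassbreak.example"

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric)


@dataclass
class AssertionCheck:
    ok: bool
    reason: str
    signed_message: bytes = b""  # authenticatorData || SHA-256(clientDataJSON)
    counter: int = 0


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion(client_data_json, authenticator_data, expected_challenge, last_counter):
    """Relying-party checks that bind a passkey assertion to our origin and challenge."""
    try:
        cd = json.loads(client_data_json)
        challenge = _b64url_decode(cd.get("challenge", ""))
    except ValueError:
        return AssertionCheck(False, "clientDataJSON is malformed")
    if cd.get("type") != "webauthn.get":
        return AssertionCheck(False, "type is not webauthn.get")
    if challenge != expected_challenge:
        return AssertionCheck(False, "challenge mismatch: stale or replayed assertion")
    if cd.get("origin") != EXPECTED_ORIGIN:
        # A phishing site on another domain cannot make the browser emit our origin.
        return AssertionCheck(False, f"origin mismatch: {cd.get('origin')!r}")
    if len(authenticator_data) < 37:
        return AssertionCheck(False, "authenticatorData too short")
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    counter = struct.unpack(">I", authenticator_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return AssertionCheck(False, "rpIdHash does not match the relying party")
    if not flags & FLAG_UP:
        return AssertionCheck(False, "user presence flag not set")
    if not flags & FLAG_UV:
        return AssertionCheck(False, "user verification required for break-glass approval")
    if (counter or last_counter) and counter <= last_counter:
        return AssertionCheck(False, "signature counter did not increase: possible cloned authenticator")
    signed = bytes(authenticator_data) + hashlib.sha256(client_data_json).digest()
    return AssertionCheck(True, "ok", signed, counter)


def make_client_data(origin, challenge):
    """Constructed clientDataJSON, shaped as a browser emits it for navigator.credentials.get()."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()


def make_auth_data(rp_id, flags, counter):
    """Constructed authenticatorData: rpIdHash (32) || flags (1) || signCount (4, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


if __name__ == "__main__":
    challenge = b"\x11" * 32  # constructed server-issued challenge
    good = verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                            make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 42), challenge, 41)
    phish = verify_assertion(make_client_data("https://glassbreak-login.example", challenge),
                             make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 43), challenge, 41)
    print("legitimate:", good.ok, good.reason)
    print("look-alike origin:", phish.ok, phish.reason)
```

The origin check is what an OTP or push prompt cannot offer: a one-time code typed into a look-alike page is valid anywhere, whereas the assertion above carries the origin the browser saw and is only accepted for the registered one.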

How do time-boxed grants prevent standing access findings?

Each grant carries an expiry set when the quorum approves it. When the window closes the access revokes automatically, so there is no lingering entitlement for an access review to flag. Privileged access exists just-in-time and only for the authorised window.

What evidence does an auditor get?

An exportable, cryptographically-integrity-protected timeline: who requested, which approvers authorised, the WebAuthn assertions, the grant, the systems reached, and the revoke — as PDF or JSON. It maps to SOX ITGC, ISO 27001 access controls, and SOC 2 CC6 without manual reconstruction.

Show your auditor the timeline

Book a demo to walk a quorum-gated break-glass grant end-to-end against your control set, or start free and configure a T-of-N secret with WebAuthn approvers yourself.

Glassbreak does not provide legal advice. Control mappings describe the technical and operational artefacts the platform can produce; they do not assert certification. Customers should confirm applicability with qualified counsel and their compliance functions.

This page is provided for transparency and does not constitute legal advice.
