Every December, inboxes fill with “urgent” alerts, tempting bargains, password resets and scam emails dressed up as legitimate deals. Yet many UK small businesses still share a single login with their VA, and the busy December season makes it worse: owners are racing to finish client work before the holidays, assistants are helping from multiple devices, locations and time zones, and login security quietly falls apart.
And nothing causes more chaos, blame or financial loss than one thing:
shared logins.
If you’re a Virtual Assistant, OBM, bookkeeper or web designer, you’ve lived this: the client gives you their login and password, the 2FA code pings their phone at the worst possible moment, they forward it to you, and you both hope the system doesn’t log you out halfway through.
If you’re the client, you just want someone to “get on with it” without buying extra software seats or spending an afternoon navigating a platform’s user management menu.
But here’s the uncomfortable truth:
Sharing logins creates data privacy risks, audit trail problems and real-world financial loss — especially in the December–January period when scammers are most active.
This guide explains why, what can go wrong, and what both assistants and clients can realistically do to make delegation safer without breaking the bank or the relationship.
Why so many small businesses still share logins
Small business owners don’t wake up wanting to break security rules. They share logins because:
1. Additional user seats are expensive
Many starter plans — especially accounting, CRM and payment tools — don’t include multiple users unless you upgrade.
2. They assume it’s harmless
Plenty of small businesses think “it’s only me and my VA” or “we’ve always done it this way”.
3. LastPass (or similar) feels like a magic shield
Password managers are helpful for storing and sharing a password safely, but the platform you log into still sees one user. They don’t give the assistant a distinct identity on that platform or an audit trail of who did what there.
4. They don’t know multi-user roles exist
Some platforms hide user-role features in confusing menus or put them behind paywalls. Others are using software licensed for personal use only, which simply doesn’t offer additional users.
5. They’re overwhelmed
In December, everyone’s tired and behind on admin. “Just use my login” feels quicker than sorting out proper access.
It’s understandable — but it’s risky.
The real problems caused by shared logins
Shared logins aren’t simply “a bit messy”. They create structural problems that affect:
- data privacy
- accountability
- breach investigations
- fraud claims
- your working relationship
1. No identity separation
If two people share a login:
- the system can’t distinguish who did what
- every action is logged as the client
- even obvious VA actions look like the client’s activity
- no one can evidence who changed what, or when
That’s a GDPR problem: accountability is a core principle (Article 5(2)), and the security measures Article 32 expects include being able to control and evidence who has accessed personal data.
2. No reliable audit trail
If a mistake, breach, or dispute occurs, you cannot determine:
- who logged in
- from which device
- who made specific changes
- who altered sensitive or financial data
This matters whether you’re dealing with:
- customer database edits
- website settings
- payment processor configurations
- accounting entries
- email marketing lists
3. Assistants can be unfairly blamed
When everything appears as the client’s activity, it’s very easy for:
- a platform to assume the client is responsible
- a client to assume the assistant caused the problem
- disputes to become personal
- trust to evaporate
Even when the assistant was nowhere near the platform at the time.
4. Shared logins weaken breach investigations
If personal data is involved:
- you cannot tell whether a breach came from the client, assistant, attacker, or all three
- you cannot report accurately to the ICO (a reportable breach must be notified within 72 hours, which leaves no time to reconstruct who did what)
- you cannot prove due diligence
- you cannot meaningfully fix the problem
Which brings us to the financial side…
5. Shared logins encourage people to turn off 2FA entirely
This is the quiet disaster no one talks about.
When one login is shared between a client and an assistant:
- 2FA codes go to the wrong person at the wrong time
- tasks are held up because someone is in a meeting, on holiday, or walking the dog
- codes expire
- people resend them endlessly
- everyone gets irritated
Eventually, someone says the fatal words:
“This would be easier if we just turned 2FA off.”
And they do.
The moment that happens:
- account takeover risk spikes dramatically
- scammers have a much easier job
- financial data becomes vulnerable
- breach detection becomes almost impossible
- the assistant is suddenly operating in a high-risk environment they didn’t create
- the client is no longer meeting their own data privacy responsibilities
Turning off 2FA doesn’t just make access easier — it removes the very thing that stops casual fraud becoming catastrophic loss.
Shared logins don’t just weaken security.
They motivate people to dismantle it.
When shared logins cause real financial loss
A recent case is the perfect illustration.
A friend discovered that someone had accessed a platform she uses to receive payments and silently changed the payout bank account. Payments went elsewhere for weeks.
She eventually got her money back — only because the audit logs proved she wasn’t the person who made the change.
If multiple people had been using the same login?
She would have had:
- no evidence
- no audit trail
- no “this wasn’t me” defence
- and no compensation
Shared logins destroy the ability to challenge fraudulent activity. Set against the cost of another seat on your software platform, the loss at that point is enormous. It’s like leaving your car unlocked because you didn’t want to pay for a spare key, then finding the insurer won’t pay out when it’s stolen.
Why 2FA doesn’t solve the problem
Many people think two-factor authentication (2FA) fixes everything.
It does not.
Here’s the normal workflow for people sharing logins with 2FA turned on:
- client gives assistant the login
- 2FA code goes to the client’s phone
- client forwards the code
- assistant logs in and continues
This protects access, but not identity.
The platform still sees all actions as being done by one user — usually the client.
Which means:
- no accountability
- no reliable audit trail
- no ability to prove who made a change
- and still no grounds for compensation if things go wrong
It also creates a bottleneck: both people must be available at the same moment, which is wildly inefficient. When everyone is busy, 2FA simply gets turned off to avoid the repeated requests and the stress. Perfect for scammers.
The trouble with sharing logins with a VA is that the system has no idea who is actually making changes
December is peak danger season
Between Black Friday and New Year:
- scam volume spikes
- people work from unfamiliar devices and networks
- assistants cover for absences
- owners are distracted
- “urgent” scam messages become more convincing
- rushed login sharing becomes the norm
It’s the perfect time for:
- payment redirection
- account takeover
- fraudulent purchases
- unexpected password resets
- suspicious login attempts that go unnoticed
Shared logins make all of this harder to detect and impossible to untangle.
How to stay secure when sharing logins with a VA (what VAs and OBMs can realistically do)
No VA can say, “I won’t work with you until you have perfect systems.”
Clients would simply find someone less cautious.
So here are the realistic, relationship-friendly steps that work.
1. Explain the risk in simple terms
One sentence works wonders:
“When everyone logs in as you, the system can’t tell who did what — and if anything goes wrong, you have no way to prove it wasn’t you.”
People understand that instantly.
2. Ask for delegated access where available
Where platforms allow for:
- assistant roles
- limited access
- content-only access
- bookkeeping roles
- team accounts
- restricted permissions
…you can request them in line with the client’s own data-privacy obligations.
It’s safer and usually more efficient.
3. If shared logins are unavoidable, use a safer structured workflow
In the real world, some platforms refuse to offer team access unless you pay.
When that happens, you can still improve safety by agreeing:
- assistant doesn’t save the password in a browser or on their own devices
- password shared only via secure means (a password manager’s sharing feature, never email, text or chat)
- client handles 2FA codes promptly
- assistant schedules tasks that require 2FA so the client knows when to expect a code
- all changes to financial details handled directly by the client
- assistant keeps a simple private “changes log” (what was changed, where and when) for clarity
- client turns on bank or system alerts for suspicious activity
It doesn’t create a perfect audit trail — but it does prevent chaos.
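As an added illustration (not part of the original article and not KoffeeKlatch’s own material), here is a small Python script for the private “changes log” in the list above, taken one step further than the page describes: each entry is hash-chained to the one before, so a later edit to the file can be detected. The actor, platform, client, sample entries and field names are constructed assumptions for illustration.

```python
"""Tamper-evident 'changes log' for an assistant working under a shared login.

Added example, not from the original article. Each entry records which
assistant acted, on which platform and for which client, what was changed and
when. Entries are chained with SHA-256 so that altering or removing an earlier
entry breaks every hash after it. Field names are assumptions for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain head used before the first entry exists


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record always
    # produces the same hash regardless of dict ordering.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(log: List[dict], actor: str, platform: str, client: str,
                 action: str, detail: str, when: Optional[str] = None) -> dict:
    """Append one change record to the in-memory log and return it."""
    record = {
        "seq": len(log) + 1,
        "when": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "platform": platform,
        "client": client,
        "action": action,
        "detail": detail,
    }
    prev = log[-1]["hash"] if log else GENESIS
    entry = {**record, "prev": prev, "hash": _entry_hash(prev, record)}
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Tuple[bool, Optional[int]]:
    """Recompute every hash in order. Returns (ok, seq of first bad entry)."""
    prev = GENESIS
    for entry in log:
        record = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, record):
            return False, entry["seq"]
        prev = entry["hash"]
    return True, None


def save_log(log: List[dict], path: str) -> None:
    """Write the log as one JSON object per line (append-friendly format)."""
    with open(path, "w", encoding="utf-8") as f:
        for entry in log:
            f.write(json.dumps(entry, sort_keys=True) + "\n")


def load_log(path: str) -> List[dict]:
    with open(path, encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def demo() -> dict:
    """Constructed sample session, then a retrospective edit that the chain catches."""
    log: List[dict] = []
    append_entry(log, "assistant@example.test", "Accounts platform", "Client A",
                 "edit", "Updated invoice template footer",
                 when="2025-12-03T09:14:00+00:00")
    append_entry(log, "assistant@example.test", "Accounts platform", "Client A",
                 "reconcile", "Matched 12 November transactions",
                 when="2025-12-03T09:40:00+00:00")
    intact, _ = verify_chain(log)

    # Someone later rewrites entry 1 to claim a payout change was made.
    tampered = [dict(e) for e in log]
    tampered[0]["detail"] = "Changed payout bank account"
    tampered_ok, bad_seq = verify_chain(tampered)
    return {"intact": intact, "tampered_ok": tampered_ok,
            "bad_seq": bad_seq, "head": log[-1]["hash"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain only proves that the file was not edited after the fact if someone other than the assistant holds an earlier chain head, so send the latest `hash` value to the client in the end-of-session handover note; they then have an independent anchor to check against. This is the assistant’s own record, not the platform’s audit log, and it does not change what the platform attributes to the client’s account.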
4. Use your contract to set expectations (not police systems)
This matters for both clients and assistants.
KoffeeKlatch contracts don’t force your client to provide unique logins or upgrade their software.
But they do give you:
- written data processing instructions (via the Data Processing Form)
- a way to request safe access
- a place to attach security standards
- a framework for refusing unlawful instructions
- clarity on responsibilities when the client chooses an insecure method
Your role is to follow the client’s instructions safely — not to rebuild their IT infrastructure.
5. Refuse only the riskiest tasks
If a client wants you to:
- reset a bank login
- change payout details
- bypass 2FA
- access government portals under their identity
- alter financial settings in Stripe, HMRC, PayPal, Xero, banking apps
…it is entirely appropriate to say:
“I’m happy to help you, but this specific step must be completed by you directly. I can guide you through it.”
This protects both of you.
How to explain this to clients (scripts you can borrow)
Friendly
“To keep your business safe, it’s best if we can use separate access wherever possible. Where that isn’t available, I’ll follow your instructions, but we need a clear process so there’s an audit trail.”
Professional
“If anything goes wrong in a system, an audit trail is essential. Shared logins make that impossible. Let’s use roles where we can, and a structured workflow where we can’t.”
Urgent (post-scare)
“I can’t safely carry out that action using a shared login. It needs your direct access. I can guide you if you like.”
January planning
“As we head into the new year, it would be great to review which systems could support delegated access. It’ll make everything safer and more efficient.”
Final thoughts
Sharing logins feels quick, cheap and convenient — until something goes wrong.
Whether you’re a business owner delegating work or an assistant delivering it, the safest way forward is:
- separate access where possible
- secure shared access where not
- clear written instructions
- sensible boundaries
- and a contract that reflects how data must be handled
Your systems don’t need to be perfect.
They just need to be safe enough to protect your money, your data, and your working relationships.
If you’d like help with the right contracts, data privacy wording, or GDPR-friendly processes for small online businesses, the KoffeeKlatch programme has you covered.