Skip to content

Giving support teams safe device access

Support teams need device access. Shared account passwords are not a safe or scalable way to provide it.

  1. Create a support team - separate from engineering and admin teams
  2. Scope device access - support sees customer production devices; engineering sees dev/staging
  3. Enable 2FA - require two-factor authentication on all accounts
  4. Use remote shell for diagnostics - avoid unnecessary public Wormhole exposure
  5. Review audit trails - periodically check who accessed which devices

What support should be able to do

  • Find devices by customer or site tag
  • Check online status and recent logs
  • Open remote shell for diagnostics and service restarts
  • Escalate to engineering with device context

What support should not do

  • Share one login across the team
  • Expose Wormhole services without application-level authentication
  • Make configuration changes without documentation