# 36 Split-custody break-glass

> v0.0.3 · role: Prevent · [policy: #32 · #13, #3](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Splits the [20 Break-glass admin + offline backup codes](breakglass-admin.md) credential between two people: one holds the password, the other holds the security keys or backup codes. Neither can sign in alone, so a single coerced, compromised or malicious custodian cannot use the tenant's most powerful account. It is a two-person rule on the recovery path, done manually.

Documentation: [Security best practices for administrator accounts](https://knowledge.workspace.google.com/admin/users/security-best-practices-for-administrator-accounts)

## Caveats

- Do not confuse it with Multi-party approval (№22), which IS a console setting: MPA gates sensitive setting changes, including account recovery settings, but it cannot gate a sign-in itself — split custody puts the two-person rule on actually using the break-glass credential.
- Two custodians means two people must be reachable in an emergency — a split that cannot be reassembled at 3am is an outage, so name deputies and rehearse it.

_Process control — carried out offline; no Admin Console walkthrough._

## Ongoing maintenance

- **[requires a human]** Annually: repeat the reassembly drill and rotate the secret after use.

## How to verify

1. Run the reassembly drill: both custodians produce their halves and the credential works end to end. A split secret that has never been recombined is not known to exist.
