How to Give Virtual Assistant Access to Tools Safely

Why Tool Access Is the Most Skipped Step in VA Onboarding

Businesses spend weeks deciding which VA to hire and almost no time figuring out how to actually give them access to the tools they need. The result is predictable: the VA starts their first week unable to log in to anything, wasting hours while the business owner scrambles to share credentials over Slack -- usually in plain text, without any access controls.

This is both a productivity problem and a security problem. Poor access management is one of the top reasons VA relationships fail in the first 30 days -- not because the VA was the wrong hire, but because the setup was never done properly.

Getting tool access right takes about two to three hours upfront. It protects your accounts, speeds up onboarding, and makes offboarding clean if the engagement ever ends.

Step 1 -- Map Every Tool the VA Will Need

Before you create a single login, write out every tool your VA will touch. This list is more useful than most managers expect -- it often surfaces tools the business has been using inconsistently or accounts that are shared in ways they should not be.

A typical list for an admin/operations VA might include:

• Gmail or Outlook (with a specific scope -- inbox management, drafting, calendar)
• Google Workspace or Microsoft 365 shared drives
• Project management tool (Asana, Trello, ClickUp, Notion)
• CRM (HubSpot, Salesforce, Zoho)
• Communication platform (Slack, Teams)
• Social media scheduling tool (Buffer, Later, Hootsuite)
• Bookkeeping software if applicable (QuickBooks, Xero)

Once you have the list, identify which category each tool falls into:

Native user accounts -- The tool supports individual user accounts with permission levels. Create a dedicated account for your VA. Do not share yours.

Password-managed shared accounts -- The tool has only one login (e.g., a social media account, a shared inbox). Use a password manager to share access without revealing the actual password.

SSO-enabled tools -- The tool allows single sign-on through Google or Microsoft. Provision access through your identity provider rather than creating a separate credential.

Step 2 -- Use a Password Manager for Shared Credentials

For any account that cannot support multiple users natively -- a shared Twitter account, a brand email alias, a subscription tool with one seat -- a password manager is the right solution. The VA can log in through the shared vault entry without ever seeing the actual password.

1Password Teams, Bitwarden (open source and free for small teams), and Dashlane Business all support shared vaults with granular permissions. You can share specific credentials with your VA without giving them access to your full vault, and you can revoke access instantly when needed.

Never share passwords in Slack, email, or any communication tool. Even ephemeral messages can be recovered from logs or screenshots. A password manager with audit logging is the correct path -- it also gives you a record of every time a credential was accessed.

Step 3 -- Apply the Principle of Least Privilege

Every tool access you provision should be scoped to the minimum needed to do the job. This is called the principle of least privilege, and it is the single most effective security practice for remote team management.

Practical applications:

• Give your VA "Editor" access in Google Drive for the folders they work in -- not admin access to the entire Drive.
• In HubSpot, assign the "Sales" or "Marketing" role rather than "Super Admin."
• In Gmail, use delegation (Settings > Accounts > Grant access) so they can manage your inbox without knowing your password or accessing your personal Google account data.
• In social media tools, use the built-in "Publisher" or "Analyst" roles rather than account owner access.

Start narrow. You can always expand permissions as the VA demonstrates reliability and their scope of work grows.

Step 4 -- Enable Two-Factor Authentication

Two-factor authentication (2FA) adds a second verification layer that protects accounts even if a password is compromised. For accounts your VA accesses, configure 2FA in a way that does not block their access.

Options that work well for VA access:

• Authenticator app shared via code -- Generate the 2FA setup QR code and share it with your VA so they can add it to their own authenticator app. Both of you then have 2FA codes for the same account.
• Email-based 2FA to a shared inbox -- Works if the shared inbox is itself secured properly.

For accounts that route 2FA codes to your personal phone, either use an authenticator app approach or switch the 2FA method to an email address your VA can access.

Step 5 -- Document Access and Plan for Offboarding

Create a simple access log -- a spreadsheet is fine -- that lists every tool, the type of access granted, the date provisioned, and the account email used. This document serves two purposes: it is your onboarding checklist for future VAs, and it is your offboarding checklist when the engagement ends.

When an engagement ends, work through the list systematically: revoke user accounts, change passwords on shared credentials, remove the VA from shared vaults, and audit any accounts that used email delegation.

According to NIST's guidelines on access management, maintaining a current inventory of who has access to which systems is a foundational security control -- and it applies equally to full-time employees and contract remote workers.

Stealth Agents VAs Are Experienced With Secure Onboarding

If you are hiring a VA for the first time, know that experienced VAs are used to this process. They have been through it with other clients and know not to ask for more access than they need or to push back on security protocols.

Stealth Agents provides dedicated full-time VAs -- not part-time or shared -- which means your VA builds consistent familiarity with your systems over time. You set up access once, and the same person maintains that access responsibly rather than rotating in and out. Stealth Agents VAs start at $10/hr and arrive with the professional discipline that makes secure onboarding straightforward rather than adversarial.

FAQ

Q: Should I create a separate email address for my VA?

A: For most business tools, yes. A VA-specific email (e.g., assistant@yourdomain.com) lets you provision accounts cleanly, receive work-related notifications separately, and revoke access by disabling that address when needed.

Q: What if a tool does not support multiple users?

A: Use a password manager with shared vault access. The VA logs in through the vault entry and never sees the actual password. This applies to most single-seat subscriptions and social media accounts.

Q: Can I give my VA access to my Gmail without sharing my password?

A: Yes. Gmail supports delegation -- you can grant a second user access to your inbox for reading, responding, and managing without sharing your Google account password. Go to Gmail Settings > Accounts and Import > Grant access to your account.

Q: How do I revoke access quickly if I need to end the arrangement?

A: Work through your access log: disable user accounts, rotate shared passwords in your password manager, remove delegated inbox access, and remove the VA from any shared drives or communication platforms. If you documented access during onboarding, this takes under an hour.

Q: What is the biggest security mistake businesses make with VAs?

A: Sharing master account passwords over Slack or email. This gives the VA access to everything associated with that account, leaves no audit trail, and makes clean offboarding nearly impossible. Always use proper access controls from day one.