In this particular case "best practice" is what the site decides.
In one instance where I worked, there was a designated production user. The account itself couldn't be logged in to, BUT staff users that were authorized to use the account could get logged in by first authenticating via Kerberos, then they could use their personal credentials to remotely log in to the account.
In this way, we had control over the account, and audit logs of who, when, and from where they logged in. Without Kerberos, there is no auditing of who is getting logged in. sudo can SORT of do it, but not all information can be recorded (specifically, the "from where").
ssh logins using RSA can also sort of do it... but it then depends on the security of the user's workstation to protect the private keys...
Last edited by jpollard; 12-28-2014 at 01:05 PM.
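As an added illustration of the "who, when, and from where" point in the post above (this is example code, not something jpollard posted or a tool from any project), the script below reconstructs audit records for logins to a shared account from sample syslog lines. The log lines are constructed for this example; they follow the shape of OpenSSH's "Accepted <method> for <user> from <ip> port <n> ssh2" and "Authorized to <user>, krb5 principal <principal> (krb5_kuserok)" messages and sudo's "<user> : TTY=... ; USER=<target> ; COMMAND=..." message, but the host, principal, addresses and key fingerprint are made up. The account name `prod`, the `KEY_OWNERS` map and the `AuditRecord`/`parse_audit` names are assumptions of this example: sshd only logs a key fingerprint, so tying a publickey login to a person needs your own key inventory, and the sudo record ends up with no source address at all, which is the gap the post describes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample syslog lines for this example (not from any real system).
SAMPLE_LOG = """\
Dec 28 12:58:01 prodbox sshd[4021]: Authorized to prod, krb5 principal alice@EXAMPLE.COM (krb5_kuserok)
Dec 28 12:58:01 prodbox sshd[4021]: Accepted gssapi-with-mic for prod from 10.1.2.3 port 50512 ssh2
Dec 28 13:02:17 prodbox sshd[4099]: Accepted publickey for prod from 10.1.2.9 port 50640 ssh2: RSA SHA256:FAKEFINGERPRINTFORBOB
Dec 28 13:05:44 prodbox sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=prod ; COMMAND=/bin/bash
"""

# Hypothetical map from authorized_keys fingerprint to the key's owner. sshd does
# not know who owns a key; this has to come from your own key inventory.
KEY_OWNERS: Dict[str, str] = {"SHA256:FAKEFINGERPRINTFORBOB": "bob"}


@dataclass
class AuditRecord:
    when: str               # syslog timestamp of the event
    account: str            # the shared account being entered
    actor: Optional[str]    # the person the login can be tied to, if any
    via: str                # "krb5", "publickey" or "sudo"
    source: Optional[str]   # originating address, or None if the log cannot say


# The krb5 "Authorized to" line and the "Accepted" line share the sshd pid.
KRB_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: Authorized to (?P<account>\S+), "
                    r"krb5 principal (?P<principal>\S+) \(krb5_kuserok\)")
ACCEPT_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<account>\S+) "
                       r"from (?P<src>\S+) port \d+ ssh2(?:: \S+ (?P<fp>\S+))?")
SUDO_RE = re.compile(r"sudo:\s+(?P<actor>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<account>\S+) ; COMMAND=")


def parse_audit(log: str, key_owners: Dict[str, str]) -> List[AuditRecord]:
    """Turn raw syslog text into one AuditRecord per entry into a shared account."""
    records: List[AuditRecord] = []
    principal_by_pid: Dict[str, str] = {}
    for line in log.splitlines():
        when = line[:15]  # "Mon DD HH:MM:SS"
        m = KRB_RE.search(line)
        if m:
            # Remember the Kerberos principal until the matching Accepted line arrives.
            principal_by_pid[m["pid"]] = m["principal"]
            continue
        m = ACCEPT_RE.search(line)
        if m:
            if m["method"] == "gssapi-with-mic":
                actor, via = principal_by_pid.pop(m["pid"], None), "krb5"
            elif m["method"] == "publickey":
                # Only a fingerprint is logged; the owner comes from our inventory.
                actor, via = key_owners.get(m["fp"] or ""), "publickey"
            else:
                actor, via = None, m["method"]
            records.append(AuditRecord(when, m["account"], actor, via, m["src"]))
            continue
        m = SUDO_RE.search(line)
        if m:
            # sudo records the invoking user but has no notion of where they came from.
            records.append(AuditRecord(when, m["account"], m["actor"], "sudo", None))
    return records


def without_source(records: List[AuditRecord]) -> List[AuditRecord]:
    """Records for which the log cannot answer 'from where'."""
    return [r for r in records if r.source is None]


if __name__ == "__main__":
    for rec in parse_audit(SAMPLE_LOG, KEY_OWNERS):
        print(rec)
```

Running it shows the Kerberos login attributed to `alice@EXAMPLE.COM` from 10.1.2.3, the key login attributed to `bob` only because the fingerprint is in `KEY_OWNERS`, and the sudo entry for `carol` with no source address; to answer "from where" for the sudo case you would have to join it against carol's own earlier sshd login, which the sudo line alone does not give you.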