Shared Account
Overview
Some organizations rely on shared accounts for accessing workstations. In a factory assembly line, for example, a single account is shared by the employees who perform a designated set of operations, and that account carries only the access those operations need. Shared accounts have two drawbacks. First, there is no visibility into which employee was using the account at any given time, so actions taken under it cannot be traced back to an individual. Second, the account's credentials have to be handed to everyone who uses it, and sharing credentials is itself a security risk. To address both, 1Kosmos has implemented a streamlined login through the shared account feature: after a user has authenticated as an individual, the agent shows the list of shared accounts that user is authorized to use.
The Windows Workstation MFA agent lets a user select from accounts that are shared across multiple users or systems. This simplifies access management and streamlines the login process, and it helps manage credentials for accounts that are used collaboratively or across different devices and environments. Shared Account can be enabled to appear on the Adaptive Auth screen only after an initial authentication of the primary user account, which can be performed with a push notification, QR code, OTP or FIDO. Based on the configured adaptive journey, the corresponding multi-factor authentication methods are displayed on the Sign In – Choose an authentication method screen. For example, after validating with FIDO, a user who is authorized to use shared accounts can be prompted to select one. The user lands on the Choose shared account screen and selects the required shared account. Once selected, the shared account's password is fetched from CyberArk (Windows Workstation MFA works only with CyberArk) and passed directly to the OS for login, so the user never has to know or type the shared account's password, and every shared-account login is preceded by the individual's own authentication.
Login with Shared Account
The Windows Workstation MFA agent lets users log in to their workstation with a shared account, that is, an account allocated to multiple users.
The user can either select a username shown on the login screen or use the Other User tile to start the authentication process. If the user is authorized for more than one shared account, the Sign In – Choose shared account screen lists all of them.
To log in with a shared account, follow these steps:
- On the login screen, either select a username or click the Other User tile, and then click the BlockID option.
- If you selected a username, click the Sign in button. If you selected the Other User tile, the Sign In – Enter your username screen appears; enter your username and click the -> button.
- Based on the configured adaptive auth journey, the Choose an authentication method screen shows the available options. In this example the user selects Security Key to authenticate with FIDO.
- After the FIDO validation succeeds, what appears next depends on whether the administrator has configured a further adaptive auth journey for the shared account. If no auth journey is configured, the user is taken directly to the shared account selection, shown in the following screen. If multiple auth journey factors are configured, the user is first presented with the new Shared Account tile followed by the other configured factors; the following screen illustrates this scenario.
- Click Shared Account. The list of shared accounts associated with the user is displayed.