Skip to main content

Passwordless Login for Shared Account

Overview

1Kosmos has extended its passwordless login capability for shared accounts, which will be available for deployment across shared workstations.

Shared accounts refer to accounts that multiple employees use within an organization. For example, shared accounts in a factory assembly line enable employees to perform specific tasks collaboratively. Other examples include:

  • A shared computer with a legacy common login used by multiple employees.
  • A generic company email account monitored by different employees in rotating shifts.
  • Shop floor computers are set to kiosk mode, allowing different shifts of employees to access them at various times.
  • An online tool or desktop application that restricts access to a single login account.

The problem with shared accounts is that there needs to be visibility into which employee is using the shared account thereby causing a lack of traceability. Also, there is a security risk around sharing credentials for shared accounts. Implementing this shared account feature enhances collaboration, streamlines workflows, and improves efficiency across shared workstations in organizations.

The key features and benefits of the shared account login functionality eliminate the need to manually share credentials.

  • Improved Security – 1Kosmos replaces the manual sharing of passwords for shared accounts with a mechanism that verifies the primary user's identity through biometric authentication. This approach eliminates the risks of password sharing, ensures individual accountability, and safeguards critical operational assets from unauthorized access.
  • Enhanced User Experience – As username passwords are retrieved from a credential vault, manual intervention in maintaining passwords has been eliminated, providing a seamless, user-friendly experience for employees.
  • Comprehensive Auditing and Compliance – Biometric authentication establishes a detailed audit trail, allowing for better tracking of user activity and ensuring compliance with security policies and regulations.

Shared Account Login Workflow

The primary user authenticates themselves using 1Kosmos’ 1Key on a shared workstation, where the user is authenticated using their fingerprint. After successful authentication, the Windows Workstation MFA agent displays the list of shared accounts the user is authorized to access. Once a shared account is selected, its credentials are fetched from the credential vault (currently supported through CyberArk) and the shared account gains access to the workstation.

The following workflow diagram illustrates how the Windows Workstation MFA agent displays the shared account(s) associated with a user.

Managing Shared Account Authorization Table

1Kosmos manages a shared account authorization table that records the accounts authorized for each user. When a user authenticates through the Windows Workstation MFA agent, the system retrieves the relevant shared accounts and displays them on the login screen for quick and secure access.

note

For more information on setting up the mapping agent in your shared workstation, reach out to your 1kosmos customer representative.

Managing Vault Details

The vault connection details need to be configured in the Windows Workstation MFA agent registry on the shared workstation.

Registry Path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{90576E81-DDF8-4E8E-91E2-CA3A9CE52410}

The following table illustrates sample values:

Registry KeyRegistry TypeRegistry Sample Value
VaultUrlREG_SZsample.privilegecloud.cyberark.com
VaultUserREG_SZsvc_account
VaultUserCredentialREG_SZPa$$worD101#

The registry can be updated either through the SCCM / GPO by the organization or via the BlockIDInstaller.bat script using the -configure directive. For more information, see Automatic Installation of the Windows Workstation MFA Agent.

Managing Credentials in the Vault

Organizations manage shared account credentials through their vault that stores them in a centralized encrypted vault. This approach prevents organizations from manually sharing passwords for shared accounts as they are directly retrieved from the server and helps in a smooth login process on the shared workstations.

Authenticating Authorized Shared Accounts

Ensure that the Windows Workstation MFA agent is installed on shared workstations and biometrics are enrolled on 1Key to enable authentication for shared account logins.

To access the shared account, follow these steps:

  1. In the login screen, click the Other User tile and select the BlockID option.
  2. Enter the username and click Submit.
  3. The user will be prompted to insert their 1Key device if it is not already inserted.
    The user will be prompted to provide biometric authentication through their registered finger.
  4. Select the appropriate shared account from the list of authorized shared accounts.
  5. After selecting a shared account, its corresponding credentials are automatically fetched from the vault and submitted to the OS for validation. The user has successfully logged into the workstation through their shared account.

Sample Video

Here is a locally hosted video:

Experience the Demo