Mideye+ Push
Users can approve the login request directly on their selected smartphone using the Mideye+ app.
Add MFA to shared accounts without sharing authentication devices. Ensure full accountability for every login.
Concept
Add multi-factor authentication to shared VPN and remote access accounts, while maintaining individual accountability. Multiple team members share the same login credentials, but each person authenticates with their own phone or hardware token. The audit log shows exactly whose device was used for each login.
Traditional MFA ties one phone or token to one account. Shared Account Authentication links multiple phones and tokens to a single account. When logging in via RADIUS, the user is prompted to enter their phone number or token ID. Mideye validates it belongs to the account and sends the MFA challenge to that specific device. The selection is securely recorded in the audit log.
Use cases
External vendors sharing a single VPN account for remote maintenance. Each vendor employee uses their own phone to authenticate. See exactly who connected for supply chain accountability.
IT teams sharing a privileged VPN or remote access account. Each admin authenticates with their personal device. Full audit trail for compliance frameworks like NIS2 and DORA.
Operations teams sharing a single account across shifts. Each operator uses their own token or phone. The audit log shows who was on shift and when they connected.
Shared root or service accounts on Linux servers authenticated via PAM RADIUS. Each person identifies themselves with their own phone or token before access is granted.
How it works
The user enters the shared password via RADIUS on any compatible system (VPN, firewall, gateway).
Mideye prompts the user to enter their specific mobile phone or token number.
Mideye validates the device belongs to the account and sends a push notification or requests a token OTP from that device.
Methods
Users can approve the login request directly on their selected smartphone using the Mideye+ app.
Users can enter the TOTP generated from their personal hardware token (like a YubiKey or HID token).
Security
Compliance
Shared Account Authentication addresses regulatory requirements for privileged access management and least privilege.
Requirement: "Assignment of privileged access on a need-to-use or an ad-hoc basis."
Solution: Time-based access windows combined with per-person MFA ensure privileged accounts are only accessible during approved windows with no standing privileges.
Requirement: Access control policies (A.5.15) and privileged access rights management (A.5.18).
Solution: Provides individual accountability on privileged accounts. Audit logs show exactly who accessed the shared account and when.
Requirement: Shared accounts are discouraged, but must have individual accountability when used.
Solution: Per-person MFA on shared credentials provides the audit trail required to identify who performed which action.
Best practice: Prefer individual accounts over shared accounts whenever possible. When shared accounts are operationally necessary (appliances, legacy systems, vendor access), Shared Account Authentication provides the individual accountability layer required by compliance frameworks.
These are requirements our customers address using Mideye's controls as part of their own certification and compliance programs. See the full compliance mapping.
Shared Account Authentication is included with Mideye Server 5.6 and later. Contact us to discuss your shared account security requirements.
We use cookies and analytics to improve your experience and understand how our site is used. Privacy Policy