Group Account Security

Shared Account Authentication.

Add MFA to shared accounts without sharing authentication devices. Ensure full accountability for every login.

Concept

One account, multiple authenticators.

Add multi-factor authentication to shared VPN and remote access accounts, while maintaining individual accountability. Multiple team members share the same login credentials, but each person authenticates with their own phone or hardware token. The audit log shows exactly whose device was used for each login.

How it changes traditional MFA

Traditional MFA ties one phone or token to one account. Shared Account Authentication links multiple phones and tokens to a single account. When logging in via RADIUS, the user is prompted to enter their phone number or token ID. Mideye validates it belongs to the account and sends the MFA challenge to that specific device. The selection is securely recorded in the audit log.

Use cases

When should you use shared account MFA?

Vendor & MSP Access

External vendors sharing a single VPN account for remote maintenance. Each vendor employee uses their own phone to authenticate. See exactly who connected for supply chain accountability.

Admin VPN Accounts

IT teams sharing a privileged VPN or remote access account. Each admin authenticates with their personal device. Full audit trail for compliance frameworks like NIS2 and DORA.

Shift Work Access

Operations teams sharing a single account across shifts. Each operator uses their own token or phone. The audit log shows who was on shift and when they connected.

Shared Linux Accounts

Shared root or service accounts on Linux servers authenticated via PAM RADIUS. Each person identifies themselves with their own phone or token before access is granted.

How it works

From login to access.

1

Login

The user enters the shared password via RADIUS on any compatible system (VPN, firewall, gateway).

2

Identify

Mideye prompts the user to enter their specific mobile phone or token number.

3

Authenticate

Mideye validates the device belongs to the account and sends a push notification or requests a token OTP from that device.

Methods

Supported authentication methods.

Mideye+ Push

Users can approve the login request directly on their selected smartphone using the Mideye+ app.

Hardware Token

Users can enter the TOTP generated from their personal hardware token (like a YubiKey or HID token).

Security

How it improves security.

  • Individual accountability: The audit log shows exactly which phone or token was used, not just the shared account name.
  • No shared secrets: Each person uses their own device. No shared phones, tokens, or OTPs.
  • Device registration: Only pre-registered phones and tokens can authenticate. Arbitrary devices are rejected.
  • Easy offboarding: Remove a team member's phone from the list when they leave. No password changes needed.
  • Compliance ready: The per-person audit trail helps meet access logging requirements in security frameworks.

Compliance

Regulatory requirements addressed.

Shared Account Authentication addresses regulatory requirements for privileged access management and least privilege.

DORA RTS Article 21

Requirement: "Assignment of privileged access on a need-to-use or an ad-hoc basis."

Solution: Time-based access windows combined with per-person MFA ensure privileged accounts are only accessible during approved windows with no standing privileges.

DORA RTS on ICT risk management →

ISO/IEC 27001:2022

Requirement: Access control policies (A.5.15) and privileged access rights management (A.5.18).

Solution: Provides individual accountability on privileged accounts. Audit logs show exactly who accessed the shared account and when.

NIS2 & PCI DSS

Requirement: Shared accounts are discouraged, but must have individual accountability when used.

Solution: Per-person MFA on shared credentials provides the audit trail required to identify who performed which action.

NIS2 Directive → PCI DSS →

Best practice: Prefer individual accounts over shared accounts whenever possible. When shared accounts are operationally necessary (appliances, legacy systems, vendor access), Shared Account Authentication provides the individual accountability layer required by compliance frameworks.

These are requirements our customers address using Mideye's controls as part of their own certification and compliance programs. See the full compliance mapping.

Add MFA to Your Shared Accounts

Shared Account Authentication is included with Mideye Server 5.6 and later. Contact us to discuss your shared account security requirements.