How to Enable Just‑in‑Time (JIT) Access to Shared Accounts Using Rublon MFA

Modified on Mon, 23 Jun at 2:22 PM

The instructions below are intended for situations where several people have to share one set of primary credentials (username + password) and you want to let them in only when necessary.


Option #1: Individual Authenticators for Every Authorized Person

This approach ensures every person who shares the account has a distinct authenticator, which allows removing a single authenticator without affecting the rest.


1. Add the shared user account to Rublon MFA in one of the following ways:

   • Add the user account manually. Make sure the username is the same as the username in your external directory service.

   • Synchronize the account from an external directory like Active Directory or Entra ID.

   • Ensure Enrollment Type is set to Automatic in the Rublon Admin Console and use the shared account’s primary credentials to sign in to the Rublon-integrated application.


2. Enroll authenticators for this account:


Send an Enrollment Email to each person who will be using this shared account. Change the Email Address field before each Enrollment Email is sent to ensure everybody receives the email in their mailbox and enrolls their authenticator by opening the link inside the email message.


3. Change the shared account’s status to Denied so that any login attempt stops at the password stage with Access Denied!.


• To grant temporary access, set the status to Active just before the maintenance window, shift, or ad‑hoc session begins. Users log in with the shared username/password and complete MFA with their own registered authenticator.


• As soon as work is finished, switch the account back to Denied. With this approach, you only flip a status flag; no re‑enrollment is required, and logs clearly show who authenticated via which authenticator.


Status | Effect on login                                    | Typical use
Active | Password plus second MFA factor required.          | Normal, controlled access period.
Denied | All logins are blocked (users see Access Denied!). | The default state when nobody should be able to use the account.


Option #2: Supervised MFA (Approval‑Based JIT)

Sometimes you want the login to be performed by Operator A while the MFA confirmation must come from Supervisor B:


1. Add the shared user account to Rublon MFA in one of the following ways:

   • Add the user account manually. Make sure the username is the same as the username in your external directory service.

   • Synchronize the account from an external directory like Active Directory or Entra ID.

   • Ensure Enrollment Type is set to Automatic in the Rublon Admin Console and use the shared account’s primary credentials to sign in to the Rublon-integrated application.


2. Enroll authenticators for supervising admins:


Send an Enrollment Email to each person who will be using this shared account. Enter each person’s email address before sending the Enrollment Email to ensure everybody enrolls their authenticator by opening a link they receive in their mailbox.


3. Hide the Manage Authenticators button by unchecking Let Users Manage Authenticators. After doing that, users will not be able to add new authenticators in the Rublon Prompt.


4. During login:


  1. The operator enters the shared username and password.
  2. The operator chooses the supervisor’s registered authenticator.
  3. The supervisor receives the authentication request and approves it.


Tip: If there is only one supervisor, enable the Default Authentication Method to prompt the supervisor for MFA automatically once the password is correct, reducing the time the Operator spends at the Rublon Prompt.
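The two patterns above (Option #1: a Denied-by-default account opened for a time-boxed window and closed again, with each person's own authenticator attributed in the audit trail; Option #2: the operator selecting the supervisor's authenticator, which the supervisor approves or declines) as an added, constructed model. This is illustrative code written for this article, not Rublon's Admin Console or API; the account name, authenticator IDs, people and times are made up.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Authenticator:
    owner: str             # person who enrolled it via their own Enrollment Email
    method: str            # e.g. "Mobile Push"
    approves: bool = True  # constructed: does the owner approve the prompt?

@dataclass
class SharedAccount:
    username: str
    status: str = "Denied"                      # default: nobody can log in
    active_until: datetime | None = None        # end of the JIT window
    authenticators: dict = field(default_factory=dict)  # id -> Authenticator
    audit: list = field(default_factory=list)   # (time, authenticator id, outcome)

    def open_window(self, now: datetime, minutes: int) -> None:
        """Option #1: flip the status flag to Active just before the session."""
        self.status, self.active_until = "Active", now + timedelta(minutes=minutes)

    def login(self, now: datetime, password_ok: bool, auth_id: str) -> bool:
        if self.status == "Active" and self.active_until and now >= self.active_until:
            self.status, self.active_until = "Denied", None  # window elapsed: revert
        if not password_ok:
            return self._record(now, auth_id, "wrong password")
        if self.status == "Denied":         # stops at the password stage
            return self._record(now, auth_id, "Access Denied!")
        auth = self.authenticators.get(auth_id)
        if auth is None:                    # removed or never enrolled
            return self._record(now, auth_id, "unknown authenticator")
        if not auth.approves:               # Option #2: the supervisor declines
            return self._record(now, auth_id, f"rejected by {auth.owner}")
        return self._record(now, auth_id, f"granted via {auth.owner} ({auth.method})")

    def _record(self, now: datetime, auth_id: str, outcome: str) -> bool:
        self.audit.append((now.isoformat(), auth_id, outcome))
        return outcome.startswith("granted")

def demo() -> list:
    # Constructed walk-through: one operator, one supervisor, a 30-minute window.
    acct = SharedAccount("svc-backup")   # constructed account name
    acct.authenticators["A1"] = Authenticator("Operator A", "Mobile Push")
    acct.authenticators["B1"] = Authenticator("Supervisor B", "Mobile Push")
    t0 = datetime(2025, 6, 23, 14, 0)
    acct.login(t0, True, "A1")                          # Denied by default
    acct.open_window(t0, 30)
    acct.login(t0 + timedelta(minutes=5), True, "B1")   # supervised approval
    acct.login(t0 + timedelta(minutes=45), True, "A1")  # window over: Denied again
    return acct.audit
```

Each audit entry names the authenticator that was used, so the shared username alone never hides who actually completed MFA.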


The following table describes how well each authentication method fits into Supervised MFA.


Method                     | How approval happens                         | Recommended? | Notes
Mobile Push                | Tap Approve in Rublon Authenticator.         |              | Fastest and most convenient method.
Phone Call                 | Press any key during the call.               |              | Works even on landlines.
SMS Link                   | Open the link in the text message.           |              | Convenient but not as fast or secure as Mobile Push.
Email Link                 | Open the link in the email message.          |              | Convenient but not as fast or secure as Mobile Push.
QR Code                    | Scan the QR code using Rublon Authenticator. |              | Requires the supervisor to be physically present or the operator to share the screen, which is inconvenient.
Passcode                   | Enter the passcode from an app.              |              | Requires the supervisor to be physically present or to tell/send the OTP value to the operator, which is inconvenient.
SMS Passcode               | Enter the passcode from a text message.      |              | Requires the supervisor to be physically present or to tell/send the OTP value to the operator, which is inconvenient.
WebAuthn/U2F Security Key  | Plug in and touch the key.                   |              | Best phishing‑resistance, but not remote‑friendly, and inconvenient for the supervisor who has to be physically present with the key.
YubiKey OTP                | Insert and touch the key.                    |              | Not remote‑friendly, and inconvenient for the supervisor who has to be physically present with the key.

