Multiple Account Authentication on a Single Device
  • 13 Dec 2024
  • 2 Minutes to read
  • Dark
    Light
  • PDF

Multiple Account Authentication on a Single Device

  • Dark
    Light
  • PDF

Article summary

Authentication is typically one device to one user account; however, that is not always the case. A common scenario is when a user has multiple accounts, such as administrator and regular user, and they choose to authenticate with a single device rather than associate each account type to a unique authenticator.

This setup can be achieved using Certificate-based Authentication (CBA) and Axiad can help issue these certificates to a single authentication device.

Potential Added Risk

Linking multiple accounts to a single device is more convenient to the user and reduces the company’s cost, but it is worth noting that this scenario does pose an additional risk because if a malicious actor gets ahold of the device and is able to successfully authenticate (e.g. by guessing the PIN through social engineering), then they have access to any and all accounts tied to that user’s authentication device.

Axiad User Experience

The login flow for authenticating with a device that has multiple accounts is similar to authenticating with a device tied to a single account.

Windows Login

Windows will recognize that there are multiple accounts, so the user must select the account they want to use. Once selected, then they provide the PIN for their authentication device and they are logged into the machine.

Native Application, e.g. RDP or Run as Administrator

Users can click More choices and Windows will then present them with each of their accounts from which to select.

Browser Authentication

The browser prompt includes an additional step to select the user account before providing the PIN for authentication.

Axiad Setup

Account Provisioning

Axiad will create a credential workflow to define which certificates will be loaded on the device and how the certificates are built.

The content of the certificates identifies the account being used to authenticate. Most applications use one or two certificate extensions to identify which account the certificate represents:

  • The Subject Alternative Name (SAN) extension contains the User Principal Name (UPN)

  • The Object SID extension contains the unique SID representing the account in Active Directory

Axiad Conductor or UCMS must have access to the UPN and / or SID identifiers for the secondary certificate to provision multiple certificates. These details can be retrieved in multiple ways:

  • An attribute must be configured in the directory or IdP to hold the required information

    • For example, the secondary UPN can be added in the info field in AD, and the secondary SID can be added in the ExtentionAttribute1 field

  • The secondary UPN can be constructed on the fly as long as it has a standard structure to it

    • For example: firstname.lastname.admin@domain.com

Certificate and Account Mapping in Active Directory

An alternative way to authenticate different accounts with the same device is through Certificate and Account Mapping, which employs the same certificate to authenticate all the accounts. This can be done using one of two methods:

  • UPN Mapping

    Update the UPN attribute of the secondary user account to match the Subject Alternative Name (SAN) of the certificate​ (i.e., user@domain.com)​

    • This is applicable only if the secondary account(s) is in a separate domain that of the original user account

  • Certificate Serial Number Mapping

    Update the altSecurityIdentities attribute of the secondary user account to match the Serial number of the certificate​


Was this article helpful?


What's Next
Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.