The Shared Authenticators feature allows user A to authenticate to user B’s account by using the authenticators of user B (which is shared to A).
The authenticators that can be shared are: TOTP, HOTP, Password, Fingerprint, Card, and FIDO U2F.
Bob is the manager of Alice and he is away on a holiday. He has enabled shared authenticator so that Alice can check his emails in his absence. Alice is required to verify an important email that can provide good revenue for the company. Alice can use the shared authenticators feature to access the account of Bob by using her own authenticators.
To share the authenticators of Alice with Bob, perform the following steps:
Log in to the Helpdesk portal with your Helpdesk administrator credentials.
In the User to manage screen, specify the user name as Bob.
Click the Linked Authenticators tab on the screen.
Specify the user name whose authenticator can be used as shared authenticator. If you want to use Alice’s fingerprint to authenticate to the account of Bob, specify the name as Alice-Fingerprint.
Alice will now be able to authenticate to the account of Bob by using her own fingerprint.
A Full admin can prevent the use of shared authenticators for some events.
The boss Bob must have a chain with the LDAP Password method assigned to the Windows logon, Linux logon, or Mac OS logon event. Bob must authenticate at least once to have the LDAP Password cached on the workstation (for Windows, Linux, or Mac OS Clients).
After the Alice’s fingerprint authenticator is linked to Bob’s account, Alice must perform the following steps to get authenticated to Bob’s account:
Secretary Alice specifies the username of her boss Bob.
Alice uses her authenticator to authenticate to the account of Bob.