Skeleton login

We've got a client-facing site that has tonnes of logins and need ideas for a way to log in to each customer's account. It's all written in-house so a custom implementation is fine.

Previously a skeleton password was being used but if that got leaked somehow it'd allow anyone access to all of our clients' accounts. A one-time pass for two-factor authentication is impractical because we need prompt access to their account but having a unique ID per admin account would be beneficial.
A local instance is also unlikely because we have users that require access that have knowledge of the system but little knowledge of how to set up a local environment. Also, all info is stored on DBs that are not externally accessible. So, logging in to the web portal is the preferred method.
I'd also like to avoid relying on an IP address as we publicise our main office IP so I think that could be spoofed too easily.

Any other ideas?
Is there something similar to an SSH key that could be used for web-based authentication?

Yes, there is such a thing, I cannot recall what it would be called, but it's basically a security certificate.

Also, if it's all in-house, why not just create an "impersonation" function so your admin user accounts can just impersonate any given user?

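The "impersonation" function suggested above is worth sketching, because the security properties come from how it is built, not from the idea itself. The following is an added example and not code from the original poster's system or from anyone in this thread; the admin and customer names, the in-memory dictionaries, the time limits and the per-deployment `SERVER_KEY` are all constructed for illustration. The admin never learns a customer password: they authenticate as themselves (including a recently verified second factor), the server writes an audit record of who is acting as whom and why, and the resulting short-lived session carries both identities so every later request can still be attributed to the real person.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data: in a real deployment these would live in the
# application's database and a secrets store, not in module constants.
SERVER_KEY = secrets.token_bytes(32)
ADMINS = {"alice": {"mfa_verified_at": None}, "bob": {"mfa_verified_at": None}}
CUSTOMERS = {"acme-corp": {"plan": "enterprise"}, "widgets-ltd": {"plan": "basic"}}
AUDIT_LOG = []  # append-only record of who impersonated whom, and when

IMPERSONATION_TTL = 15 * 60   # an impersonation session lives 15 minutes
MFA_MAX_AGE = 5 * 60          # second factor must have been verified within 5 minutes


class ImpersonationError(Exception):
    """Raised when an impersonation request is refused."""


def record_mfa_success(admin_id, now):
    """Called by the admin login flow once the admin's second factor checks out."""
    ADMINS[admin_id]["mfa_verified_at"] = now


def issue_impersonation_token(admin_id, customer_id, now, reason):
    """Issue a short-lived, signed token that lets admin_id act as customer_id.

    The customer's own credentials are never involved: the admin proves who
    they are (with a fresh second factor), the server records the request,
    and the session carries both identities.
    """
    if admin_id not in ADMINS:
        raise ImpersonationError("unknown admin")
    if customer_id not in CUSTOMERS:
        raise ImpersonationError("unknown customer")
    verified_at = ADMINS[admin_id]["mfa_verified_at"]
    if verified_at is None or now - verified_at > MFA_MAX_AGE:
        raise ImpersonationError("fresh second factor required")

    payload = {
        "actor": admin_id,        # who is really at the keyboard
        "subject": customer_id,   # whose account the UI is showing
        "iat": now,
        "exp": now + IMPERSONATION_TTL,
        "nonce": secrets.token_hex(8),
    }
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    AUDIT_LOG.append({"at": now, "actor": admin_id, "subject": customer_id, "reason": reason})
    return body.hex() + "." + sig


def resolve_impersonation(token, now):
    """Validate the token on every request; returns the payload or raises."""
    try:
        body_hex, sig = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        raise ImpersonationError("malformed token")
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ImpersonationError("bad signature")
    payload = json.loads(body)
    if now >= payload["exp"]:
        raise ImpersonationError("impersonation session expired")
    return payload


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value (seconds)
    record_mfa_success("alice", t0)
    tok = issue_impersonation_token("alice", "acme-corp", t0 + 10, "support request")
    print(resolve_impersonation(tok, t0 + 60))
    print(AUDIT_LOG)
```

Two design points are deliberate. The token is bound to both the admin and the customer and expires on its own, so a leaked token is far less damaging than a leaked skeleton password, and the `actor` field means customer-facing audit trails can show that a staff member, not the customer, performed an action. In a real application the signed token would more naturally be a server-side session record keyed by an opaque ID, which also makes immediate revocation trivial; the HMAC form is used here only to keep the example self-contained.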

Thanks for the recommendation.
The logins are tied to their control panel configuration so I'm not sure if it's feasible to change the login options. You've given me a thought regarding admin accounts though - those could be forced to use two-factor authentication and maybe we could do something like entering the user's login name to change the loaded account details.

I'll pass that along to the team to see what they think.