In manufacturing facilities, it is common for shop-floor workers to use shared logins on a device. If that device contains CUI or export-controlled information, CMMC requirement AU.L2-3.3.2 (user accountability) comes into scope and is definitely a big concern – activity needs to be traceable to a specific individual user. So, while it’s technically possible to have multiple people using a shared account, it does create a compliance gap unless there’s a mechanism to track who accessed the system and when.

Using Duo + YubiKeys is probably the cleanest workaround if you need to stick with a shared account in the short term. You’d assign individual tokens to each user, which at least gives you an MFA log tied to a specific person. That’s not perfect from a CMMC perspective, but it gets you closer to traceability than a free-for-all login.

That said, the safest route is creating individual logins, even if they’re broken down by department (e.g., “shop.john,” “shop.mary”) – that way you stay aligned with audit requirements and reduce your exposure during assessment.
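As an added illustration (not part of the reply above, and not code from Duo or any CMMC tooling), here is what the "MFA log tied to a specific person" actually buys you once you have it: a small correlation script that ties each shared-account logon on a host to the person whose token passed MFA just before it, and flags the logons it cannot attribute. The log records below are constructed for this example, and their field names (`token`, `logon_id`, etc.) are simplifications, not Duo's real export schema or the full Windows 4624 event; the token-to-person table is something you would keep from your issuance records, not something the logs give you.

```python
"""Attribute shared-account logons to individuals via per-user hardware-token MFA.

Added example; the record layouts and field names are assumptions chosen for
clarity, not the real Duo authentication-log or Windows event schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SHARED_ACCOUNT = "shop-floor"
MFA_WINDOW = timedelta(seconds=90)  # how long before a logon an MFA success still counts

# Who holds which YubiKey (assumed mapping, kept from token issuance records).
TOKEN_OWNERS = {
    "YK-1001": "john",
    "YK-1002": "mary",
}

# Constructed MFA records for the shared account on one machine. In the shared
# account scenario the MFA "user" is the same for everyone; the token is what
# distinguishes people.
MFA_EVENTS = [
    {"ts": "2024-03-04T07:58:10", "host": "CNC-01", "user": SHARED_ACCOUNT, "token": "YK-1001", "result": "success"},
    {"ts": "2024-03-04T12:30:05", "host": "CNC-01", "user": SHARED_ACCOUNT, "token": "YK-1002", "result": "failure"},
    {"ts": "2024-03-04T12:30:40", "host": "CNC-01", "user": SHARED_ACCOUNT, "token": "YK-1002", "result": "success"},
    {"ts": "2024-03-04T15:05:00", "host": "CNC-01", "user": SHARED_ACCOUNT, "token": "YK-9999", "result": "success"},
]

# Constructed interactive logons for the shared account on the same host
# (think Windows event 4624 reduced to the fields this example needs).
LOGON_EVENTS = [
    {"ts": "2024-03-04T07:58:25", "host": "CNC-01", "user": SHARED_ACCOUNT, "logon_id": "0x3E7A1"},
    {"ts": "2024-03-04T12:31:02", "host": "CNC-01", "user": SHARED_ACCOUNT, "logon_id": "0x3F002"},
    {"ts": "2024-03-04T15:05:30", "host": "CNC-01", "user": SHARED_ACCOUNT, "logon_id": "0x40111"},
    {"ts": "2024-03-04T18:20:00", "host": "CNC-01", "user": SHARED_ACCOUNT, "logon_id": "0x41AAA"},
]


@dataclass
class Attribution:
    logon_id: str
    ts: str
    host: str
    person: Optional[str]
    token: Optional[str]
    status: str  # "attributed", "unknown_token", or "no_mfa"


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def attribute_logons(logons, mfa_events, token_owners, window=MFA_WINDOW):
    """Tie each shared-account logon to the person whose token passed MFA just before it.

    A logon is attributed to the latest successful MFA event for the same account
    and host within `window` before the logon. Each MFA success is consumed once,
    so one tap cannot vouch for two sessions. Logons with no such event are the
    rows an assessor will ask about.
    """
    successes = sorted(
        (e for e in mfa_events if e["result"] == "success"),
        key=lambda e: _parse(e["ts"]),
    )
    results = []
    for logon in sorted(logons, key=lambda e: _parse(e["ts"])):
        t_logon = _parse(logon["ts"])
        match = None
        for ev in successes:
            if ev["host"] != logon["host"] or ev["user"] != logon["user"]:
                continue
            if t_logon - window <= _parse(ev["ts"]) <= t_logon:
                match = ev  # later events overwrite earlier ones: keep the latest
        if match is None:
            results.append(Attribution(logon["logon_id"], logon["ts"], logon["host"], None, None, "no_mfa"))
            continue
        successes.remove(match)
        person = token_owners.get(match["token"])
        status = "attributed" if person else "unknown_token"
        results.append(Attribution(logon["logon_id"], logon["ts"], logon["host"], person, match["token"], status))
    return results


def compliance_gaps(attributions):
    """Return just the logons that cannot be traced to a named individual."""
    return [a for a in attributions if a.status != "attributed"]


if __name__ == "__main__":
    for a in attribute_logons(LOGON_EVENTS, MFA_EVENTS, TOKEN_OWNERS):
        print(f"{a.ts} {a.host} logon {a.logon_id}: {a.status:14} {a.person or '-'} ({a.token or 'no token'})")
```

Two of the four constructed logons come out attributed (john, then mary), one matched a token nobody is on record as holding, and one had no MFA at all; those last two are exactly the rows you would have no answer for in an assessment. The window is deliberately tight, and the correlation is still only as good as the assumption that the person who tapped the key is the person at the keyboard, which is why this is a stopgap rather than a substitute for individual accounts.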