diff --git a/src/Admin/Startup.cs b/src/Admin/Startup.cs
index 36623a8aa7..6248da8da6 100644
--- a/src/Admin/Startup.cs
+++ b/src/Admin/Startup.cs
@@ -5,6 +5,7 @@ using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.HttpOverrides;
+using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Routing;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
@@ -48,6 +49,10 @@ namespace Bit.Admin
 // Identity
 services.AddPasswordlessIdentityServices(globalSettings);
+ services.Configure(options =>
+ {
+ options.ValidationInterval = TimeSpan.FromMinutes(5);
+ });
 if(globalSettings.SelfHosted)
 {
 services.ConfigureApplicationCookie(options =>
diff --git a/src/Core/Identity/ReadOnlyEnvIdentityUserStore.cs b/src/Core/Identity/ReadOnlyEnvIdentityUserStore.cs
index f5586f6b8a..827c657ac4 100644
--- a/src/Core/Identity/ReadOnlyEnvIdentityUserStore.cs
+++ b/src/Core/Identity/ReadOnlyEnvIdentityUserStore.cs
@@ -1,4 +1,4 @@
-using System.Linq;
+using System.Collections.Generic;
 using System.Threading;
 using System.Threading.Tasks;
 using Bit.Core.Utilities;
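Review bot: The five-minute `ValidationInterval` set in the second Startup.cs hunk (`@@ -48,6 +49,10 @@`) has no comment saying what the value bounds. Until the next validation an already-issued admin cookie stays accepted, so removing a user from the configured list or changing their stamp can take up to five minutes to end a live session. A comment above the call would record that, for example `// Re-check the security stamp every 5 minutes so a removed or re-stamped admin loses access within that window.` The type argument of `services.Configure` is not visible in this rendering, so confirm it targets the security-stamp validator options. The enclosing method starts and ends outside the hunk.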
@@ -26,22 +26,38 @@ namespace Bit.Core.Identity
 }
 var users = usersCsv.ToLowerInvariant().Split(',');
- var user = users.Where(a => a.Trim() == normalizedEmail).FirstOrDefault();
- if(user == null || !user.Contains("@"))
+ var usersDict = new Dictionary();
+ foreach(var u in users)
+ {
+ var parts = u.Split(':');
+ if(parts.Length == 2)
+ {
+ var email = parts[0].Trim();
+ var stamp = parts[1].Trim();
+ usersDict.Add(email, stamp);
+ }
+ else
+ {
+ var email = parts[0].Trim();
+ usersDict.Add(email, email);
+ }
+ }
+
+ var userStamp = usersDict.ContainsKey(normalizedEmail) ? usersDict[normalizedEmail] : null;
+ if(userStamp == null)
 {
 return Task.FromResult(null);
 }
-
- user = user.Trim();
+
 return Task.FromResult(new IdentityUser
 {
- Id = user,
- Email = user,
- NormalizedEmail = user,
+ Id = normalizedEmail,
+ Email = normalizedEmail,
+ NormalizedEmail = normalizedEmail,
 EmailConfirmed = true,
- UserName = user,
- NormalizedUserName = user,
- SecurityStamp = user
+ UserName = normalizedEmail,
+ NormalizedUserName = normalizedEmail,
+ SecurityStamp = userStamp
 });
 }
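Review bot: `usersDict.Add(email, stamp)` and `usersDict.Add(email, email)` throw `ArgumentException` on a repeated key, so a list that names the same address twice, or that contains two empty entries from stray commas, makes every lookup fail rather than only the duplicated one. Assigning through the indexer avoids that, and skipping blank entries restores part of what the removed `!user.Contains("@")` check filtered: `if(email.Length == 0) continue;` followed by `usersDict[email] = stamp;`. An entry with more than one `:` also falls into the `else` branch and silently uses the address as its stamp, ignoring the configured value; rejecting or logging such entries would make the misconfiguration visible. The enclosing method starts before the hunk.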