Subset of users tied to specific machine/browser?

I’m using 16.0.1 for Nextcloud, but I need a way to authenticate a subset of my users to a specific PC and specific web browser. We have to use some shared accounts where there is high personnel turnover and we can’t be changing passwords every time someone new comes and goes, and we don’t want these shared accounts to be used from these users homes or mobile devices. So we need to use user certs or any other method that will allow browser access to a specific user account without having to type a username and password but keep it boxed in to a single physical location and browser. I don’t mind a password being there, it just cannot be the ONLY authentication mechanism so that I can keep users on a specific PC.

Any ideas on how I can accomplish this?