When looking at enterprises and organizations, there are many different business scenarios that can be present when addressing secure authentication. Whether those be shared workstations, remote workers, or even privileged accounts, there is one in particular that introduces its own difficulties: mobile device-restricted workplaces. It’s safe to say that there will always be workplaces which, because of the sensitive nature of the work going on there, will be mobile-restricted in some way. In those spaces, using the phone for anything is not an option – including user authentication before they’re allowed access to sensitive systems or data.
It’s important to remember that “mobile-restricted access” isn’t just referring to the “drop your phone in this secure box” scenario. In most cases, it will involve a lesser form of restriction – for example, you can use your phone in some areas of a building, but not others. What about remote locations where cellular connectivity is not reliable? Or a scenario where you can use your phone for some enterprise apps, but not apps that touch mission-critical functions. All of these environments make mobile authentication difficult or downright impossible.
This post will provide an overview of some of the most common restricted workspaces and address how they can still be protected without the use of a mobile device.
Common mobile device-restricted workplaces
The following types of workplace environments should consider a different user authentication option for strong security without hampering user productivity:
- Call centers – Nearly every phone today comes with a “spy package” consisting of a camera and audio recording capability. Call centers often have Personally Identifiable Information (PII) or other sensitive customer information freely accessible, so mobile devices are often verboten.
- The factory work floor – An industrial workplace might restrict devices for worker safety, environmental restrictions, or there may be sensitive data accessible in that space. Outdoor locations like an oil drilling station might require more rugged devices than your standard mobile phone can handle.
- High-security environments – Any workplace with high authentication assurance requirements, such as AAL3 and/or FIPS-validated authenticators, where phishing-resistant hardware security keys are required. These are often seen in government agencies and financial services firms. Additionally, administrators’ credentials are highly valued targets, so mobile authentication is probably not the best solution for them: a compromised administrator credential can cause significant damage.
- R&D labs – It goes without saying that the place where the most sensitive enterprise IP might reside cannot allow the presence of mobile devices that can easily record video or take a photo and then be carried out with that material. If labs require mobile phones to be left by the door, a smart card or FIDO security key would be more appropriate.
- Remote stations – A weather station, observational data post, offshore drilling platform, or research facility that is far from reliable cell service, which renders most mobile devices useless without expensive mitigating infrastructure.
- Airplanes – You’ve probably been there. You have a long flight and can only connect to the Internet through a network that you’re not sure is compliant with your authentication system. Employees who spend a lot of time in the air require an alternative MFA authentication process if mobile won’t work with in-flight systems.
- Areas BYOD-restricted by union or government rules – “Bring Your Own Device” regulations are becoming more common here and in countries around the world. These rules do not allow personal devices to be used for work-related tasks without compensation. If a company is not willing to issue work-only mobile devices, mobile authentication could be off the table.
- Customer-facing environments – Companies, especially in the hospitality and retail industry, strive to have the best in-person experience with their customers. As a result, many restrict the use of mobile phones as it creates a perception that the employee is not fully engaged with the customer.
In addition to the above mobile restriction considerations, it is important to consider the following topics as you deploy phishing-resistant (smartcard or FIDO/WebAuthn-based) MFA for users:
- Adaptable for shared workstations – Often those stations might already be in spaces with physical security controls, but the stations themselves should be supplemented with phishing-resistant authentication for added security. A flexible workstation will allow fast and secure task-switching between users ending and starting their shifts.
- Ruggedized devices that don’t need connectivity – Ruggedized authenticators can operate in any condition, without cellular connectivity for instance, and secure a range of computers and other endpoints whether those endpoints are working offline or on the network.
- Easy user experience (UX) – Don’t forget the users! Before embarking on a solution, take some internal survey feedback to better inform how to make it convenient for real people. An internal rollout team with good communication will make the change management process a little easier. It will also help if the intended solution has intuitive capabilities and self-service options in order to empower the end user and prevent costly post-implementation support costs.
- Ready for complex environments – A solution will look different depending on what is already set up. Organizations with primarily on-premise infrastructure could opt for a smart card-based security approach for example, while those using a primarily cloud-based environment might consider a modern FIDO-based approach.
- Protects your supply chain – The supply chain isn’t just the physical provision of goods and services anymore – it encompasses all of the partnership and business relationships an enterprise might have, including digital ones. A solution that stays ahead of malicious innovation, backed by anti-phishing policies and phishing-resistant authentication, can help prevent ransomware or malware attacks.
- Supports compliance and regulations – Given recent U.S. federal regulations like 2022’s OMB M-22-09 on Zero Trust, make sure the solution is focused on smart card (PIV) or WebAuthn phishing-resistant MFA technologies, which will be essential to meeting compliance requirements.
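The phishing resistance that the considerations above rely on comes from the relying party checking that a FIDO/WebAuthn assertion is bound to its own origin and RP ID, a check that needs no phone and no network connectivity on the user's side. The following is an added illustration, not code from the original post or from any vendor's product; the RP ID, origins and the constructed assertion data are assumptions made for the example.

```python
import base64
import hashlib
import json
import secrets

# Relying-party configuration (constructed for this illustration).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}

FLAG_USER_PRESENT = 0x01   # authenticator saw a touch
FLAG_USER_VERIFIED = 0x04  # authenticator also verified PIN/biometric


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes, require_uv: bool = True) -> bool:
    """Return True only if the assertion is bound to our RP, origin and challenge.
    Signature verification against the stored credential public key follows
    this step in a full relying party and is not shown here."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False
    # The challenge must echo the nonce this server issued, so a captured
    # response cannot be replayed for a later login.
    got = b64url_decode(client_data.get("challenge", ""))
    if not secrets.compare_digest(got, expected_challenge):
        return False
    # The browser, not the user, fills in the origin: a response produced on a
    # lookalike site carries the lookalike origin and is rejected here.
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False
    if len(authenticator_data) < 37:
        return False
    # The security key hashes the RP ID it actually used into bytes 0..31.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    flags = authenticator_data[32]
    if not flags & FLAG_USER_PRESENT:
        return False
    return bool(flags & FLAG_USER_VERIFIED) or not require_uv


def make_auth_data(rp_id: str, flags: int, counter: int = 1) -> bytes:
    """Construct authenticatorData as a key would emit it (for the example)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Construct clientDataJSON as a browser would emit it (for the example)."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()
```

With these helpers, an assertion minted on the genuine origin passes, while one produced on a lookalike domain fails the origin and RP ID checks even though the user touched a real key.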
——
To learn more about mobile-restricted environments, read the “Best Practices for Securing Mobile-Restricted Environments” white paper.