How can I enhance laptop security in a corporate environment?

Asked By TechNovice42 On

Hey everyone! I'm looking for some advice on improving the security of laptops in my corporate office. Currently, we use BitLocker with a pre-boot password, then log in with a regular Windows password. We also use Intune for management, and our new laptops will come equipped with Face ID. Our setup includes both Windows and MacBook systems. I'm interested in integrating YubiKey for added security, but I'm struggling with how to create a passwordless experience. Ideally, I want to have the following security flow: after the BitLocker password, I would insert the YubiKey on the lock screen for authentication with Windows Hello for Business (WHFB) or a 2FA code. We're a high-security organization, so I want to adopt a secure login process that isn't overly cumbersome. Also, I would prefer to avoid YubiKeys with fingerprints because of their cost. Any suggestions would be awesome!

2 Answers

Answered By SecureUser99 On

If you're looking for high security, you might want to consider using a Virtual Desktop Infrastructure (VDI). A well-implemented VDI can provide top-notch security since it essentially minimizes the risk associated with stolen devices. With VDI, your data stays on the server, and even if a laptop gets stolen, the impact is minimized. Just be careful with the user experience—adding too many steps to login might frustrate your team.

PracticalThinker88 -

I see your point, but keep in mind that users who might be offline would struggle with VDI access. Plus, if you've invested in new laptops, it sounds like you'd prefer to keep them as the primary systems. Is there any physical security measure that could work better for your team?

MFAEnthusiast77 -

While VDI is an interesting solution, ensuring practicality for a large user base could be challenging. Have you considered a more physical option like integrating DUO for MFA alongside a secure key like YubiKey? It might give you the added layer you need without going down the VDI route.

Answered By DataGuardian23 On

Have you thought about a behavior-based security system? Essentially, you can monitor workstations to create a baseline of normal behavior, then implement a 2FA challenge when something unusual happens. This balances security with user experience pretty well since it assesses risk dynamically.
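The baseline-then-challenge idea from this last answer, sketched as an added example that is not part of the original thread or any product's code. The event fields, weights, thresholds and sample sign-ins are all assumptions constructed for illustration.

```python
from collections import Counter

MIN_HISTORY = 5    # assumed: fewer baseline events than this means "always challenge"
CHALLENGE_AT = 2   # assumed: risk score at which a 2FA prompt is raised

# Constructed sample sign-ins: (user, hour_of_day, workstation, network)
HISTORY = [
    ("alice", 8, "LT-0142", "office"), ("alice", 9, "LT-0142", "office"),
    ("alice", 9, "LT-0142", "office"), ("alice", 10, "LT-0142", "office"),
    ("alice", 17, "LT-0142", "home"), ("alice", 18, "LT-0142", "home"),
    ("bob", 9, "LT-0200", "office"), ("bob", 10, "LT-0200", "office"),
]

def build_baseline(events):
    """Summarise each user's normal hours, workstations and networks."""
    baseline = {}
    for user, hour, host, net in events:
        b = baseline.setdefault(
            user, {"n": 0, "hours": Counter(), "hosts": set(), "nets": set()})
        b["n"] += 1
        b["hours"][hour] += 1
        b["hosts"].add(host)
        b["nets"].add(net)
    return baseline

def hour_is_usual(hours, hour, window=2):
    """True if `hour` is within `window` hours of any seen hour (wraps at midnight)."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= window for h in hours)

def assess(baseline, event):
    """Score one sign-in against the user's baseline and decide on a 2FA challenge."""
    user, hour, host, net = event
    b = baseline.get(user)
    if b is None or b["n"] < MIN_HISTORY:
        # Cold start: no trustworthy baseline, so fail closed and challenge.
        return {"score": None, "reasons": ["insufficient history"], "challenge": True}
    score, reasons = 0, []
    for weight, unusual, reason in (
        (2, host not in b["hosts"], "new workstation"),
        (1, net not in b["nets"], "new network"),
        (1, not hour_is_usual(b["hours"], hour), "unusual hour"),
    ):
        if unusual:
            score += weight
            reasons.append(reason)
    return {"score": score, "reasons": reasons, "challenge": score >= CHALLENGE_AT}

BASELINE = build_baseline(HISTORY)
```

A single weak signal (a new network at a normal hour) stays below the threshold, while a new workstation or two weak signals together trigger the challenge.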
