I have a client in the healthcare sector looking for a secure yet user-friendly authentication solution. Their team frequently shifts between different workstations while wearing gloves and masks, so we need something efficient. Although we're familiar with Windows Hello for Business, Entra, and Active Directory in a hybrid setup, we lack experience with physical key-style logins.
Here's what we're aiming for:
- Each user will have a security card they can wear on a retractable lanyard.
- Users can tap their card on a card reader at the workstation to initiate the login process.
- If it's the user's first time logging into that workstation, they will be guided to create a Windows Hello PIN.
- For returning users, they only need to enter their existing Windows Hello PIN.
- From there, seamless Single Sign-On (SSO) and Conditional Access policies will take over.
- To log off, users just need to tap their card again.
- If a different user taps their card while another is logged in, the current session will end, and the new user will begin the login process.
Additional details:
- We have over 50 users and more than 100 workstations spread across two sites.
- Using Yubikeys seems impractical because they could easily be lost or left behind. Also, USB ports may not be easily accessible due to space constraints around the workstations.
- While native Windows Hello and Windows 11 login could work, we are trying to decrease login fatigue since users log in and out frequently. We'd like to limit credential typing to just Windows Hello PINs.
Has anyone implemented similar solutions? I'm interested in hardware options (like RFID, NFC, Bluetooth, or cards) and best practices for IT administration regarding card and user provisioning. Any advice would be greatly appreciated!
3 Answers
Since you mentioned you have on-premise Active Directory, that's crucial. There are specific limitations on how many users can be enrolled on a single device with Windows Hello for Business due to TPM restrictions. Keep that in mind when planning your rollout!
It sounds like you have a solid plan in place! We deployed Imprivata in a similar healthcare environment, and it's been fantastic for managing Windows logins with on-prem Active Directory. Just keep in mind to carefully evaluate how it integrates with other systems you may be using. Imprivata is highly regarded in medical settings for a reason!
Considering your organization’s scale, I would suggest looking into configuring Yubikeys for smart card authentication if you can minimize the issues you noted. They can be very secure compared to some alternatives, even if they're a bit tricky to manage. Plus, they can help streamline user authentication across devices!
That's a good point. User training would be key to address the Yubikey loss issue. Maybe if you offer keychains or proper storage for them, it might help!
Yeah, I've seen Imprivata solve a lot of issues with logins at hospitals. Just be sure it fits with your current tech stack before diving in!