I'm working in an organization where IT is understaffed, and our budget is significantly lower than what you'd find in comparable companies. We have many blue-collar employees who share computers and log in using standard usernames and passwords without any multi-factor authentication (MFA), since most of them don't have company phones and are hesitant to use their personal ones. Currently, if someone forgets their password, they have to contact their supervisor, who then has to reach out to us for a reset. This process puts unnecessary strain on the supervisors for something as simple as a password change. Ideally, I'd like to provide phones to all workers, but the budget doesn't allow for that. What are some effective ways I can enhance the security of their logins and simplify the password reset process?
14 Answers
Consider using old mobile phones with authentication apps like Microsoft or Google Authenticator for 2FA. They just need WiFi access, no phone signal required.
Hardware tokens are ideal. If workers only need access at the workplace, you could set up an MFA conditional access policy, excluding on-site IPs for added security.
Implementing YubiKeys is definitely a smart choice. Just keep in mind that they won’t fully handle the password forgetting issue since a PIN is required too, and you can't change that remotely.
So, do you really need them to log into shared computers? What tasks do they perform on them? You might be able to create service accounts for those computers and set them up to log in automatically.
You could buy a bunch of old Android devices, set them up to only run an authentication app, and turn on self-service password reset features. That way, workers can reset their own passwords via MFA without needing IT for every change.
No way! They have to use their own phones for MFA? There’s absolutely no reason they shouldn’t be required to if they have access.
Just a heads up, be cautious if the supervisor has let them set the same passwords. We found out that a lot of domestic workers shared the same password hash in a recent audit... so rolling out YubiKeys may be necessary.
If hardware tokens aren't feasible, could you assign the password reset responsibility to the supervisors? Though, I understand there might be restrictions in place for that.
Either hardware tokens or delegating would work well. Both could be solutions!
Have you thought about Microsoft’s new SMS sign-on for frontline workers? It might be worth a look even though Microsoft tends to overlook the needs of shared PCs.
You might want to look into hardware tokens like YubiKeys. These would allow you to implement MFA without the need for a monthly phone plan.
I was hoping for other solutions. The company previously used an outdated hardware token system and switched all blue-collar workers back to passwords. Now, with the new thin clients, if passwords expire, users can’t log in or change them. It’s a total mess!
Totally get that! It's a tough spot when the tech evolves but the budget doesn’t.
What kind of work environment is this for? If the computers are in a rugged setting, YubiKeys might not be your best option, as they could get damaged or dirty easily.
Using something like YubiKeys or RSA tokens seems to be the most practical move here.
Right on! Definitely the way to go.

That’s the best route! But unfortunately, there’s a restriction preventing us from delegating that task.