I'm in the real estate industry and we often hire contracted security guards to manage front desks at various locations. Since we sometimes don't know who will show up for a shift until they arrive, it creates challenges with logging into our systems for tasks like unlocking doors or accessing package lockers. We usually rely on shared accounts for them to log in, but that raises security concerns since multiple people end up knowing the same password and we face issues with multi-factor authentication (MFA) prompts when someone else gets a notification. We're considering using a locked device for MFA at the desk, but that still doesn't prevent all staff from knowing the password. Has anyone dealt with a similar situation and found effective solutions? We're working with Windows desktops that require on-prem Active Directory integration, so solutions that don't rely on temporary codes aren't really feasible right now.
6 Answers
One solution is to have all third-party contractors go through an MFA enrollment process and eliminate shared accounts altogether. This creates a more secure environment since only authorized individuals would have access.
It's impractical to screen them all. Most are just there for 8 hours and will be gone by tomorrow.
You might think about using a kiosk for door access instead. This way, you're not relying on individual logins and can secure it better.
Consider moving these exceptions outside your main infrastructure. You could set up a temporary login for them, image the workstation, and restrict access to only what's absolutely necessary. If they need access to 365 services, perhaps use a passwordless system with a token that can be secured with a PIN.
I like that idea! We have something similar with Faronics DeepFreeze, which makes the workstation ephemeral and helps with security.
Identifying necessary applications within 365 could help streamline what needs to be accessible.
From my past experiences in property management, negotiating with the vendor to provide a device for MFA could alleviate some issues. They should be responsible for supplying a means of access, but if they resist that, maybe their employees need a company phone for during their shifts.
That’s a tricky road, especially if it means asking for things they’re not willing to provide.
What happens if the guard can’t log in? Are you prepared for service interruptions if that happens?
This seems more like an organizational issue. If you've got unidentified individuals accessing your systems, that's a major red flag. Ideally, you’d want them to use their own secured systems for logging in. It keeps everything more streamlined and secure.
I get your point but changing policies takes forever, especially when it involves the whole organization. We just need a quick fix for now!
True, but waiting on the perfect solution often makes things worse in the meantime.
You could also look into using a YubiKey for MFA at the desks. Instead of relying on users' phones, which can complicate the process, using a physical token could simplify things significantly.
That's a solid point! Using a YubiKey instead of an iPad could make the whole process less cumbersome.
Definitely safer! It lets you control access without sharing traditional passwords.

But isn't that going to lead to a ton of password reset requests during late hours? This could get messy really fast!