I'm curious about what tools companies are using for signing in floor and warehouse workers with EntraID. Microsoft has QR codes paired with a PIN, but there are some logistics to consider. Employees already have a small NFC chip for door access, but it seems Microsoft only supports NFC with FIDO. Currently, employees are using various custom Android apps and thin clients for remote desktops. The main requirement here is multi-factor authentication (MFA) for EntraID self-service password reset (SSPR). We want to know what other companies are implementing, especially since we can't mandate employees use personal devices. Are there affordable NFC-enabled FIDO2 keys available? We're projecting a need for about 50,000 devices but might start with a smaller test. We've been using Yubikey FIDO2 for admin staff, but those are too pricey for a large workforce, and it adds extra devices. I also see cheap TOTP hardware tokens as a potential option; they might help with MFA for password resets, but they aren't passwordless. The access for these users is quite limited, mostly from internal IPs, and the main issue is managing cloud identities.
5 Answers
Some clients in healthcare use Imprivata for similar sign-in needs. It might be worth exploring that or similar solutions.
Have you considered Windows Hello? Could be a good option, but it might have maintenance challenges at scale since you have shared workstations.
Windows Hello sounds nice, but managing it across shared devices could lead to a lot of upkeep. A FIDO2 solution might be better, although I haven't found printable NFC ID cards for less than $11 each, and most vendors say to contact them for bulk prices.
Why not just go for QR codes? You could easily attach them to workers' badges.
Not the OP, but the current QR code setup has some limitations that make it feel not quite ready for widespread use.
They don’t use badges; just keyfob NFCs for access. Badges could be an option in the future, though!
It’s tough dealing with lots of users without company-paid phones nowadays. We bought TOTP hardware tokens for added security since we’re still on-prem. They help with password resets and identity verification at our Service Desk.
I want to move away from using the Service Desk altogether; local managers should really handle those issues.
Check out Microsoft’s built-in QR code and Shared Device Mode features; they seem tailored for your scenario and could be cost-effective and easy to integrate.
But if the OP is using an obscure feature, they're probably going to be beta testing for Microsoft, which could be... fun.
Haha, I call it an enterprise pyramid scheme jokingly, but it actually works well for us. Our readers can handle various setups.