No discussion about securing organizations with a strong passwordless and/or multi-factor authentication (MFA) solution can be complete without considering a very important category of employees – frontline workers. Gartner estimates that worldwide there are 2.7 billion frontline workers – more than twice the number of desk-based employees. And yet, there remains a lack of awareness of issues specific to frontline worker authentication or solutions available to address them effectively. Quite a few organizations have chosen to tackle these difficulties by creating carveouts from MFA requirements when it comes to frontline workers. Needless to say, such an approach puts the entire organization at risk. There are, however, much better alternatives.

 

Who are Frontline Workers?

 

Gartner defines frontline workers as follows:

 


"A frontline worker is an employee that directly produces goods or delivers services. These workers perform their duties in physical locations where they interact with customers or handle essential tasks." 


 

Examples include clinical personnel in healthcare, retail and service associates, first responders and assembly-line workers. Currently, frontline workers make up about 80% of the global workforce and are in high demand among companies. For reasons outlined below, frontline workers often create vulnerable environments in an organization that are particularly prone to cyberattacks.

 

Common Challenges with Frontline Worker Authentication

 

Certain aspects of frontline worker environments make their authentication challenging, which may lead to risky carveouts from good practices of phishing-resistant authentication and MFA. Some of these challenges include:

 

Resistance to or Inability to Use Standard MFA Technologies

 

  • Frontline workers are often unable or unwilling to use their personal phones, thus making phone-based MFA schemes (e.g. OTP or authenticator apps) impossible to implement. Many environments outright prohibit the use of personal phones, such as healthcare facilities, call centers, manufacturing floors, big-box retailer warehouses, etc.
  • Some frontline workers may not be technologically savvy and tend to resist advanced authentication tools such as hardware security keys.
  • Many frontline workers have to wear special work attire such as gloves, face masks and protective suits, making it a challenging proposition to require them to type a PIN, let alone a complex multi-digit password, or to use biometrics for login (common preconceptions and legal complexities aside).
  • Friction associated with implementation and user onboarding for many passwordless and MFA technologies is not well tolerated by most organizations.

 

Shared Workstations and Shared Accounts

 

  • Shared workstations are very widespread in frontline environments. Good examples are healthcare facilities or manufacturing assembly floors. In the case of the former, patient privacy requirements make it necessary for each clinical staff member to log in as themselves and only get access to their data. Also important is fast and secure logout, or even presence-based logout, to ensure a session is terminated before another user approaches the station. Similar considerations apply to shared devices in manufacturing facilities.
  • Aside from shared workstations, there is also the much bigger problem of shared accounts. While such a practice is strongly discouraged and organizations are advised to get rid of shared accounts immediately, the need for them to be specifically tailored to frontline environments has caused them to persist. This need can be born out of high turnover rates of frontline staff, or cost savings associated with purchasing a software application with only one user license and creating a shared account. Employees with shared accounts may not even have a company e-mail address, making user onboarding for many MFA solutions very challenging. It is also very difficult to track and audit the activity of users with a shared account on an individual basis.

 

Are Passkeys the Solution?

 

FIDO2 and passkeys have deservedly been receiving a lot of attention, being the most advanced, secure and phishing-resistant authentication technology available today. FIDO2 hardware security keys, especially ones with NFC technology enabling a tap-and-go login experience, seem like a good answer to some of the frontline environment use cases. However, serious issues remain unsolved. While some handling of shared workstations is possible with FIDO2 security keys, there are limitations imposed in most commercial platforms (for example, no more than 10 different security keys can be registered in Windows Hello). Synced passkeys have solved the “one user, many devices” problem, but not the “one device, many users” one. And neither passkeys nor hardware security keys have solved the shared account problem. Deployment, lifecycle management and user onboarding for FIDO2 security keys at scale are challenging in large organizations.

rf IDEAS has recently teamed up with IDmelon Technologies to offer the ConvergeID™ Passwordless Platform, a solution based on FIDO2 that is ideally suited for frontline worker authentication. Via software, a user’s standard physical access card is converted into a FIDO2 security key that can be used for seamless, tap-and-go login to PCs and any application that supports FIDO2. Some frontline workers may not have an e-mail address, some may not be able to use their mobile phone, but if there is one thing that every single worker has, it’s a badge. A powerful administration panel makes user onboarding seamless – workers can be enabled overnight with no action required on their part and with no knowledge whatsoever of FIDO2 technology. Easy onboarding, offboarding, activity auditing, security key management and workflow automation are some of the compelling features of the solution. Security policies can be defined based on a user’s role, geographic location, device, time of day, etc. Shared accounts are handled effectively, since there is no limit on how many security keys can be assigned to a given account – while activity can still be tracked by individual user.

Ready to explore what the ConvergeID™ solution can do for your frontline worker authentication use case? Contact rf IDEAS to set up a demo today.
