Floor and warehouse workers vs EntraID ?
Posted by povlhp@reddit | sysadmin | 39 comments
What are people using for floor and warehouse workers when it comes to EntraID sign-in?
Microsoft is offering QR codes (limited lifetime) with a PIN, but there is some logistics around this. Employees already have a small NFC chip for opening doors etc. (not sure if MIFARE), but Microsoft does not seem to support NFC except for FIDO.
Employees are using custom apps on Android, and other stuff as well. Thin clients with a remote desktop (usually a shared user, and sign-in to individual apps). But the main need for MFA is for EntraID SSPR.
What are other companies doing? We can't demand employees use their own device for anything.
What options are there for cheap NFC-capable FIDO2 keys? We might need 50k devices over time, but likely would want to run a smaller test.
We already use YubiKey FIDO2 for high-priv admins, but they are too expensive for tens of thousands of employees. And it will be an extra, somewhat bulky device on top of
I still see cheap TOTP hardware tokens as an option as well, if cheap enough. That is not passwordless, but it will at least give them MFA for password reset. Users have very limited access, and only from internal IPs. Our main challenge is that they are now all cloud identities.
JwCS8pjrh3QBWfL@reddit
A- If you have tens of thousands of employees, you are large enough to afford this.
B- Look into their subscription service, rather than purchasing them at face value. You will find that their standard offerings are significantly cheaper, and there are a couple of device types that are locked behind that service that are even more affordable.
povlhp@reddit (OP)
Which vendor are you talking about here?
JwCS8pjrh3QBWfL@reddit
Yubico
DocDerry@reddit
Conditional Access restricted to those IPs to ignore MFA?
rcdevssecurity@reddit
Synchronize your EntraID users to some more traditional system (our product does this to LDAP) and use whatever options this opens. We've had a client thinking about installing GSM antennas in their warehouses and using EAP-SIM over RADIUS. They were at a point where the cost became lower than the number of Wi-Fi APs needed. Software-side, FreeRADIUS and whatever product you have behind it can handle the rest.
Jeff-J777@reddit
I am in the process for this now with our warehouse workers. We have a bunch of Honeywell CT47 Android devices. They are all managed with Soti MobiControl, but I just configured Android shared device a few weeks ago.
I looked into the QR code setup, but since the PIN has to be 8 digits long and has an expiration date, I just abandoned that. The PIN is almost as long as our password requirements, so why not just use the password anyway.
I am looking into making a QR code with their email address that they can scan and then just type in their password. We will either stick it to a badge, or use a 3D printer to make the QR code.
But we also limit these accounts with conditional access so they can only login to M365 from our public IP blocks.
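The Conditional Access restriction mentioned in this post, and the IP-based MFA exemption DocDerry asks about, as an added example that is not from the thread or from any of the commenters. It uses the Microsoft Graph PowerShell SDK (`New-MgIdentityLocationNamedLocation`, `New-MgIdentityConditionalAccessPolicy`); the CIDR blocks, the location name and the "Frontline Workers" group are constructed placeholders and must be replaced with your own:

```powershell
# Added example. Assumes the Microsoft Graph PowerShell SDK is installed and the
# signed-in admin has the scopes below. All names and IP ranges are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# 1. Named location holding the company's public egress blocks (constructed values).
$locationBody = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Warehouse public egress"
    isTrusted     = $true   # lets other policies treat these IPs as a trusted location
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "198.51.100.0/25" }
    )
}
$location = New-MgIdentityLocationNamedLocation -BodyParameter $locationBody

# 2. Security group containing the frontline accounts (assumed to already exist).
$group = Get-MgGroup -Filter "displayName eq 'Frontline Workers'"
if (-not $group) { throw "Frontline group not found; create it before running this." }

# 3. Block sign-ins to Office 365 for that group from every location except the one above.
#    Start in report-only so the sign-in logs show what would have been blocked.
$policyBody = @{
    displayName = "Frontline: block sign-in outside company IP ranges"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @("Office365") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
```

The block policy above is the half that limits where the accounts can be used. Skipping MFA from the trusted ranges, as DocDerry suggests, is a second, separate policy that requires `mfa` for the group and lists the same named location under `excludeLocations`; keep in mind that it turns every device on the internal network into a password-only path to those accounts, so review the report-only sign-in logs and the Conditional Access "What If" tool before flipping `state` to `enabled`.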
povlhp@reddit (OP)
70% of floor workers will leave before the end of the PIN. A PIN is easier to enter on a huge numeric keypad.
But we still have the challenge with the 30% that need renewal.
patmorgan235@reddit
Maybe some sort of smart card credential doing Certificate Based auth?
povlhp@reddit (OP)
Android mostly. So NFC. Some are thin clients. Some on OT / old windows.
patmorgan235@reddit
There are some dual smart cards and NFC credential cards out there
lart2150@reddit
Smart cards (PIV) work with Android (USB) and any version of Windows that should be talking to Entra. YubiKey 5 series can act as a smart card. PIV also works well over remote desktop, where FIDO2 only works well over remote desktop for Server 2022 and higher.
teriaavibes@reddit
Why can't you do the QR codes? Just slap it on the back of workers badge and call it a day.
BrorBlixen@reddit
Not the OP, but there are some shortcomings to the current QR code system that make it feel like a beta test.
teriaavibes@reddit
Could you list them by any chance? I haven't run into any so interested in what others struggle with.
BrorBlixen@reddit
It lacks bulk operation support on the front end. That's not a problem if you have a few hundred frontline users and a small IT team that can script around it. If you have 40,000 frontline workers and a large IT staff, that becomes a process problem.
chesser45@reddit
Big one right now is the deployment method basically needs to be scripted to be of value.
povlhp@reddit (OP)
Don't have badges. They have the small keyfob NFC. But I have been thinking of badges as well. But that is a different department.
teriaavibes@reddit
Just off topic question but if you were to walk up to a warehouse worker, how exactly would you know they are an actual employee and not an intruder if they don't have a badge?
Important_Scene_4295@reddit
Depends on the size of the operation. I worked at a place that had hundreds of factory workers. They issued badges to them but nobody else. My current company has 4 warehouse workers. It would be ridiculous to ask them to wear ID badges...
GloveLove21@reddit
You'd be surprised. I am one of 4 IT people, yet I'm required to identify myself and sign in when I travel to other locations, where staff know who I am.
arvidsem@reddit
And it feels kind of ridiculous every time doesn't it?
GloveLove21@reddit
100% of the time, every time. I made the point last time at our HQ: "I have 24-hour access to this building. Who am I supposed to have verify my sign-in at 1 AM when I come in for a maintenance window?"
teriaavibes@reddit
Yeah, but if the badge also unlocks the doors, I don't really see an extra inconvenience.
Of course, that is not relevant here as they have another solution.
Candid_Ad5642@reddit
Why shared user on the remote desktop?
Why not give them separate logins to that, and use single sign on from there?
On a side note, I f-ing hate those keyfobs. Regular badges will usually work just as well; you don't need to print a full ID on them, but you can. But most importantly, you can store a bunch of them in any kind of wallet (so I have one dedicated to these). The keyfobs will be somewhere in the flotsam in the bottom of the bag; thankfully the few I have are in different colours so I can actually tell them apart.
povlhp@reddit (OP)
Sign-on is slow. And they might pick any thin client on the floor. And more desktops = more resources. And more licenses. We have device licenses. Why pay for 10 times as many users?
GloveLove21@reddit
Would Windows Hello be an option?
chesser45@reddit
Windows Hello at scale with shared workstations IMO would be a lot of maintenance. Could do PIN, but it sounds like they have PCs and handhelds/guns, so what would really be desirable would be FIDO2 YubiKeys / ID cards, but I've not seen a FIDO2 NFC printable ID card for less than around $11 each without super bulk "contact us for pricing".
GloveLove21@reddit
Totally agree that it could be maintenance intensive, but in my opinion it would be a good option to at least try a pilot run on. Would save money not having to purchase FIDO2 keys for each employee.
chesser45@reddit
It’s something I think about trying as well. In a similar situation with the number of frontline positions and we are also looking at trialing QR, waiting on a gun upgrade to support shared login and docked logoff processes.
WHfB has been rolling out, but not sure about that for frontline yet; we are struggling enough with SSPR.
povlhp@reddit (OP)
We have WHfB working for office workers.
Pre-provision mobile phone number from the HR system when people get employed. Random password, and they do SSPR prior to first login.
In one country all users, including floor and warehouse staff, get provisioned with SMS MFA for SSPR as well.
In other European countries people don't relate to their workplace the same way. They come and do what they're told and get the paycheck.
povlhp@reddit (OP)
Most devices are Android and OT devices.
GloveLove21@reddit
Ah yes, I missed that part in your post.
gopal_bdrsuite@reddit
Take a look at Microsoft's built-in QR code and Shared Device Mode capabilities. These are designed specifically for your use case and are likely the most cost-effective and integrated solutions.
adappergentlefolk@reddit
but because the op will be using a relatively obscure feature they’re going to be beta testing it for microsoft, fun
povlhp@reddit (OP)
We are also beta testing Intune. Microsoft thinks week-long issues are fine.
Cormacolinde@reddit
I have some customers in the healthcare industry with similar needs who use Imprivata, I would look into that and similar products.
Bogus1989@reddit
Yeah, lmao, I refer to them as an enterprise pyramid scheme as a joke, but we have them working with everything. Badges work for us, but the readers we use can be programmed to work with about anything.
NovelZestyclose1756@reddit
That is a problem; we have something similar. Generally, having many users without company-paid phones is problematic these days. We bought a bunch of TOTP hardware. We will be using passwords in the future also, and we are on-prem. Hence we use another product, but it aids Self-Service Password Reset and Identity Verification in the Service Desk as well.
povlhp@reddit (OP)
I want to remove the service desk. The local manager should handle some stuff.