Identity Guardian uses face biometrics and an encrypted barcode to prevent unauthorized users from seeing sensitive business data and help authorized users access that data faster. Here’s how it works.
When you hear that an organization is recovering from a cyberattack or data systems breach, you might assume it was a victim of hackers who are holed up in a dark room halfway around the world. And maybe it was. However, it’s just as likely that the data breach was initiated by someone who was arm’s length away from your front-line workers (and your corporate-owned mobile devices).
Did you know that lost and stolen mobile devices were the leading cause of healthcare data breaches dating back a decade?
It’s true. In 2014, a study found that 68% of security breaches were due to the loss or theft of mobile devices or files, and 48% of data lost was on a laptop, desktop computer, or mobile device. (For comparison, it’s reported that only 23% of the breaches on the Department of Health and Human Services’ “Wall of Shame” at the time were a result of hacking.)
Now, according to the global organizations surveyed for Verizon’s 2022 Mobile Security Index, only 45% reported experiencing a mobile-related data breach in the months prior. While you might consider that an improvement compared to 2014 numbers, the reality is that 73% of those who reported mobile-related breaches described the incident impact as “major.” That’s because it only takes a single breach of a mobile device to wreak havoc on your business.
That’s why you should always be assessing your security measures and closing gaps when possible. The more layers you can add to your technology systems, the less likely you are to be a victim.
With that in mind, I want to let you know about a new security tool you can leverage on your Zebra Android mobile devices. It helps prevent unauthorized parties from accessing your business systems and data while simultaneously making it easier for authorized employees to access systems and data allowed per their individual or role profile.
It’s called Identity Guardian, and it’s a multifactor authentication tool that currently uses face biometrics and a unique encrypted barcode to identify authorized device users (i.e., your employees) and quickly log them into the corporate-owned devices they’re using for work. Watch this:
The beauty of this new authentication method is that your employees don’t have to worry about creating or repeatedly typing in a complex 14-16-character personal identification number (PIN) to access devices they’re sharing with co-workers or even an individually assigned mobile device. They just have to scan a barcode to unlock the device and let the device know who’s trying to log in; then they scan their face to confirm they are really who the barcode says they are. That’s it. Two scans and they’re in. No more inputting PINS or passwords (unless you want to add a third authentication layer). It’s the fastest and simplest way I know to access a company-owned device with personal login, and it’s just like accessing a personal device, so there’s no learning curve for your employees.
Now, I’m sure you want to know more about how Identity Guardian works, what you need to do to get it on your devices, and how this type of device access system compares to other multifactor authentication methods. So, let me answer some questions I’m already receiving from business and IT leaders in our conversations:
Q: You said that device users must scan a barcode first. Is that barcode printed on an employee badge?
The barcode can be printed on a badge, a card, or even a simple piece of paper whatever you prefer. It will need to be always carried by the employee, though, so it will need to be in a hard-copy format.
Q: What happens if the employee loses their barcoded access card or document?
You can generate a new barcode for them. Because the barcode is only the first step in user authentication, it won’t work without the barcode owner also scanning their face (biometric) or entering their unique PIN.
Q: I thought you said a PIN is no longer needed?
Some employees may not want to use their face for authentication purposes. However, you still need a multi-factor authentication method. So, in these cases, an individual PIN can be assigned to each employee as the second authentication factor. Additionally, you may want employees to authenticate via the encrypted barcode, a biometric (i.e., their face), and a third factor in highly secure environments. In these instances, a PIN may be warranted as that third verifier. However, the PIN may not need to be as complex (i.e., 16 digits) since it’s no longer the sole authentication/device access mechanism.
Q: Will the device user need to scan their barcode and face every time their device locks out and they need to get back in?
Most likely, yes. However, we give you the flexibility to set the authentication policy for your fleet of Zebra devices. So, if you want them to use multi-factor authentication upon their first device login of the day but you only need them to scan their barcode for the rest of their shift, that’s your choice. You can tailor Identity Guardian however is best for your organization. You can even customize your authentication policy differently for shared devices as compared to an individually assigned device as depicted below.
Q: What if I don’t want to have to generate a unique barcode for each employee? Is there another authentication factor that could replace the barcode within Identity Guardian?
You could use a PIN plus the biometric scan. We’re also investigating other ways to authenticate users beyond the barcode and face scan that wouldn’t require you to upgrade your mobile device hardware.
However, I want to call out the convenience factor of the barcode scan.
If I’m an employee of yours and I walk into the store, warehouse, hospital, etc. (wherever I work) and grab a device that’s typically shared with other people during the same shift or on alternate shifts, there is no way for that device to know which profile or applications to load. It will only know who I am once I scan that barcode or otherwise attempt to log in to the device with something unique to me (i.e., a personalized PIN or password). Since a barcode scan is way faster than manually typing in a PIN or password, and I don’t have to worry about remembering a PIN or password, as an employee, I would always prefer the barcode scan as the first authentication method versus a personalized PIN or password. This is especially true if the screen locks every few minutes, and I’m constantly having to log back into the device.
Something else to note: The barcode is encrypted with the owner’s unique data. So, you’ll always know who logged into a device (or attempted to log into a device) and how long they were logged in. If a device goes missing or if there’s an issue that needs troubleshooting, you’ll immediately know who to talk to. This level of accountability is not possible with shared PINs or passwords.
Remember, the shared devices in your Zebra device fleet have no memory of any single user. No information regarding past users is stored on those devices. So, if you have 3,000 employees sharing 1,000 devices, the only way a device will recognize the person attempting to log in is if personal authentication methods are being used, such as a quick unique barcode and a biometric scan.
Therefore, the personalized barcode as a first authentication factor holds a lot of value. And, in the future, if we identify other ways to offer similar personalized authentication with the same level of confidence and security, we will update Identity Guardian and let you know about those other options.
Q: If the device is shared among multiple users in a single shift say one nurse grabs another nurse’s device to assist with a patient – how do I know that handoff has occurred?
This is where policy will be needed to guide the handoff actions. Best practice would be that you require each new user to authenticate (so you have that accountability, and they have access to their unique user profile and apps). This is as simple as that barcode scan and biometric (or PIN) authentication. Once a new barcode and face are scanned and the new user is authenticated then the previous user is essentially logged out and loses their access to the device until they scan their own barcode and face again.
However, this automatic profile transition is only possible if the device screen is locked. So, if one nurse hands off her device to another while the screen is still open, the second nurse will need to lock the screen and then authenticate herself. This locked screen rule will need to be communicated via your organization’s policy, so users understand the proper handoff steps, whether mid-shift or between shifts.
Q: You said Identity Guardian can also be used for individually assigned devices too, right?
Yes. Employees with individually assigned devices will benefit from the fast device unlocking experience, as it is akin to unlocking a personal smartphone. Someone with an individually assigned device will set up a profile, which is then saved on their device, and simply scan their face (or put in a PIN if preferred) every time after to unlock the phone. If you want them to use single sign-on (SSO) to access specific systems or data, they would then authenticate as usual via SSO. I believe they will appreciate not having to create, remember, or input a long password or PIN every time they need to unlock their devices. Identity Guardian offers a great combination of easy accessibility along with accountability for data and device security.
Q: Do I need to upgrade any software or functionality on my current Zebra devices to be able to install/use Identity Guardian?
Identity Guardian only works on Zebra devices running Android 11+. So, if anything, you may need to upgrade your operating system. A front-facing camera is also required for face biometric authentication.
Other than that, you just need to download Identity Guardian from the Google Play Store, zebra.com/identity guardian, or your Zebra DNA Cloud console.
Q: If I’m already requiring my employees to use SSO, why do they need Identity Guardian?
SSO allows access to profiles or applications once a user is logged onto a device. However, the user still needs to log on to the device to get to the SSO screen. So, they would use the Identity Guardian tool to log into the device itself. Then, if you want them using SSO to access their role profile or select apps, they would be directed to the SSO screen for further app-specific access.
The nice thing about this two-step authentication process is that you can ensure the user unlocking the device always matches the current SSO user. If it doesn’t, Identity Guardian will force the new device user to enter their credentials for application access.
Q: Does Identity Guardian work with all SSO software?
Identity Guardian currently supports integration of SSO with Microsoft Entra (formerly Azure) and PingID, and other SSO providers will be added in the future. For authenticating users with SSO, we support Microsoft Authenticator and Custom Chrome Tabs to communicate with SSO as the broker. As long as your applications follow SSO standards OAuth 2.0/OIDC and SSO provider guidelines, you are good to go with no changes required for a seamless sign-in experience.
Q. How does Identity Guardian support roles?
Since Identity Guardian can include a user’s role, you can create a unique launcher experience based on different user roles through our Enterprise Home Screen (EHS) application. Administrators can define multiple layouts tailored to specific roles, ensuring a personalized experience upon device login.
Q. Does Identity Guardian support all types of SSO?
It currently supports OAuth 2.0 and OIDC.
Q: Is a license required for all Identity Guardian use cases?
No. There’s an unlicensed (i.e., no-cost) version that gives you the ability to set up personalized PINs, role-based profile access, and barcode expiration dates for temporary workers. You’ll also get Zebra DNA Cloud visibility into all device users, whether they’re sharing devices or using individually assigned devices.
The very low-cost licensed version gives you the added advantages of SSO support for application authentication if you need it as well as face biometric authentication for device access. (This offers added user convenience as compared to using a personalized PIN as the second authentication factor).
Q. Where is device user data stored?
For shared Zebra Android devices, the user data will be stored in an encrypted barcode that the user holds and manages. For individually assigned devices, user data will be encrypted and stored in the Identity Guardian app’s sandbox within the Android framework, which is protected and only accessible by the app.
Q. How do we ensure the barcode encryption is unique?
You can use your own key to encrypt the data, ensuring only your devices can read the barcode data.
Q. What visibility does Zebra DNA Cloud provide into device usage via Identity Guardian?
You will be able to see which users have device access profiles, when they were created, when they were last used and on which device(s) they were used, among other data points.
Q. What APIs are available via the Identity Guardian app?
A notification of new user sign-in as well as the ability to query about who signed into the device and their role are the currently available APIs.
Q. Are device users (i.e., my employees) informed they are opting into biometrics?
Yes, Identity Guardian will provide a Terms and Conditions disclaimer to the user that they must accept to use the biometric portion of the solution.
Q. Can I customize the terms a user agrees to when using Biometric?
Yes, you can include your own custom Terms and Conditions alongside Zebra’s.
This blog is contributed by Zebra Technologies.
