The set of rules that define when a user can start, continue, and end access on a device used by multiple people. In healthcare, it must account for handovers, idle time, and explicit sign-out so the next user does not inherit a previous session.
Expanded Definition
Shared-device session lifecycle is the policy layer that determines how authentication, access, and teardown behave on endpoints used by multiple people, such as nurses’ stations, kiosks, tablets, or shift-based workstations. In NHI and IAM practice, it is not just a timeout setting. It includes explicit sign-out, session transfer rules, device lock behaviour, reauthentication triggers, and whether any cached context survives a handover.
Definitions vary across vendors when shared devices also host agentic workflows or background service accounts, but the operational intent is consistent: a session must end cleanly enough that the next user does not inherit the previous user’s privileges, tokens, or data context. This matters especially where clinical urgency encourages fast handoffs and minimal friction. The NHI Lifecycle Management Guide and the OWASP Non-Human Identity Top 10 both reinforce that access must be intentionally started and intentionally terminated, not merely left to inactivity timers. The most common misapplication is treating screen timeout as session termination, which occurs when organisations assume a locked device also clears active credentials and app state.
Examples and Use Cases
Implementing shared-device session lifecycle rigorously often introduces a usability tradeoff, requiring organisations to balance fast clinical or operational handoffs against stronger identity isolation and auditability.
- A ward tablet auto-locks after inactivity, but a nurse must explicitly end the session so the next clinician cannot open the prior patient chart with a remembered token.
- A pharmacy workstation uses step-up reauthentication after each handover, reducing the chance that a cached browser session can be reused by the next shift.
- A manufacturing kiosk clears app state and short-lived credentials on sign-out, preventing inherited access when workers rotate between stations.
- Shared front-desk laptops pair device lock with application logout so identity context does not persist inside EHR, ticketing, or payment applications.
- Control design is often informed by NHI lifecycle and secret-handling lessons in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and by adjacent session guidance in OWASP Non-Human Identity Top 10.
In practice, teams also use a shared-device lifecycle to decide whether local tokens, browser cookies, cached certificates, or device-bound NHI credentials must be wiped during logout, re-image, or shift change.
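The difference between a device lock and session teardown, and the handover rule described above, can be modelled as a small state machine. This is an added example, not code from the guides cited on this page; `SharedDevice`, its method names, and the artifact keys are hypothetical, and authentication is assumed to happen before `sign_in` is called.

```python
from dataclasses import dataclass, field
from enum import Enum

class State(Enum):
    ACTIVE = "active"
    LOCKED = "locked"
    ENDED = "ended"

@dataclass
class Session:
    user: str
    state: State = State.ACTIVE
    # Constructed stand-ins for what a real endpoint caches per session.
    artifacts: dict = field(default_factory=dict)

class SharedDevice:
    """Hypothetical policy model of one shared endpoint (not a product API)."""

    def __init__(self):
        self.session = None
        self.audit = []  # ordered record of lifecycle events

    def sign_in(self, user):
        # Precondition (assumed): `user` has already authenticated upstream.
        prev = self.session
        if prev and prev.state is State.LOCKED and prev.user == user:
            prev.state = State.ACTIVE       # same user reauthenticated: resume
            self.audit.append(("unlock", user))
            return prev
        self._teardown("handover")          # any other leftover session is destroyed
        self.session = Session(user, artifacts={
            "access_token": f"tok-{user}", "cookies": ["sid"], "patient_context": None})
        self.audit.append(("sign_in", user))
        return self.session

    def lock(self):
        # Idle timeout or manual lock: hides the screen, clears nothing.
        if self.session and self.session.state is State.ACTIVE:
            self.session.state = State.LOCKED
            self.audit.append(("lock", self.session.user))

    def sign_out(self):
        self._teardown("explicit_sign_out")

    def _teardown(self, reason):
        s = self.session
        if s is None or s.state is State.ENDED:
            return
        s.artifacts.clear()  # a real endpoint would also revoke tokens server-side
        s.state = State.ENDED
        self.audit.append(("teardown", s.user, reason))
```

After `lock()` the previous user's token and patient context are still present; only `sign_out()` or a sign-in by a different user empties them, and the audit trail records which of the two ended the session.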
Why It Matters in NHI Security
Shared-device session lifecycle becomes an NHI security issue whenever a device can preserve credentials, app state, or delegated access across users. On a shared workstation, a stale session can expose not only human identity data but also service accounts, API keys, or embedded automation credentials that are reachable through the same interface. That is why session teardown belongs alongside lifecycle control, secret hygiene, and rotation discipline in Top 10 NHI Issues and the Guide to the Secret Sprawl Challenge.
The risk is not theoretical. NHIMG research reports that 79% of organisations have experienced secrets leaks, with 77% of those incidents resulting in tangible damage, and 44% of NHI tokens are exposed in the wild through tools like Teams, Jira, Confluence, and code commits. A shared device that fails to end sessions cleanly can become the local amplifier for the same exposure pattern. Practitioners should also align lifecycle controls with the service-account and access-persistence concerns described in The Ultimate Guide to NHIs and the lifecycle discipline in NHI Lifecycle Management Guide. Organisations typically encounter this failure only after a misdirected access event or a privacy incident, at which point addressing shared-device session lifecycle becomes operationally unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-06 | Covers session, token, and lifecycle risks for shared and reused identities. |
| NIST CSF 2.0 | PR.AA | Access authentication and authorization must reflect device-sharing and session continuity risk. |
| NIST Zero Trust (SP 800-207) | SP 3 | Zero Trust requires continuous verification rather than trusting a previously opened device session. |
End sessions explicitly, clear cached credentials, and verify handoff controls on shared devices.