Shared devices create a handoff problem. The device may remain the same while the user changes, so access controls must re-check identity, device state, and session context each time the device is reused. Without that, the VPN only proves connectivity, not who is actually operating the phone.
Why This Matters for Security Teams
Shared devices change mobile access governance because the device can no longer be treated as a stable proxy for the user. A phone in a field team, frontline shift, or kiosk model may be trusted by posture checks while the actual operator changes multiple times a day. That creates a handoff risk: the session, cached token, or VPN tunnel can outlive the person who originally unlocked the device.
Current guidance suggests treating reuse as a fresh access event, not a continuation of the prior user session. That means re-evaluating identity, device state, and session context at every handoff, rather than relying on enrollment alone. This aligns with the broader access and lifecycle concerns described in the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and the control emphasis in the NIST Cybersecurity Framework 2.0.
NHIMG research shows why this mindset matters: in the State of Non-Human Identity Security, only about 1.5 in 10 organisations (15%) were highly confident in securing NHIs, underscoring how often identity assumptions break down when access is shared, reused, or poorly observed. In practice, many security teams discover misuse only after a reused device has already carried a stale session into a sensitive app.
How It Works in Practice
Shared-device governance works best when the device is treated as one signal among several, not the decisive trust factor. Mobile access policies should combine user authentication, device posture, location or network context, and session risk so the system can decide whether a reused device should receive a full session, a step-up challenge, or no access at all.
A practical model usually includes:
- Short-lived sessions that expire quickly after inactivity or task completion.
- Re-authentication on unlock, app launch, or return from an unmanaged state.
- Device attestation and compliance checks before sensitive apps accept the session.
- Separate profiles or containers so one user’s app data does not bleed into the next user’s access path.
- Central logging that records handoff events, not just login events.
The policy logic should follow the principles in the OWASP Non-Human Identity Top 10 and the identity lifecycle controls discussed in 52 NHI Breaches Analysis, because the real issue is not the phone itself but what credentials, tokens, and cached trust remain available after the previous operator leaves. Mobile VPNs, SSO sessions, and app refresh tokens must be re-bound to the current user context, not assumed valid because the hardware is unchanged. These controls tend to break down in shift-based operations with kiosk-style logins, because the access stack often preserves app state for longer than the organisation preserves user accountability.
Common Variations and Edge Cases
Tighter shared-device control often increases operational friction, requiring organisations to balance security against login speed, user convenience, and offline resilience. That tradeoff is especially visible in healthcare, retail, logistics, and manufacturing, where staff may need fast turnover between operators and inconsistent connectivity can interrupt repeated checks.
There is no universal standard for this yet, but current guidance suggests the safest pattern is to minimise standing trust on the device and maximise per-session verification. For highly regulated workflows, a dedicated managed app or browser container can be safer than a full-device trust model. For lower-risk tasks, a risk-based approach may allow limited reuse if the device is compliant and the session is tightly scoped.
Two edge cases matter most. First, if shared devices are used offline and then reconnect, stale access may resurface without a fresh policy evaluation. Second, if biometric unlock is treated as equivalent to enterprise authentication, the organisation may confuse local convenience with identity assurance. The Ultimate Guide to NHIs — Key Challenges and Risks is useful here because it reinforces a core lesson: trust must expire faster than the device does.
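The handoff evaluation described under How It Works in Practice, with the two edge cases above (a cached session resurfacing after an offline period, and biometric unlock treated as local convenience rather than enterprise authentication) handled explicitly, as an added example in Python. This code is not from the original page or from NHI Mgmt Group; the policy thresholds, the device and session records, the user names and the shift-change scenario are constructed assumptions for illustration only.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class Decision(Enum):
    FULL = "full_session"   # inherited session may continue
    STEP_UP = "step_up"     # fresh enterprise authentication before proceeding
    DENY = "deny"           # device not eligible, whoever is holding it

@dataclass(frozen=True)
class Policy:  # thresholds are illustrative assumptions, not vendor defaults
    idle_timeout: timedelta = timedelta(minutes=10)
    max_attestation_age: timedelta = timedelta(hours=1)
    max_eval_gap: timedelta = timedelta(minutes=15)  # limit for offline-then-reconnect
    enterprise_auth: frozenset = frozenset({"sso_mfa", "password_mfa"})

@dataclass
class DeviceState:
    device_id: str
    attested: bool
    compliant: bool
    last_attestation_at: datetime

@dataclass
class Session:
    subject: str          # user the session was issued to
    device_id: str        # device the session was bound to at issue time
    auth_method: str      # how the subject proved identity
    last_activity_at: datetime
    last_policy_eval_at: datetime

@dataclass
class AccessRequest:
    operator: str         # user currently holding the device
    device: DeviceState
    app_sensitivity: str  # "high" or "low"
    network: str          # "managed", "unmanaged" or "offline"
    now: datetime

Verdict = namedtuple("Verdict", "decision reasons handoff")  # handoff: operator != subject

def evaluate_reuse(session: Session, req: AccessRequest, policy: Policy = Policy()) -> Verdict:
    dev, reasons = req.device, []
    handoff = session.subject != req.operator
    # 1. Device gate: an unhealthy or stale-attested device gets nothing, whoever holds it.
    if not (dev.attested and dev.compliant) or req.now - dev.last_attestation_at > policy.max_attestation_age:
        return Verdict(Decision.DENY, ["device not attested, non-compliant or attestation stale"], handoff)
    # 2. A session presented from a device it was not issued to is replay, not handoff.
    if session.device_id != dev.device_id:
        return Verdict(Decision.DENY, ["session bound to a different device"], handoff)
    # 3. Handoff: the person holding the phone is not the session subject, so the
    #    inherited session never continues, even for a low-risk app.
    if handoff:
        return Verdict(Decision.STEP_UP, [f"operator changed: {session.subject} -> {req.operator}"], True)
    # 4. Same operator: the session must still be live and recently evaluated
    #    (a long gap since the last evaluation is the offline-then-reconnect case).
    if req.now - session.last_activity_at > policy.idle_timeout:
        reasons.append("idle timeout exceeded")
    if req.now - session.last_policy_eval_at > policy.max_eval_gap:
        reasons.append("no policy evaluation since last (possibly offline) period")
    # 5. Local unlock is convenience, not identity assurance, for sensitive apps.
    if req.app_sensitivity == "high" and session.auth_method not in policy.enterprise_auth:
        reasons.append(f"{session.auth_method} is local unlock, not enterprise authentication")
    # 6. Context: sensitive apps off the managed network get a challenge.
    if req.app_sensitivity == "high" and req.network != "managed":
        reasons.append(f"sensitive app requested on {req.network} network")
    return Verdict(Decision.STEP_UP if reasons else Decision.FULL,
                   reasons or ["operator, device and context unchanged"], False)

def record_access_event(log: list, session: Session, req: AccessRequest, v: Verdict) -> dict:
    # Log every reuse decision and name handoffs explicitly, not just logins.
    event = {"ts": req.now.isoformat(), "device": req.device.device_id, "operator": req.operator,
             "session_subject": session.subject, "event": "handoff" if v.handoff else "reuse",
             "decision": v.decision.value, "reasons": v.reasons}
    log.append(event)
    return event

def run_shift_change_scenario() -> tuple:
    # Constructed scenario (not real telemetry): one phone, two operators, a shift change.
    t0, m = datetime(2026, 6, 25, 6, 0, tzinfo=timezone.utc), timedelta(minutes=1)
    phone = DeviceState("phone-17", attested=True, compliant=True, last_attestation_at=t0)
    alice = Session("alice", "phone-17", "sso_mfa", last_activity_at=t0, last_policy_eval_at=t0)
    results, log = {}, []
    def check(name: str, session: Session, req: AccessRequest) -> None:
        v = evaluate_reuse(session, req)
        record_access_event(log, session, req, v)
        results[name] = v.decision.value
    check("same_operator", alice, AccessRequest("alice", phone, "high", "managed", t0 + 2 * m))
    check("handoff_to_bob", alice, AccessRequest("bob", phone, "low", "managed", t0 + 5 * m))
    offline = Session("alice", "phone-17", "sso_mfa", last_activity_at=t0 + 25 * m, last_policy_eval_at=t0)
    check("offline_reconnect", offline, AccessRequest("alice", phone, "low", "managed", t0 + 30 * m))
    bio = Session("alice", "phone-17", "device_biometric", last_activity_at=t0, last_policy_eval_at=t0)
    check("biometric_sensitive", bio, AccessRequest("alice", phone, "high", "managed", t0 + m))
    check("biometric_low_risk", bio, AccessRequest("alice", phone, "low", "managed", t0 + m))
    broken = DeviceState("phone-17", attested=True, compliant=False, last_attestation_at=t0)
    check("noncompliant_device", alice, AccessRequest("alice", broken, "low", "managed", t0 + m))
    moved = Session("alice", "phone-02", "sso_mfa", last_activity_at=t0, last_policy_eval_at=t0)
    check("replayed_session", moved, AccessRequest("alice", phone, "low", "managed", t0 + m))
    return results, log
```

The order of checks is the point: device health is gated first, so no operator can talk a non-compliant phone into a session; the operator binding comes next, so a shift change always forces fresh authentication regardless of app risk; only then do idle time, evaluation age, authentication strength and network context decide between a full session and a step-up. The offline case returns STEP_UP rather than silently continuing, which means the client must fetch a new evaluation when connectivity returns; that is the friction the text accepts as the cost of not letting stale access resurface. The model also assumes the app can learn who the current operator is (a badge tap or per-operator login prompt, for example), because a device unlock alone cannot supply that fact.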
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Shared-device access needs continuous identity assurance at each handoff. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Stale sessions and reusable tokens on shared devices mirror credential lifecycle risk. |
| NIST AI RMF | Not specified | Risk-based access decisions should account for changing context at handoff. |
Apply runtime risk evaluation so shared-device access is approved only with current context.
Reviewed and updated by the NHIMG editorial team on June 25, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org