Shared workstations need deterministic session transitions, fast handoffs, and clear audit trails tied to the specific user and device state. The design goal is not just successful login, but an unambiguous record of who accessed what, when, and under which binding. Without that, shift-based accountability becomes difficult to prove.
Why This Matters for Security Teams
Shared workstations turn passwordless login from a simple authentication problem into a session integrity problem. On a single device, the hard part is not proving one user once, but proving the boundary between one user’s access and the next user’s access. That changes how device binding, authenticator reuse, and logout semantics must work. NIST’s Cybersecurity Framework 2.0 treats identity and access as part of broader governance, which is the right lens here.
For teams already managing NHI risk, the lesson is familiar: the control objective is traceability, not just convenience. Shared endpoints can blur audit logs, cached credentials, and session tokens in ways that defeat clean accountability. That is especially dangerous where passwordless flows are paired with persistent browser state, roaming profiles, or help-desk assisted handoffs. The operational stakes are well documented in NHI environments, where compromised or overexposed identities often go unnoticed until after abuse has occurred, as noted in NHIMG’s Ultimate Guide to NHIs.
In practice, many security teams encounter weak attribution only after shared-device logout or session cleanup has already failed.
How It Works in Practice
Shared workstations need passwordless design that is explicitly session-aware. The login ceremony should bind the user, the device, and the current workstation state at the moment of authentication, then unwind that binding cleanly at handoff. That means short-lived sessions, strong device posture checks, and deterministic logout behaviour that invalidates cached tokens, passkeys-in-browser, and local application sessions together.
A practical design usually includes three layers. First, the workstation should enforce an identity transition, not just a screen lock, so the next user cannot inherit the previous user’s authenticated context. Second, the identity provider should issue credentials or assertions with narrow lifetime and audience limits, especially if the workstation is used for highly regulated workflows. Third, the audit trail should record the specific user, device, time, and session state so access reviews can distinguish a clean handoff from a silent reuse event.
- Prefer FIDO2 or passkey flows that support fast re-authentication without password reuse.
- Require per-session or per-task revalidation for sensitive actions, not only at initial login.
- Clear browser, OS, and app tokens on logout, not just visual session state.
- Log handoff events with immutable timestamps and device identifiers.
NHIMG research has shown that visibility and lifecycle discipline are often weak across identity programs, with the Top 10 NHI Issues highlighting recurring failures in rotation, offboarding, and access hygiene. For shared workstations, the same discipline applies to human identity sessions: make every transition explicit, short, and reviewable. These controls tend to break down when users rely on persistent kiosk mode, shared browser profiles, or remote app streaming because session artifacts survive the visible logout.
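The three layers above (identity transition on login, narrow session lifetime with step-up for sensitive actions, and deterministic logout that clears every token class together) as an added example in Python; this is illustrative code written for this page, not NHIMG's or any vendor's implementation. The `Workstation` class, the artifact names, and the 15-minute session TTL and 60-second step-up window are assumptions.

```python
SESSION_TTL = 15 * 60     # assumed: a session expires 15 minutes after login
STEP_UP_WINDOW = 60       # assumed: sensitive actions need a re-auth within the last 60 s

class Workstation:
    """One authenticated context per device: login is an identity transition, not a screen lock."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.session = None   # {user, issued_at, last_auth, artifacts}
        self.audit = []       # append-only handoff/access log (hypothetical in-memory store)

    def _log(self, event, user, now, **extra):
        self.audit.append({"ts": now, "event": event, "user": user,
                           "device": self.device_id, **extra})

    def login(self, user, now, posture_ok=True):
        # Unwind the previous binding first so the next user cannot inherit it.
        if self.session is not None:
            self.logout(now)
        if not posture_ok:
            self._log("login_denied", user, now, reason="device_posture")
            return False
        # Binding = user + device + time; artifacts are the token classes tied to this session.
        self.session = {"user": user, "issued_at": now, "last_auth": now,
                        "artifacts": {"browser", "os", "app"}}
        self._log("login", user, now)
        return True

    def logout(self, now):
        s = self.session
        if s is None:
            return
        s["artifacts"].clear()   # all token classes invalidated together, not just the visible UI
        self.session = None
        self._log("logout", s["user"], now, artifacts_left=len(s["artifacts"]))

    def access(self, action, now, sensitive=False, reauth=False):
        s = self.session
        if s is None or now - s["issued_at"] > SESSION_TTL:
            return "denied"
        if sensitive:
            if reauth:
                s["last_auth"] = now
            elif now - s["last_auth"] > STEP_UP_WINDOW:
                return "step_up_required"   # initial login does not cover the whole shift
        self._log("access", s["user"], now, action=action)
        return "ok"
```

The audit list is what an access review would replay: a logout entry with `artifacts_left` greater than zero, or an access entry under a user who never logged in, is the signature of a broken handoff.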
Common Variations and Edge Cases
Tighter passwordless controls often increase friction at shift change, so organisations have to balance fast handoffs against stronger traceability. The right answer depends on whether the workstation is used by a fixed team, a pool of rotating staff, or a kiosk model with minimal local storage.
Current guidance suggests treating these cases differently. In fixed-team environments, a soft handoff with enforced re-authentication may be enough if device state is tightly managed. In pooled or high-risk environments, best practice is evolving toward aggressive session revocation, device posture checks, and local data minimisation. If the workstation supports privileged workflows, combine passwordless login with step-up verification for sensitive actions rather than assuming the initial login is sufficient for the entire shift.
There is no universal standard for this yet, but the common failure modes are predictable: auto-filled credentials, orphaned browser sessions, and incomplete logout from downstream SaaS tools. NHIMG’s 52 NHI Breaches Analysis shows how identity misuse often spreads when one credential or session remains valid longer than expected. Shared workstations create a similar risk pattern for human identities, especially where badge-based access, local caching, and cloud sessions are not revoked together.
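An access-review check for the failure modes just listed (a session surviving a visible lock, an incomplete logout, an orphaned session, and a session that outlived its intended lifetime), as an added Python example that is not part of the original guidance. The log format, the `artifacts_left` field, and the 15-minute maximum are assumptions; the sample log is constructed for the example.

```python
SESSION_MAX = 15 * 60   # assumed: any session older than this should already have been revoked

# Constructed sample handoff log (not real data). Fields: ts,device,event,user,detail
SAMPLE_LOG = """\
0,ws-01,login,alice,
120,ws-01,access,alice,open_chart
600,ws-01,lock,alice,
660,ws-01,access,bob,open_chart
700,ws-01,logout,alice,artifacts_left=2
900,ws-01,access,bob,export
1000,ws-02,login,carol,
2000,ws-02,access,carol,open_chart
"""

def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, device, event, user, detail = line.split(",", 4)
        rows.append({"ts": int(ts), "device": device, "event": event,
                     "user": user, "detail": detail})
    return rows

def review_handoffs(rows):
    """Replay the log per device and flag every transition that is not a clean handoff."""
    findings = []
    state = {}   # device -> {"user", "since"} while a binding is active, else None
    for r in sorted(rows, key=lambda r: r["ts"]):
        cur = state.get(r["device"])
        if r["event"] == "login":
            if cur is not None:   # previous binding was never unwound
                findings.append((r["ts"], r["device"], "login_without_logout", cur["user"]))
            state[r["device"]] = {"user": r["user"], "since": r["ts"]}
        elif r["event"] == "logout":
            left = int(r["detail"].split("=")[1]) if "artifacts_left=" in r["detail"] else 0
            if left:   # visible logout, but cached tokens survived it
                findings.append((r["ts"], r["device"], "incomplete_logout", r["user"]))
            state[r["device"]] = None
        elif r["event"] == "access":
            if cur is None:
                findings.append((r["ts"], r["device"], "orphaned_session", r["user"]))
            elif cur["user"] != r["user"]:   # next user inherited the previous context
                findings.append((r["ts"], r["device"], "silent_reuse", r["user"]))
            elif r["ts"] - cur["since"] > SESSION_MAX:
                findings.append((r["ts"], r["device"], "stale_session", r["user"]))
        # "lock" is only a visual state change and deliberately does not end the binding
    return findings
```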
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Shared workstations need identity-aware access control and session traceability. |
| NIST SP 800-63 | AAL2 | Passwordless login on shared devices must still maintain assurance across session changes. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Short-lived credentials and revocation discipline matter when devices are shared. |
Map each shared-device handoff to explicit authentication, revocation, and logging controls.
Reviewed and updated by the NHIMG editorial team on June 22, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org