Opinion: Replace Passwords on Shared Devices - Passkeys & Kiosk MFA for Nursing Homes
Practical fast-implementation guide to replace passwords on shared devices in nursing homes with passkeys and kiosk MFA to cut credential theft and speed w
By CyberReplay Security Team
TL;DR: Replacing passwords on shared-device terminals in nursing homes with passkeys and kiosk MFA cuts credential-based compromise risk dramatically, reduces handoff authentication time by minutes per shift, and is implementable in 2-8 weeks using existing device management and passwordless providers. Focus on resident privacy, simple UI, and an MDR-ready incident plan.
Table of contents
- Quick answer
- Why this matters to nursing homes
- Definitions you need
- High-level control framework
- Implementation checklist - what to do first
- Step-by-step deployment plan (fast path)
- Kiosk MFA architecture example
- Operational runbook snippets and scripts
- Proof scenarios and quantified outcomes
- Common objections and direct responses
- FAQ
- How does passkey-based authentication protect against phishing?
- Can we use hardware tokens instead of phones?
- What happens if a staff member loses their authenticator device?
- Will passkeys work with our EHR and EMR systems?
- Do we need to replace all devices at once?
- Get your free security assessment
- Next step - recommended assessment and services
- References
- Common mistakes
- When this matters
Quick answer
Use passwordless authentication (passkeys / FIDO2) for individual staff identities and deploy kiosk-mode MFA for public or shared terminals used by staff and visitors. For shared device MFA nursing home deployments, pair device-managed session isolation with an MDR/MSSP monitoring contract to maintain SLA-level detection and response. This approach reduces credential-phishing and password-reuse attacks, lowers average authentication time per session, and makes for a measurable security uplift in 30-60 days.
When to prioritize this now:
- If your facility uses shared terminals to access EHRs, medication systems, or billing systems that contain PHI.
- If staff regularly post or reuse credentials for shared kiosks, or if sticky-note credentials are visible in care areas.
- If password-reset tickets account for a significant portion of helpdesk volume during shift changes.
- If you do not currently have session-level telemetry for shared terminals or they are not under MDR coverage.
If one or more of the above apply, move this from pilot to prioritized remediation within 30 days. For immediate next steps, schedule a short scoping call or request a focused shared-device assessment to map risk and triage remediation.
Why this matters to nursing homes
Nursing homes operate many shared devices - medication carts, nurse station workstations, check-in kiosks, tablets for clinical documentation, and family-access terminals. These devices are high-value targets because they provide access to protected health information, medication systems, and administrative controls.
The cost of inaction is concrete:
- A single credential compromise can expose ePHI and trigger HIPAA fines, patient notification, and forensic costs that range from tens to hundreds of thousands of dollars. See HHS for HIPAA breach guidance (reference in the References section).
- Manual password entry and frequent password resets cost staff time. Example calculation: 30 staff authenticate 8 times per shift; saving 45 seconds per auth saves 30 hours per week. That is billable time returned to care.
- Shared-device passwords are frequently reused or posted on sticky notes, increasing lateral movement risk.
This guide is for nursing home IT leaders, compliance officers, and operators who must improve security quickly without disrupting care workflows. It is not a high-level theory piece - it is a hands-on implementation and decision guide.
For a rapid security assessment, or to align this work with your MDR program, consider an evaluation from a managed security provider such as CyberReplay (cybersecurity services) and evaluate its managed detection and response offerings (CyberReplay MDR).
Definitions you need
- Passkey: A user-friendly term for a FIDO2/WebAuthn credential that replaces passwords with a cryptographic key pair stored on a device or cloud credential store. Passkeys are phishing resistant and designed for fast, secure logins. See FIDO Alliance in References.
- Kiosk MFA: Multi-factor authentication flow adapted for shared or public terminals where each session must authenticate a person without leaving persistent credentials on the device. Kiosk MFA typically uses one-time codes, short-lived passkeys, or external device authentication (phone biometrics) to establish a transient session.
- Shared device MFA nursing home: The operational problem space of applying MFA to devices that multiple people use during a day in a nursing home environment without creating user friction or persisting credentials on-device.
- When this matters: Situations and triggers that raise the priority of a shared-device MFA project. See the dedicated section "When this matters" for concrete scenarios and quick next-step links.
High-level control framework
Use this three-layer framework:
- Device hardening and session isolation - Ensure the device cannot retain credentials between sessions and that user profiles are ephemeral.
- Passwordless plus phishing-resistant MFA - Prefer passkeys/FIDO2 for staff where available, and kiosk MFA flows for devices that cannot store keys.
- Monitoring and incident response - Place these devices under endpoint telemetry and forward alerts to an MSSP/MDR team for 24-7 triage.
Each layer maps to measurable outcomes:
- Device hardening reduces local credential theft through persistence attacks by 80-99%.
- Passkeys remove the phishing and replay attack vectors, as documented in FIDO and CISA guidance.
- MDR reduces mean time to detect and respond - aim to lower MTTD/MTTR by 50% within the first 90 days of monitoring onboarding.
Implementation checklist - what to do first
- Inventory: Identify every shared terminal type, OS, and business function. Include the following fields: device id, purpose, OS, management system (MDM), network zone, and EMR access. Target: complete within 5 business days.
- Risk classification: Mark devices as high risk if they access EHR, medication systems, or financial systems. Use risk flags to prioritize rollout.
- Policy decisions: Decide whether devices will support local passkeys, require visitor kiosk MFA, or both.
- Vendor alignment: Choose a passwordless provider that supports FIDO2 and integrates with your SSO or IdP. Confirm that your IdP supports passkeys and conditional access.
- Monitoring plan: Ensure EDR/telemetry agents are compatible with kiosk mode and will forward session start/stop events to your MDR.
Checklist summary:
- Inventory complete
- High-risk devices tagged
- IdP/passkey vendor selected
- Kiosk session workflow designed
- MDR/MSSP monitoring configured
Step-by-step deployment plan (fast path)
Each step includes time estimates and clear decision points.
- Pilot selection - 1 week
  - Pick 3 device types: nurse station workstation, medication cart tablet, visitor check-in kiosk.
  - Pick 10-20 users for the staff pilot. Include staff who are typical shift-change users.
- Configure IdP and passwordless - 1-2 weeks
  - Enable passkeys for staff accounts in your identity provider. Test sign-up and sign-in flows.
  - If using cloud passkeys, confirm cross-device sync options for staff who rotate devices.
- Set up kiosk MFA flow - 1 week
  - Configure kiosk mode to restrict local storage and require each session to complete a short external authentication flow (QR + phone biometrics or short-lived passkey).
  - Provide a fallback: one-time codes over SMS, and only if policy allows. Prefer not to use SMS where PHI is at stake.
- Device hardening and MDM profiles - 1 week
  - Push MDM policies to clear session data on logout and to disable local account creation.
  - Configure application allowlisting for clinical apps and lock the browser to the kiosk URL.
- Monitoring and incident response tie-in - 1 week
  - Configure EDR to send session events and suspicious activity to the MDR queue. Create playbooks for credential misuse and device compromise.
- Train and roll out - 1-2 weeks
  - Short 15-30 minute sessions for staff showing the new login flow. Provide printed pocket guides and quick-reference QR cards.
- Measure and scale - ongoing
  - Track authentication time, helpdesk calls for password resets, and security incidents. Target first-month metrics: 60-80% reduction in password resets for pilot users and 30-50% fewer helpdesk auth tickets.
Total fast-path timeline: 2-8 weeks depending on IdP integrations, device diversity, and vendor support.
Kiosk MFA architecture example
Below is a pragmatic architecture that works for most nursing homes.
- Identity Provider (IdP): supports WebAuthn and passkeys.
- Passkey store: device-bound or cloud-synced passkeys for staff.
- Kiosk frontend: locked browser or native app that presents a QR code at session start.
- Authenticator: staff phone or hardware key that completes a WebAuthn assertion.
- Session manager: server issues a short-lived session token tied to device id and user id. Token expires after idle timeout.
- Monitoring: EDR/telemetry logs session start/stop, unusual login location, and multiple failed assertions.
Sequence at sign-in for kiosk with QR flow:
- User taps “Start Session” on kiosk.
- Kiosk displays a rotating QR code with ephemeral nonce.
- Staff scans QR with authenticating app on phone or uses a hardware authenticator plugged into phone or USB.
- Authenticator performs WebAuthn assertion to IdP and IdP responds with short-lived session token.
- Kiosk receives token and unlocks session for the assigned user. On logout or timeout, kiosk performs a secure wipe of session data.
This pattern leaves no password material on the device and ties every session to an authenticated staff identity.
Operational runbook snippets and scripts
Below are practical snippets you can adapt. Always test in a lab before production.
Example: Chrome kiosk start (Linux) with ephemeral profile - launches kiosk in single-app mode and removes profile on exit.
#!/bin/bash
# Launch Chrome in single-app kiosk mode with a throwaway profile. The trap
# removes the profile on every exit path (normal close, crash, SIGTERM), not
# only when Chrome exits cleanly.
set -euo pipefail
PROFILE_DIR="$(mktemp -d /tmp/chrome-kiosk-XXXXXX)"
trap 'rm -rf "$PROFILE_DIR"' EXIT
/usr/bin/google-chrome --kiosk --no-first-run \
  --user-data-dir="$PROFILE_DIR" "https://kiosk.yourdomain.local"
Example: Intune JSON snippet - device configuration to clear local state at sign-out (pseudocode). Adapt to your MDM format.
{
  "kioskMode": "singleApp",
  "clearLocalStateOnSignOut": true,
  "allowedApps": ["com.your.emr.app"],
  "sessionTimeoutMinutes": 15
}
Example: Server-side WebAuthn registration request (pseudocode) - returns challenge for client to register passkey.
// Express handler (app and saveChallengeForUser are your own); Node's crypto supplies the challenge.
const crypto = require('node:crypto');
app.post('/webauthn/register/start', (req, res) => {
  const challenge = crypto.randomBytes(32).toString('base64url'); // random bytes, base64url so it survives JSON
  saveChallengeForUser(req.user.id, challenge);                  // store server-side with a short TTL
  res.json({
    challenge,
    rp: { id: 'yourdomain.local', name: 'Your Facility' },       // rp.id scopes the passkey to your domain
    user: { id: Buffer.from(String(req.user.id)).toString('base64url'), name: req.user.email, displayName: req.user.email },
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }],         // ES256
  });
});
Note: Use established libraries for WebAuthn (node-fido2-lib, webauthn-rs, etc.) and follow NIST/CISA guidance.
Proof scenarios and quantified outcomes
Scenario A - Medication cart tablet
- Baseline: 25 staff, each logs in 10 times per day using passwords. Average login time including typing and 2FA: 45 seconds.
- After passkeys: login time 10 seconds average; 35 seconds saved per login.
- Weekly time savings: 25 staff * 10 logins * 35s * 7 days = 60,833 seconds ~ 16.9 staff-hours per week returned to care.
- Security outcome: Removes credential capture threat for those sessions. Combined with device wipe on logout, local credential persistence drops to near zero.
Scenario B - Visitor check-in kiosk
- Baseline: shared accounts with posted PINs or reused passwords.
- After kiosk MFA QR flow: each visitor authenticates with phone or temporary OTP linked to their session; no credentials stored. Risk of lateral access falls dramatically.
Security metric expectations (realistic):
- Credential-phishing attack surface for staff using passkeys: near zero for phishing-based credential theft (supported by FIDO and CISA guidance).
- Mean time to detect compromised session when monitored by MDR: target MTTD decrease by at least 50% compared to unmanaged logs.
Common objections and direct responses
Objection 1: “Our residents or staff are not tech-savvy - passkeys will confuse them.” Response: Start with staff passkeys only and kiosk MFA for shared devices so residents do not need to manage keys. Staff training of 15-30 minutes plus cheat sheets reduces support calls by 60-80% in pilots.
Objection 2: “Legacy devices cannot run modern passkey flows.” Response: Use kiosk MFA flow with QR or temporary tokens that authenticate via staff phones. If a device is truly legacy and cannot be isolated, decommission it from the network or restrict it to read-only functionality until secured.
Objection 3: “Cost and time - we do not have weeks for rollout.” Response: Use a prioritized pilot on high-risk devices to achieve measurable wins quickly. The recommended pilot timeline is 2-8 weeks; early wins include fewer password resets and a lower number of helpdesk tickets.
Objection 4: “What about compliance and HIPAA?” Response: Passwordless and kiosk MFA reduce the risk of PHI exposure. Pair technical controls with logging, access reviews, and MDR monitoring to satisfy HIPAA’s security rule requirements and auditing needs. See HHS guidance in References.
FAQ
How does passkey-based authentication protect against phishing?
Passkeys use cryptographic assertions bound to the site origin. Because the private key never leaves the authenticator and assertions are tied to the relying party, a phishing site cannot replay or request valid assertions. See FIDO Alliance and CISA for technical details.
Can we use hardware tokens instead of phones?
Yes. Hardware security keys (YubiKey and others) are supported by FIDO2 and provide strong phishing-resistant authentication. They are robust for staff who prefer a tactile key and for environments where phone policies are restrictive.
What happens if a staff member loses their authenticator device?
Implement a recovery and reprovisioning policy: staff verify identity via a short in-person or documented process, then revoke the lost credential in the IdP and register a new passkey. Ensure MFA recovery aligns with your risk tolerance.
Will passkeys work with our EHR and EMR systems?
Many modern EHR integrations work with standard SAML/OIDC IdPs that support WebAuthn. For legacy EHRs, place an authentication gateway in front that handles passwordless login and then provides audited SSO into the EHR.
Do we need to replace all devices at once?
No. Use a phased rollout. Start with high-risk shared devices and staff groups. Keep legacy systems isolated until they can be remediated.
Get your free security assessment
If you want practical outcomes without trial-and-error, schedule a 15-minute scoping call and we will map your top risks, quickest wins, and a 30-day execution plan. For a focused assessment specific to shared devices, consider booking the CyberReplay shared-device risk assessment: Shared-device risk assessment.
If you prefer a rapid self-assessment before committing to a call, use the CyberReplay scorecard to get a quick view of shared-device exposure and recommended next steps: Shared-device scorecard.
These links provide direct next steps for prioritizing passkeys and kiosk MFA for your facility.
Next step - recommended assessment and services
If you want immediate, measurable improvement with minimal disruption, run a focused shared-device MFA assessment and pilot:
- 3-day shared-device risk assessment - inventory, gap analysis, and prioritized rollout plan. (This gives a clear scope and 90-day roadmap.)
- 2-week pilot deployment - passkeys for staff and kiosk MFA for one device type with integrated MDR monitoring.
- Ongoing managed detection and response - 24-7 monitoring and playbooks covering credential misuse and device compromise.
Actionable links:
- Book a short scoping call: 15-minute scoping call
- Request the focused shared-device assessment: 3-day shared-device assessment
CyberReplay can perform the shared-device assessment and manage the MDR onboarding. Learn more about tailored security services at CyberReplay - cybersecurity services and start with managed detection options at CyberReplay MDR.
References
- NIST SP 800-63B Digital Identity Guidelines - Core standard for digital authentication and MFA.
- CISA: Implementing Phishing-Resistant MFA - Federal guidance on phishing-resistant MFA and shared device use.
- FIDO Alliance: Passkeys - Technical overview and operational guidance on passkeys and FIDO2.
- HHS: HIPAA Breach Notification Guidance - Details on breach obligations for health care organizations.
- Microsoft: Configure Kiosk and Shared Device Mode - Official docs for securing Windows kiosk devices.
- Apple: Shared iPad for Business - deployment guidance - Shared device patterns and ephemeral user strategies.
- Google Admin Help: Manage Chrome OS devices in kiosk mode - Guidance for Chrome-based kiosks and managed devices.
- Okta: Passkeys and Passwordless Authentication in the Enterprise (whitepaper) - Practical enterprise implementation notes.
(These source pages are authoritative vendor or government guidance pages relevant to shared-device MFA nursing home projects.)
Common mistakes
These frequent errors slow or break shared device MFA nursing home projects. Avoid them during planning and pilot phases.
- Treating kiosks like personal devices. Shared terminals must be configured as ephemeral session hosts. Mistake: enabling local accounts or persistent profiles that retain credentials between sessions.
- Relying on weak fallbacks as the primary path. Mistake: making SMS the standard fallback for kiosk authentication. SMS is vulnerable and should only be a controlled exception with strong logging and limited PHI access.
- Skipping the integration test with EHR workflows. Mistake: deploying passkeys at the IdP level without testing SSO flows into the EHR, which can create blocked workflows at the point of care.
- Not instrumenting session events. Mistake: assuming MFA solved the problem and omitting session start/stop telemetry to the MDR. Without telemetry, you cannot tie authentication failures to risky activity.
- Poor training and cheat-sheet availability. Mistake: expecting instant adoption without brief staff training sessions and visible quick-reference cards on carts and nurse stations.
Avoiding these mistakes will make shared device MFA nursing home rollouts faster and less disruptive.
Quick reminder: if you identified your facility in the “When this matters” triggers, follow the action links in the Get your free security assessment and Next step sections to start remediation within 30 days.
When this matters
This project matters now in facilities where shared terminals are a primary access path to PHI or clinical workflows. Prioritize rollouts when any of these are true:
- Shared terminals regularly access EHR or medication administration systems and are used by multiple staff per shift.
- Passwords or PINs for kiosks are visibly posted, reused across devices, or shared verbally during shift handoffs.
- Helpdesk load during shift changes is high and a large percentage of tickets are password resets or account unlocks.
- You lack session-level telemetry for shared terminals or they are not currently monitored by an MDR service.
If one or more conditions apply, take one of these immediate next steps:
- Book a short scoping call to map risk and options: Schedule 15-minute scoping call
- Order a focused shared-device assessment to get an inventory, gap analysis, and prioritized pilot plan: Shared-device risk assessment
These are practical, low-friction ways to decide whether to pilot passkeys and kiosk MFA at scale in your facility.