Industrial PCs (IPCs) require encryption and multi-factor authentication (MFA) for far more critical reasons than standard office PCs: they are the digital bridge to the physical world, controlling machinery, power grids, water treatment, and manufacturing lines. The primary reasons are protecting operations, preserving data integrity, and meeting regulatory compliance.
This article is specifically about the Unlock Anywhere® solution for Windows devices. Industrial PCs (IPCs) often run Windows for control, monitoring, or HMI (Human Machine Interface) applications, which means this solution is directly applicable. Here is how the Unlock Anywhere® solution can be used to protect industrial PCs that require Multi-Factor Authentication (MFA).
Applying Unlock Anywhere® to Industrial PCs (IPCs)
The Unlock Anywhere® solution can provide a robust, passwordless MFA layer for industrial PCs by securing the device at the pre-boot stage, which is a critical advantage in industrial environments.
1. Enforcing Multi-Factor Protection at System Start
- Pre-Boot Security: Industrial environments demand high uptime and security. By implementing Unlock Anywhere®, the IPC is secured before the Windows OS and any control software (like SCADA/HMI applications) even start. This is a crucial security advantage over solutions that only activate after Windows loads.
- The Two Factors:
  - Factor 1 (Device Authorization): The IPC requires the unique, cryptographic Network Boot-Key from the cloud service to unlock the BitLocker encryption and initiate the boot sequence. This ensures the physical device is authorized by the central IT/OT administration.
  - Factor 2 (User Authentication): Once Windows starts, the user must provide a second factor to log in. This can be a password or, ideally for a clean-room/hands-free environment, a Windows Hello biometric option (like facial recognition). This combination achieves true MFA for every system start and user login.
2. Eliminating Phishing and Password-Related Risks
- Passwordless MFA: In industrial settings, passwords can be weak, shared, or written down, increasing risk. Unlock Anywhere® eliminates the password as the primary authentication vector for device access. The combination of the passwordless boot key and, for example, a Windows Hello biometric login achieves a fully passwordless and phishing-resistant MFA process.
- Physical Protection: The integration with BitLocker and pre-boot protection prevents attackers (or unauthorized personnel) from accessing company data, control programs, cached network credentials, or sensitive configurations via physical access or external boot media—a potential risk on a factory floor.
3. Handling Connectivity and Security Incidents
- Flexible Access (Online/Offline):
  - Online IPCs: If the IPC has a stable network connection, it automatically requests the boot key at startup (Online Authentication by Network Boot-Key).
  - Offline IPCs: For IPCs on segregated or air-gapped networks, the QR-Code One-Time Boot Code feature ensures continued secure access. An authorized technician can use a smartphone to scan the code, obtain the one-time code (OTP), and manually unlock the PC, so the IPC itself never needs a persistent network connection to the cloud.
- Centralized Control and Incident Response:
  - The cloud console allows OT/IT administrators to instantly lock a compromised, lost, or decommissioned IPC. Because every single start requires a new, authorized key/code, the lock function is effective even if the IPC is disconnected from the network.
  - The Compliance Dashboard provides a centralized, auditable log of every boot process, which is essential for meeting regulatory demands like NIS-2 and ISO 27001 for critical infrastructure.
In summary, for an Industrial PC, a security failure is not just a data breach; it can lead to physical damage, production downtime, environmental hazards, or risks to human safety. Encryption and MFA are non-negotiable layers of defense against these catastrophic consequences.