NZ Incident Response Bulletin – September 2025

Beyond Passwords & MFA: Why Device Filtering Matters

Strong passwords and Multi-Factor Authentication (MFA) are now considered the bare minimum for protecting organisational systems. These controls stop many attacks — but they don’t stop them all. In fact, attackers are increasingly shifting their focus away from simply stealing credentials and towards exploiting the devices people use to log in. A personal laptop that is missing critical security patches, a contractor’s phone without encryption, or an old desktop that hasn’t been properly registered can all become back doors into corporate systems. Even if the person logs in with MFA, the underlying device may already be compromised, leaving the organisation exposed. Device filtering addresses this risk by going beyond the “who” and adding the “what” — ensuring that only trusted, well-managed, and secure devices can access sensitive systems.

Breaches That Could Have Been Stopped

Breach 1: An Employee with a Malware-Infected Laptop

We have seen examples where accounts have been permitted access from computer makes and models that the company does not supply. A firm can suffer a data breach if an employee logs into corporate email from such an unmanaged personal device. Even though the employee may use MFA to log in, the compromised laptop can capture the session token. Attackers then bypass MFA and gain access to sensitive information.

Breach 2: A Threat Actor Logging In with Stolen MFA Credentials

In another scenario, a threat actor successfully phishes an employee, stealing both their username and MFA credentials. Instead of using the employee’s device, the attacker attempts to log in from their own machine. Without device filtering, this activity may appear legitimate, as the credentials and MFA check both succeed. Device filtering, however, would spot that the login is coming from an unrecognised and non-compliant device. Access could then be blocked, or restricted to read-only, preventing the attacker from fully breaching the system.

What is Device Filtering?

Device filtering (sometimes called “context-aware access”) means applying rules that decide:

  • Should this device be allowed to access corporate data at all?
  • Should access be limited to certain apps or functions if the device is personal or unmanaged?
  • Should higher-risk devices have to meet extra requirements (e.g. re-authenticate, use stronger encryption, or be blocked altogether)?

Instead of a one-size-fits-all policy, device filtering allows organisations to tailor access based on real-world risk.

How the Big Players Do It

Microsoft:

Microsoft’s identity platform lets organisations include or exclude devices from access policies based on their type, ownership (work vs personal), or how they were set up. This means company-owned laptops can get full access, while personal or unregistered devices can be restricted or required to pass extra checks.

Google:

Google offers “Context-Aware Access,” where managers can set rules such as: only allow access to Drive or Gmail from devices that are encrypted, updated to the latest version, and registered with the company. Contractors or unmanaged devices may be limited to web-only access or blocked from downloading files.

Both approaches give organisations far more flexibility than simply saying “yes” or “no” to a login attempt.
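The following is an added illustration, not code from the bulletin or from Microsoft or Google: a small context-aware access evaluator that answers the three questions above (allow at all, limit to certain functions, require extra checks) from device attributes, then produces the kind of metrics the governance section asks for. The device attributes, the list of supplied models, the policy ordering and the sample sign-ins are all constructed for the example; the two breach scenarios from this bulletin appear as the "bob" and "carol" sign-ins.

```python
"""Device filtering (context-aware access) policy evaluator.

Added illustration only: attributes, rules, supplied-model list and sign-in
records are constructed and do not reflect any vendor's policy engine.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Access decisions. LIMITED stands for web-only / read-only / no downloads.
FULL, LIMITED, BLOCK = "full", "limited", "block"

# Constructed list of the hardware models the organisation actually issues.
SUPPLIED_MODELS = {"Latitude 5540", "MacBook Pro 14"}


@dataclass(frozen=True)
class Device:
    registered: bool   # present in the organisation's device register
    ownership: str     # "company" or "personal"
    managed: bool      # enrolled in device management, compliance evaluated
    encrypted: bool    # disk encryption enabled
    patched: bool      # critical security patches applied
    model: str         # hardware model reported at sign-in


@dataclass(frozen=True)
class SignIn:
    user: str
    mfa_passed: bool
    device: Device


def decide(signin: SignIn) -> tuple[str, str]:
    """Return (decision, reason). Identity is checked first, then the device.

    Rules are ordered from most to least restrictive so the first match wins.
    """
    d = signin.device
    if not signin.mfa_passed:
        return BLOCK, "mfa-failed"
    # A valid password and MFA are not enough: an unknown device is refused
    # even when the credentials are correct (stolen-credential scenario).
    if not d.registered:
        return BLOCK, "unregistered-device"
    # A device registered as company-owned but of a model the firm never
    # supplies is treated as mis-registered hardware and refused.
    if d.ownership == "company" and d.model not in SUPPLIED_MODELS:
        return BLOCK, "unexpected-model"
    # Registered personal or unmanaged devices get restricted access only.
    if d.ownership != "company" or not d.managed:
        return LIMITED, "personal-or-unmanaged"
    # Company devices that fall out of compliance are restricted until fixed.
    if not d.encrypted or not d.patched:
        return LIMITED, "non-compliant"
    return FULL, "compliant-company-device"


def report(signins: list[SignIn]) -> dict:
    """Governance metrics over a batch of sign-ins: blocked sign-ins from
    non-compliant devices, distinct unmanaged devices still being used, and a
    breakdown of decision reasons."""
    outcomes = [(s, *decide(s)) for s in signins]
    return {
        "blocked_sign_ins": sum(1 for _, dec, _ in outcomes if dec == BLOCK),
        "unmanaged_devices_in_use": len(
            {s.device for s, dec, _ in outcomes if dec != BLOCK and not s.device.managed}
        ),
        "reasons": Counter(reason for _, _, reason in outcomes),
    }


# Constructed sample sign-ins; every one of them passed password and MFA.
SAMPLE_SIGNINS = [
    # Managed, patched, encrypted company laptop: full access.
    SignIn("alice", True, Device(True, "company", True, True, True, "Latitude 5540")),
    # Breach 1: employee on an unregistered personal laptop missing patches.
    SignIn("bob", True, Device(False, "personal", False, False, False, "HomeBook 3")),
    # Breach 2: attacker with phished credentials and MFA on their own machine.
    SignIn("carol", True, Device(False, "personal", False, True, True, "Latitude 5540")),
    # Registered personal device (BYOD): web-only, no downloads.
    SignIn("dave", True, Device(True, "personal", False, True, True, "MacBook Pro 14")),
    # Company laptop that has fallen behind on patches.
    SignIn("erin", True, Device(True, "company", True, True, False, "Latitude 5540")),
    # Recorded as company-owned, but a model the firm never issues.
    SignIn("frank", True, Device(True, "company", True, True, True, "HomeBook 3")),
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        print(f"{s.user:6} {s.device.model:14} -> {decide(s)}")
    print(report(SAMPLE_SIGNINS))
```

Note that "bob" and "carol" are refused for the same reason: the evaluator never learns whether the credentials were stolen, it only sees that the device is not one the organisation knows, which is the whole point of adding device trust on top of MFA. The `report` function returns values rather than printing them so the same numbers can feed a dashboard or a periodic governance report.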

Key Governance Lessons & Recommendations

Keep policies clear and under control

Many organisations build up too many overlapping conditional access rules over time. This creates confusion about what is actually enforced and leaves space for mistakes. Simplify policies, give them clear names, and review them regularly to remove duplicates or outdated rules.

Tightly manage exceptions

Excluding certain accounts (like contractors, service accounts, or emergency “break-glass” accounts) may be necessary, but every exclusion creates a potential weak spot. Leaders should ensure all exceptions are documented, approved at the right level, and revisited frequently to avoid creeping risk.

Cover every type of user and device

Security rules must apply beyond employees. Guest accounts, third-party contractors, automated systems, and older applications often fall outside standard protections. Governance teams should confirm that these areas are included in access reviews and not left as blind spots.

Invest in proper device management

Device filtering only works if the organisation can clearly identify and manage the devices connecting to its systems. This means keeping an accurate register of company-owned devices, ensuring they are patched and encrypted, and deciding what level of access, if any, should be given to personal devices.

Monitor effectiveness and demand regular reporting

Boards and executives should ask for metrics that show how well policies are working — such as the number of blocked sign-ins from non-compliant devices, how many unmanaged devices are still in use, and how often emergency accounts are accessed. Regular reporting helps governance bodies confirm that access controls are effective and aligned with risk appetite.

The shift from identity-only security (passwords and MFA) to identity plus device trust is now essential. Device filtering ensures that only secure, well-managed devices can connect to your systems, reducing the risk of attackers slipping in through unmanaged endpoints. For non-technical leaders, the message is simple: it’s no longer just about who logs in, but also about what they’re logging in from.

About the Bulletin:

The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.