What are the main password risks of BYOD?

The primary BYOD credential risks are: credentials saved in the personal browser's autofill (accessible to anyone who uses the device, retained after the employee leaves), mixing personal and work accounts in the same password manager (the personal manager is outside the organisation's control and recovery), malware on personal devices capturing keystrokes or clipboard contents, and unauthorised access to work systems if the device has no screen lock or weak PIN.

Can we require staff to use our company password manager on their personal devices?

Yes, this is standard in BYOD policies. The business password manager app is installed on the personal device, but it only gives access to work credentials — personal credentials remain separate. This is the critical difference from asking employees to add work credentials to their personal manager. Business managers like Bitwarden Business and 1Password Business can be configured to not allow work credentials to be exported or viewed outside the app.

What screen lock requirements should we enforce for BYOD?

BYOD policies should require a minimum screen lock of a PIN of at least 6 digits, a biometric (fingerprint or Face ID), or a strong password. 4-digit PINs are easily guessable or observed. Automatic lock after 2-5 minutes of inactivity is appropriate. Some organisations enforce this technically via Mobile Device Management (MDM); others rely on policy and training. MDM is more reliable for compliance purposes but requires the employee to enrol their personal device, which some staff resist.

Should BYOD employees use a VPN?

Yes, a split-tunnel VPN that routes corporate traffic through the company network (or Zero Trust access proxy) is the minimum for devices accessing internal resources. For cloud-only organisations, Conditional Access policies — which check device compliance (screen lock, disk encryption, current OS) before allowing login — are an alternative that does not require a VPN and works well for Microsoft 365 and Google Workspace.

How do we revoke BYOD access when an employee leaves?

Revoking BYOD access requires: removing the employee from the company password manager (which revokes access to all shared credentials); disabling their SSO account (which prevents login to all SSO-connected services); revoking their MFA tokens; and, if MDM is enrolled, remotely wiping corporate data from the device. The most critical revocation is the password manager and email account — these are the keys to everything else. Have the IT off-boarding checklist completed on the final working day.

BYOD Password Risks and How to Mitigate Them

Bring Your Own Device policies are common in SMEs where providing every employee with a company device is cost-prohibitive. They create a complex security environment where corporate credentials exist on a device the organisation does not control, running software it has not vetted, on networks it cannot monitor. With the right controls in place, BYOD is workable; without them, it is a significant credential security risk.

BYOD Credential Risks by Category

Risk	How it manifests	Control
Browser autofill spillover	Work credentials saved in personal browser profile, accessible to family members	Mandate company password manager for all work credentials
Retained access after leaving	Employee still has work credentials on personal device months after departure	Revoke password manager access on last day; change shared credentials
Personal device malware	Malware capturing keystrokes or clipboard on a personal device used for work	MDM with malware detection; require up-to-date OS; block side-loaded apps
Weak screen lock	Physical device access gives access to work apps	Policy and/or MDM requiring strong PIN or biometric
iCloud/Google backup of credentials	Work credentials backed up to personal cloud account outside company control	Configure password manager to prevent backup; use business app not personal

The Minimum BYOD Policy Requirements

All work credentials accessed exclusively through the company password manager app, not the personal browser or personal password manager
Screen lock with PIN of at least 6 digits or biometric, auto-lock within 5 minutes
MFA enabled on all work accounts accessed from the personal device
Disk encryption enabled (standard on iOS; Settings → Security on Android)
Written agreement at onboarding that the company may require remote wipe of corporate data on departure

Practical tip: The most cost-effective BYOD security control for most SMEs is a business password manager with a clear usage policy. It solves the credential separation problem without requiring MDM software, which many employees resist installing on personal devices.

BYOD mobile security remote access credential security MDM

For informational purposes only. Consult a qualified IT security professional for advice specific to your organisation.

← HR Security Onboarding: The Password Checklist