The Unpatchable User: The Case for Continuous Device Security

The Human "Jane" Dilemma

Jane loves to play Pumpkin Smash. It’s her favorite game, but it’s not being updated anymore, and so if Jane updates her phone’s operating system, she’ll lose the app. Jane never updates. You would have to pry her phone from her cold dead fingers before it will ever see iOS 26.

Meanwhile, the number of well-known zero-day vulnerabilities in her outdated OS is more than the stars in the sky. The good news is if she ever forgets her email password, any hacker in the world could help her get access back!

There are many Janes at many different companies. They bring their own devices, and they expect to be able to do daily tasks at work with them. Jane needs to be able to do non-critical work stuff like ordering lunch and paying for car charging. Meanwhile, Jane’s company wants to be able to see and auditably prove that Jane’s device is staying out of critical systems where it doesn’t belong. How do we reconcile the two needs?

Why do static access policies fail in modern environments?

For users like Jane, static access policies that grant or deny access based on a one-time check are woefully inadequate. These outdated policies fail to account for the context of the device or the sensitivity of the task, allowing Jane’s vulnerable, unpatched phone to access systems it shouldn’t, like financial records, while potentially blocking her from harmless tasks.

Additionally, passwords and basic two-factor checks don't work anymore. They verify Jane once and then ignore whatever her device is doing, so her outdated phone, full of security holes, can still access important stuff.

Moreover, tools like MDM are fine for company devices but do nothing for personal phones or some contractor's Linux laptop. That leaves openings for hackers to steal credentials or slip in. We need security that keeps watching and adjusts based on the device and what it's trying to do.

How does dynamic access control solve this problem?

Dynamic access control, in contrast, continuously evaluates the device’s security posture and the user’s intent in real time, adapting permissions based on factors like OS version, patch status, or the resource being accessed. This fluid approach ensures Jane’s outdated device is restricted from critical systems while still permitting non-sensitive tasks, reducing risk without disrupting productivity. Such continuous, context-aware security is vital to balance usability and security.

But dynamic control on its own is only one part of the equation. To truly secure a modern enterprise, this real-time intelligence cannot operate in a silo. It must be part of a universal framework that extends across every device, integrates with the entire security stack, and is enforced by phishing-resistant authentication.

What is required for a universal device security solution?

Achieving continuous, universal device security demands comprehensive coverage across all platforms, including Linux, which is critical for organizations with diverse ecosystems like research labs or devops environments where Linux workstations and servers are prevalent. Jane’s outdated phone is just one piece of a broader device landscape.

To be truly universal, a security solution must also integrate seamlessly with the tools an organization already uses. Instead of relying solely on detection and response, it should be able to ingest real-time risk signals from endpoint security platforms like CrowdStrike, Jamf, and JumpCloud. Feeding device compliance or threat indicators directly into the authentication process allows organizations to proactively block vulnerable devices from accessing sensitive resources.

Finally, this entire framework must be grounded in strong, phishing-resistant authentication. A robust policy engine must be capable of enforcing rules across all operating systems, using modern credentials like device-bound passkeys to ensure that a compromised or non-compliant device simply cannot access critical systems. This continuous, universal approach is the backbone of a true Zero Trust security posture, protecting the organization from its weakest link...the vulnerable device.

About Beyond Identity

Beyond Identity tackles the challenge of securing users like Jane with phishing-resistant, passwordless MFA using device-bound passkeys stored in secure hardware, and a robust policy engine that ensures her outdated phone can’t access critical systems. Our platform continuously monitors device posture across all operating systems, including Linux, and integrates with tools like CrowdStrike to block risks in real time, reducing breaches, simplifying compliance, and keeping productivity smooth. In a world where hybrid work and diverse devices are the norm, this continuous, universal approach is the backbone of Zero Trust security.

Don’t let vulnerable devices be your weak link. See how we can protect your organization while keeping your Janes ridiculously happy.