Security

Security through controlled operation

DeskBridge treats access, identity, support and evidence as one security surface.

Controls

  • MFA and identity routing
  • FIDO2/WebAuthn security keys and passkeys where supported by the client access route and service design
  • Role- and expiry-based access
  • Helpdesk-backed changes
  • Offboarding proof
  • Evidence packs and management reporting

FIDO2 and passkey position

DeskBridge can support phishing-resistant authentication through FIDO2/WebAuthn security keys and passkeys where the user device, browser, identity route, enrolment process and recovery model support it. TOTP and recovery codes may remain in scope for compatibility, recovery or staged rollout. DeskBridge does not claim every deployment is passwordless-only unless that has been explicitly scoped, tested and recorded.

Data access assurance models

DeskBridge offers three key custody models. The right answer depends on how much managed-service support the client wants compared with how much direct control the client wants over protected data access.

DeskBridge Managed Keys

Best fit: Core Workspace and Managed Business Workspace clients who want normal managed-service support, recovery and migration capability.

  • DeskBridge operates encryption and recovery controls under role control, approval, audit logging, support records and change evidence.
  • Authorised privileged data access should be tied to audit, support or change records, with the purpose, operator, scope and timing recorded where the service path supports it.
  • Caveat: privileged DeskBridge operators may technically access protected service data where required for authorised support, recovery, migration, security or lawful operation.

Customer-Controlled Keys

Best fit: Assurance clients, regulated clients and clients needing stronger approval over protected data access.

  • The client controls key release or approval while DeskBridge operates the service.
  • Caveat: restore, migration, search, malware scanning, legal hold, support investigation and incident response may require client participation. Delayed key release can affect service levels.

Customer-Held / Zero-Knowledge Keys

Best fit: high-assurance, legal, defence-sensitive, sovereign or board-level assurance requirements where the client accepts reduced managed-service capability.

  • DeskBridge does not hold usable decryption keys for protected data covered by the model.
  • Caveat: lost keys may mean unrecoverable data. Some server-side features may be unavailable, reduced, or delivered client-side only.

Key-control trade-off

Stronger client key control reduces DeskBridge's ability to inspect, recover, search, scan, migrate or troubleshoot protected content without client participation. DeskBridge does not claim total privacy, perfect confidentiality or guaranteed zero access; final commitments are confirmed in the signed proposal and service design.

Next step

Plan the right workspace

Tell us the team size, access risks, applications, support expectations and audit requirements. DeskBridge will map the right package before deployment.