User Login, Logout, and Authentication
Access to beemNet is secured to protect your company’s most valuable digital assets. That’s why every user must log in before connecting. The way you log in depends on the beem Security Edition your company uses and whether your company manages logins internally or relies on beem’s built-in options. If you are unsure which method applies to you, please contact your beem administrator for guidance.
User Login
The login process is the first step in accessing the beemNet. It ensures that only authorized users can interact with the beem app, the beemNet and its services. How users are identified depends on the beem Security Edition deployed by your organization. Each new login applies a default configuration defined by your beem administrator.
Users of the beem Essential Security Edition identify themselves using a Swiss mobile phone number. This number must be capable of receiving SMS messages. All major Swiss mobile providers are supported. On the welcome screen, select Log in with Phone number to authenticate using a Swiss mobile number.
For users of the beem Basic, Plus, or Premium Security Editions, login is managed through enterprise credentials. By default, these credentials are based on a Swisscom Business Account or other authentication methods provided by the user’s organization.
- Swisscom Business Account usernames follow the syntax of an email address, e.g., susi.schwyz@company.beem.swiss.
- The login process begins at the welcome screen.
- If the user selects Log in with Phone number, they will receive an SMS containing their username.
- To proceed, users of the Basic, Plus, or Premium Security Editions should choose Log in with Username
- For Swisscom Business Accounts, this triggers password-less authentication.
- For other enterprise credentials, the app will prompt the user to enter their credentials, which are then verified through the organization’s identity provider.
Further details on login for beem administrators
The beem tenant is chosen automatically based on the username. Hence, beem employs the widely used User Principal Names (UPN) schema for usernames. Therefore, we assume that beem users are equipped with usernames or a UPN whose syntax is like an email address. For example, jane.doe@company.com It's important to note that while a UPN can also be an email address linked to an email server, it doesn't have to be.
The suffix following the @ is particularly important. UPNs follow the same conventions as the internet's domain name system. This suffix, known as the domain, is globally assigned to a beem tenant and serves as the foundation for the beem's app auto-discovery feature. This ensures that users don't need to know any configuration parameters. Knowing their username is sufficient.
WARNING
UPNs must always be specific to a tenant when using the beem app. This requirement does not apply to other access methods, such as the beem Application Portal or the Captive Portal.
The beem app includes a manual connection feature, which entails manual login. This feature is intentionally kept "hidden" from end-users due to its complex technical nature, as it is expected to be used infrequently and primarily for diagnostic purposes.
To access manual connection:
Start from the Welcome Screen and choose one of the login options:
- Log in with Username or
- Log in with Phone number.
Open the Settings Menu:
- Tap the ☰ icon in the upper right corner of the home screen.
Navigate to the Manual Connection Option:
- On most devices: ☰ → Imprint → Manual connection
- On macOS: ☰ → General → Imprint → Manual connection
INFO
A manual connection is only required in exceptional cases and requires specific technical parameters. If a manual connection is truly necessary, Swisscom or your implementation partner will contact you directly.
Authentication
Authentication is a core security feature of the beem app. It verifies the identity of users and ensures that only authorized individuals can access sensitive features and data within the beemNet.
In the beem Essential Security Edition, authentication is performed using a one-time verification code sent via SMS. Entering this code completes the authentication process and advances the login. If the code is not entered within 10 minutes, the authentication will time out. Depending on the client operating system, if you see the “Authentication Timeout” screen, there will be either a close X button in the top right corner or a back ← button in the top left corner. Clicking or tapping this button will return you to the login screen, where you can try to authenticate again.
Using SMS and one-time verification codes for authentication is simple and effective for individuals or small teams. However, it is considered weak from a security standpoint. The primary purpose of the Essential Security Edition is to protect users from online threats and to ensure secure and private browsing. Hence, it may still be deemed insufficient as it does not safeguard access to company data and business applications.
In the higher-tier Security Editions Basic, Plus, and Premium, authentication is integrated with enterprise systems. Users log in using credentials and authentication methods managed by their organization or, by default with a Swisscom Business Account. Both variants support centralized user management and enhanced security policies. Authentication must occur within 10 minutes, or it will time out.
When using Swisscom Business Accounts, authentication is fast, safe, and easy thanks to passkeys technology, which eliminates the need for passwords. This method is considered highly secure because it addresses key weaknesses of traditional multi-factor authentication (MFA). With MFA, users can still be tricked into approving fake login requests or entering codes on websites that only appear legitimate.
Passkeys eliminate these risks by offering a phishing-resistant and seamless login experience. The security level can be further enhanced by combining passkeys with Device Management as there we document a user-focused view on the topic and/or by using hardware keys. For more details, please refer to the documentation on supervised passkeys and hardware passkeys.
Re-authentication Mechanism
The beem app includes a built-in mechanism to periodically prompt users to re-authenticate. This interval is configured by the beem administrator and helps maintain session integrity and compliance with organizational security standards. Users receive a system notification 15 minutes before re-authentication is required. When prompted, users must verify their identity again via SMS, authenticate via a passkey, or re-enter their corporate credentials, depending on the Security Edition and configuration at hand. It is important to note that re-authentication does not necessitate or imply a logout; rather, the user remains logged in but is no longer authenticated. Authentication must be completed within 10 minutes, or it will time out.
When there is no authentication the behavior of the beem app depends on the “Always On” and “Fail-Mode” choices of the beem administrator. To learn more about “Always On,” “Fail-Open,” and Restricted or Limited Access while “Fail-Close” applies refer to Always On & Untrusted Networks.
WARNING
If the user is not authenticated, network traffic cannot be routed through beemNet. As a result, the app behaves as if disconnected from beemNet: protected business applications become unavailable, and Internet access may be either unsecured or completely inaccessible.
On macOS and Windows, if there is no valid authentication, the beem app automatically opens, prompting for authentication, and the status icon in the menu or tray bar turns red. If authentication times out while your computer is off or in sleep mode, the user will be prompted to authenticate upon restarting the device.
On iOS, iPadOS, and Android, a notification is sent instead. When the user taps on the notification or opens the beem app, they are prompted to authenticate. If authentication times out while your smartphone or tablet is off or in sleep mode, the user will also need to either tap the notification or open the app manually to authenticate. Therefore, it's important to remember to check for the notification or open the app after restarting the device.
User Logout
To log out of the beem app, users must navigate to the settings menu ☰ in the upper right corner of the home screen of the app and select the Log out option. This action is confirmed through a prompt to prevent accidental logouts. Logging out resets the app to its default state. All user-specific and administrator-defined settings are cleared. This includes custom configurations, preferences, and any temporary session data. Upon the next login, the app will reapply the default configuration as defined by the beem administrator.
Users are advised not to log out unless absolutely necessary. Common reasons for logging out include switching to a different account or resolving authentication issues. Since logging out removes all personalized settings, it is generally better to remain logged in and rely on the app’s automatic re-authentication mechanism.
Who Am I Logged in as?
If you want to check which username or phone number you used to log in to the beem app, just open to the settings menu ☰. At the top of the screen, you’ll see the current login credentials being used by the app.
Further details on Identity Federation for beem administrators
If an organization wishes to federate their existing Active Directory, Entra ID, or similar directory services, this can be achieved. Please reach out to your implementation partner or Swisscom for assistance.