Why Two-Factor Authentication is a Statistical Necessity
To minimize risk, two-factor authentication has become a necessity and is now being widely adopted. Two-factor authentication combines two of the three possible factor types (something you know, something you have, something you are).
One basic example is ATM access which requires a card (something you have) and a PIN (something you know). In healthcare provider settings, the two authentication factors most commonly used to secure data are the proximity card that the clinician already uses to access the facility and a PIN or password. To log on, all the clinician needs to do is tap a card and type a PIN.
But what sacrifices have been made to make access to data this simple? Has security been sacrificed to ensure rapid clinician adoption?
Dissecting the prox card – are traditional methods good enough?
Unfortunately, using a proximity card plus a password is not as secure as people may hope. Authentication with an RFID proximity card and a password is better than a username and password, but it is far from secure. Proximity cards have been in use for more than 30 years for physical access control and are now used to authenticate to networks and single sign-on systems in addition to their role in physical access control. But is it really the best choice for logical access control in healthcare settings?
Proximity cards use a static number, called a card serial number (CSN), that is sent over the air, unencrypted, to a reader. This number is correlated to a user’s identity. In other words, the static CSN acts as a username and, with the password or PIN, the two are used to unlock a user’s desktop or single sign-on session. In combination with a static CSN, newer RFID contactless cards offer the capability to write and store data on a card, encrypt data at rest and in transit, and securely exchange this data.
Yet these features are typically only used for physical access control and are not used for desktop authentication. These higher security features must be implemented in cooperation with the card vendor, decrease the speed at which a user is recognized and limit the interoperability of the system with various card technology. For these reasons, most authentication software utilizes the CSN irrespective of what card technology is used.
In short, the common denominator is the card serial number which is fast and interoperable. Unfortunately, the CSN is an unencrypted static number which can be simply copied or cloned. Is a static card number plus a password any more secure than the former username/password model that it replaced?
The majority of single sign-on solutions also offer the capability to use a proximity card with no PIN as an authentication method, or a “grace period” feature that bypasses the need to enter a password for each logon event. At the start of the day, a card and password are required, but for the next 4-8 hours only the card is required for authentication. When no password or PIN is required for user authentication, a lost or stolen card can be used by anyone – even without a password.
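To make the two preceding points concrete, here is an added Python model of the CSN-plus-PIN logon flow and of the grace-period and card-only modes. It is not code from the original article or from any vendor's product; the card directory, serial numbers, PINs and hypothetical `SsoAuthenticator` class are constructed for the example. The model records how many factors were actually verified for each granted session, so an audit can show which sessions were opened on possession of the card alone.

```python
"""Constructed model of a card-plus-PIN single sign-on logon policy."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2 for the stored PIN; the PIN is the "something you know" factor.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# Constructed directory: card serial number (CSN) -> (user, salt, PIN hash).
# The CSN is a static, unencrypted identifier and plays the role of a username.
_SALT = b"constructed-salt"  # fixed only so the example is deterministic
CARD_DIRECTORY = {
    "0A1B2C3D": ("dr.jones", _SALT, _hash_pin("4821", _SALT)),
    "11223344": ("nurse.lee", _SALT, _hash_pin("9073", _SALT)),
}


@dataclass
class LogonResult:
    user: Optional[str]
    granted: bool
    factors_verified: int  # how many factor checks passed (card lookup, PIN)
    mode: str              # "card+pin", "grace", "card-only" or "denied"


@dataclass
class SsoAuthenticator:
    """Hypothetical SSO policy engine: card tap plus optional PIN."""
    grace_period: timedelta = timedelta(hours=8)
    allow_card_only: bool = False
    _last_full_auth: dict = field(default_factory=dict)

    def logon(self, csn: str, pin: Optional[str], now: datetime) -> LogonResult:
        entry = CARD_DIRECTORY.get(csn)
        if entry is None:
            return LogonResult(None, False, 0, "denied")
        user, salt, pin_hash = entry
        if pin is not None:
            # Full two-factor logon: card identified the user, PIN proves knowledge.
            if hmac.compare_digest(_hash_pin(pin, salt), pin_hash):
                self._last_full_auth[user] = now
                return LogonResult(user, True, 2, "card+pin")
            return LogonResult(user, False, 1, "denied")
        # Only the card was presented: possession of the CSN is the sole factor.
        last = self._last_full_auth.get(user)
        if last is not None and now - last <= self.grace_period:
            return LogonResult(user, True, 1, "grace")
        if self.allow_card_only:
            return LogonResult(user, True, 1, "card-only")
        return LogonResult(user, False, 1, "denied")


def single_factor_sessions(results: list[LogonResult]) -> list[LogonResult]:
    """Audit helper: granted sessions in which only the card was verified."""
    return [r for r in results if r.granted and r.factors_verified < 2]


def run_demo() -> dict[str, LogonResult]:
    """Constructed day of logons for one clinician under an 8-hour grace period."""
    auth = SsoAuthenticator(grace_period=timedelta(hours=8))
    t0 = datetime(2024, 1, 1, 7, 0)
    return {
        "morning_full": auth.logon("0A1B2C3D", "4821", t0),
        "in_grace": auth.logon("0A1B2C3D", None, t0 + timedelta(hours=1)),
        "after_grace": auth.logon("0A1B2C3D", None, t0 + timedelta(hours=9)),
        "wrong_pin": auth.logon("0A1B2C3D", "0000", t0),
        "unknown_card": auth.logon("DEADBEEF", None, t0),
        "card_only_policy": SsoAuthenticator(allow_card_only=True).logon("11223344", None, t0),
    }


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:18} user={r.user} granted={r.granted} "
              f"factors={r.factors_verified} mode={r.mode}")
```

Running the demo shows the policy reduction the article describes: the first logon of the day verifies two factors, every subsequent logon within the grace window is granted on the card alone, and a card-only policy never verifies more than one factor. The `single_factor_sessions` audit is the check a defender would run over real SSO logs to measure how much of the day is effectively single-factor.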
Security vs. convenience: users should not have to choose!
The reality is that security has taken a backseat to workflow at every stage. Proximity cards were never designed to protect networks, applications and sensitive data, yet many organizations rely on this technology to protect their most critical assets.
What is the alternative? It must be at least as convenient as using a card and password, and it must positively identify the person accessing the information. Something that an employee can share with others, such as a username and password, does not identify “who” without some level of doubt. Something that can be easily duplicated, such as a static card serial number, also does not absolutely identify “who.” Only through the use of a biometric can the authorized individual be positively identified to securely grant access while creating a record of the authenticity of the transaction.
Knowing “who” matters!
Fingerprint biometrics is the most widely used biometric technology. More convenient than using a card-based system, a fingerprint biometric authentication solution does not require the user to carry some other device, card or token. Requiring no more than the placement of a finger on a sensor, authentication using fingerprint biometrics enhances clinician workflow while delivering the level of security that is required to protect sensitive health information.
However, not all fingerprint biometric solutions are created equal. To maximize adoption, it is critical to select a fingerprint sensor that works in real-world environments and that can deliver consistent results irrespective of race, gender, age or physical conditions. To truly enhance workflow, the sensor needs to work every time, and for every user.
To address the shortcomings of conventional fingerprint technologies, a fingerprint technology has been developed that is able to work across the range of common operational conditions. Called multispectral imaging, this technology collects information about both the surface and subsurface fingerprint to capture reliable data every time, regardless of whether a user’s finger is dry, wet, dirty, slightly rotated or difficult to capture.
Multispectral imaging allows users to enroll and authenticate quickly and accurately every time, removing the need to call the help desk or use a secondary authentication method due to issues with the primary mode. Multispectral imaging enhances user adoption rates because it is simple, reliable and secure.
The time has come to replace an inadequate and archaic security solution with one that is truly tied to the individual. The threat landscape continues to grow along with the migration to electronic records and increased access to systems and information, meaning greater exposure to unauthorized access and cyber-attacks. The industry’s reliance on technology designed more than 30 years ago is not sufficient to protect us from the current threat landscape, nor will it prevent new attacks. It’s time that we implement solutions that make no compromises and deliver both security and convenience.