Ransomware attacks highlight critical need to move beyond just usernames and passwords
The ongoing successful ransomware attacks against hospitals demonstrate how two-factor authentication technologies could strengthen security postures, at least according to security vendors.
“Many ransomware attacks start with access to a client machine that then gets propagated throughout a network. But if additional protections were in place, the propagation is minimized and you are not left susceptible to a broader exposure to the ransomware,” said Marc Boroditsky, vice president and general manager of two-factor authentication security vendor Authy.
Boroditsky and George Brostoff, co-founder and CEO of SensibleVision, a multi-factor authentication security vendor that specializes in facial recognition technology, said that many healthcare organizations still rely on usernames and passwords alone.
The Office of the National Coordinator for Health IT tracks hospitals using two-factor authentication and said in a 2015 report that half of non-federal acute care organizations had the technology. That figure was up 53 percent since 2010, so it is a reasonably safe bet that even more hospitals have two-factor authentication today; by the same token, it is also expected that many still do not.
Two-factor authentication, by its very nature, is a stronger way of safeguarding networks, systems and sensitive health data: in addition to “something you know,” such as a username and password, a user must also provide “something you are,” a biometric measure like a fingerprint, or “something you have,” like a token.
That makes it much more difficult for a cybercriminal who has gotten past a username and password to gain access.
“In healthcare, workstations are key. And this is where two-factor authentication comes in,” Brostoff said. “The devices we access are the front doors to the house, and two-factor authentication creates a transparent and powerful lock for those front doors.”
The most common form of two-factor authentication today is sending a code via voice call, text message or e-mail to a user, who then enters the code where indicated. This is on top of a username and password, the first of the two factors of authentication. Authy now sends out these second-factor codes via mobile push notification.
“You receive a push notification like in a typical mobile app experience, but it carries a message asking you to Approve or Deny something,” Boroditsky said. “You just click Approve or Deny, and the security is based on relying on the fact the phone is in the physical possession of the user and they have secure access to their phone.”
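The two second-factor flows described above, a one-time code delivered out of band that the user types in and a push prompt the user approves or denies on a phone in their possession, both come down to a short-lived challenge held on the server and consumed exactly once. The following is an added example, not code from the article or from Authy or SensibleVision; the class, method names, time limits and the delivery callbacks (which stand in for an SMS, voice, e-mail or push gateway so the code runs offline) are all assumptions. It shows the checks a defender wants on such a flow: codes stored only as digests, expiry, a cap on guesses, constant-time comparison, and single use so a captured code cannot be replayed.

```python
"""Hypothetical server-side second-factor service (constructed example).

Flow 1: a six-digit one-time code delivered out of band and typed in by the user.
Flow 2: a push request the user approves or denies on a phone they physically hold.
Delivery is a callback so the example runs offline; names are assumptions.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a delivered code is worthless after five minutes
PUSH_TTL_SECONDS = 120   # an unanswered push prompt simply lapses
MAX_CODE_ATTEMPTS = 5    # stops online guessing of a six-digit code


def _hash_code(code: str) -> bytes:
    # Store only a digest so a leaked table does not reveal live codes.
    return hashlib.sha256(code.encode()).digest()


class SecondFactorService:
    def __init__(self, deliver_code, deliver_push, now=time.time):
        self._deliver_code = deliver_code  # e.g. SMS/voice/e-mail gateway; stubbed here
        self._deliver_push = deliver_push  # e.g. mobile push service; stubbed here
        self._now = now                    # injectable clock for testing expiry
        self._codes = {}   # user -> {"hash", "expires", "attempts"}
        self._pushes = {}  # user -> {"id", "expires", "decision"}

    # --- flow 1: out-of-band one-time code -----------------------------------
    def start_code_challenge(self, user: str) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"  # uniform, CSPRNG-backed
        self._codes[user] = {
            "hash": _hash_code(code),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._deliver_code(user, code)  # the plaintext code leaves the server once

    def verify_code(self, user: str, submitted: str) -> bool:
        entry = self._codes.get(user)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._codes[user]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_CODE_ATTEMPTS:
            del self._codes[user]   # lock out; the user must request a fresh code
            return False
        ok = hmac.compare_digest(entry["hash"], _hash_code(submitted))
        if ok:
            del self._codes[user]   # single use: a captured code cannot be replayed
        return ok

    # --- flow 2: push approve/deny -------------------------------------------
    def start_push_request(self, user: str, action: str) -> str:
        request_id = secrets.token_urlsafe(16)
        self._pushes[user] = {
            "id": request_id,
            "expires": self._now() + PUSH_TTL_SECONDS,
            "decision": None,
        }
        self._deliver_push(user, request_id, action)
        return request_id

    def record_push_decision(self, user: str, request_id: str, approved: bool) -> bool:
        entry = self._pushes.get(user)
        if entry is None or self._now() > entry["expires"]:
            self._pushes.pop(user, None)
            return False
        # Only the device that received the push knows the request id; production
        # systems additionally sign the response with a per-device key (assumption).
        if not hmac.compare_digest(entry["id"], request_id):
            return False
        entry["decision"] = bool(approved)
        return True

    def push_approved(self, user: str) -> bool:
        entry = self._pushes.get(user)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._pushes[user]
            return False
        if entry["decision"] is None:
            return False            # still waiting on the user
        del self._pushes[user]      # consume the decision, approved or denied
        return entry["decision"]


if __name__ == "__main__":
    # Offline demo: deliveries are captured instead of sent to a real gateway.
    outbox = {}
    svc = SecondFactorService(lambda u, c: outbox.__setitem__(u, c),
                              lambda u, rid, a: outbox.__setitem__(u, rid))
    svc.start_code_challenge("clinician1")
    print("code accepted:", svc.verify_code("clinician1", outbox["clinician1"]))
    rid = svc.start_push_request("clinician2", "sign in to workstation")
    svc.record_push_decision("clinician2", rid, approved=True)
    print("push approved:", svc.push_approved("clinician2"))
```

The injectable clock is what makes the expiry paths testable; the same pattern lets an operator tune the code lifetime and attempt cap without touching the verification logic.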
SensibleVision, for its part, offers a biometric system for two-factor authentication that measures the distances between points on a user’s face to uniquely identify them from the camera in a mobile device or laptop or mounted on a PC.
“The whole time a clinician is in front of a device, we know who they are,” Brostoff said. “It eliminates the need to constantly re-authenticate when they issue a prescription or to have to put in a password again or to have a very short time that locks the device to meet HIPAA requirements.”
The first time a user signs in with the facial recognition technology, which serves as the first factor of authentication, the system also asks the user to complete a challenge, which serves as the second factor.
“The user touches a series of secret shapes, touches the fingerprint sensor or does another security mechanism while their face is being scanned, so the two factors are something you are, your face, and something you know, the security challenge,” Brostoff said. “The multi-factor authentication takes place in one or two seconds.”
Critics of two-factor authentication say adding another factor to the security equation harms the user experience, putting a layer of security in the user’s way. Two-factor authentication proponents have a simple answer to that critique.
“Two-factor authentication does hurt the system user experience, there is no doubt about it,” Boroditsky said.
But security is not intended to be convenient, he said.
“Where the world is today online, the sort of free-wheeling experience of decades ago is no longer possible for us to be able to conduct every aspect of our lives online without the expectation to take the extra step or two to protect online activities,” Boroditsky said. “The challenge is to make it as convenient as possible.”