In 2017, the National Institute of Standards and Technology released updated guidelines on passwords. NIST outlines guidance for securing digital identities and defines three assurance levels. Level 1 is the lowest level and should be selected only if there is minimal or no impact from a compromised account. Level 2 is the middle tier. Level 3 is the top tier, reserved for the most sensitive data, and should require the use of an encrypted application providing a one-time passcode on a smartphone or fob that securely communicates with the server granting access. This demotes the password to a gateway through which additional authentication is triggered. If a password is compromised, the additional factor is unlikely to be compromised as well, and the account remains secure.
Fallacy: All multifactor authentication methods are equal
In most organizations, two-factor authentication is used because it sufficiently reduces the possibility of spoofing, hacking and interception.
A commonly used method is sending a code via SMS text messaging to a registered device. While text messages can be intercepted, interception is relatively rare, so the method is considered moderately secure. The NIST Level 3 approach is to use a secure, installed app on a device that maintains communication between the server and the device through an encrypted channel. Many apps on the market do exactly this.
Biometrics are now commonly used to open smartphones with a fingerprint or log in to a computer with facial recognition. While these are popular with consumers, they are more challenging in healthcare. End users often wear masks and goggles (making facial recognition impossible) or gloves (inhibiting fingerprint swiping). In addition, they often don’t have their hands free to respond to a text message or push notification on their phones.
Biometrics also have another inherent risk: They can’t be changed. The danger of iris scans or fingerprints being stolen is an evolving threat. Some privacy advocates are concerned about requiring the use of biometrics. Regardless, their use continues to expand as the ethical concerns are debated.