
Aug 12 2024
Security

Unlocking Modern Healthcare Security: A Journey Beyond Passwords

Evolving security solutions enable passwordless capabilities that make healthcare organizations safer.

Clinicians typically use several apps throughout their day, and that is likely to continue as the number of healthcare-focused apps increases. The time it takes to type in passwords for those apps can add up, even if an organization uses a single sign-on solution, making entering passwords a tedious step in a clinician’s day that takes away from time spent caring for patients — not to mention that keeping track of unique, often complex passwords for different apps or systems can be a major hassle.

Passwords also create significant costs for health systems that must pay help desks to assist users in resetting their passwords over and over again. To make matters worse, passwords remain one of the most vulnerable authentication methods available.

“The need to manage passwords and overcome problems related to them leads to massive frustration and lost productivity,” writes Jeremiah Salzberg, chief security technologist for CDW.

Because of the limitations and unpopularity of passwords, experts have been predicting their end for decades, but they’re still here. However, some advances in authentication technologies, including biometrics, the browser-based Web Authentication API and push notifications, may offer an avenue for some organizations to finally go passwordless.


The Promise of Passwordless Authentication

Password weaknesses have become more of an issue in recent years as cybercriminals have started using tools such as artificial intelligence to enhance their attacks. AI can be used not only for common attack techniques such as phishing but also for cracking passwords. Theft is another significant vulnerability for passwords: A March 2024 Keeper report revealed that 52% of IT leaders said their IT teams struggle with frequently stolen passwords. This is especially concerning when patient data is at risk.

The prospect of no longer having to deal with passwords holds significant appeal for healthcare IT professionals and users. In fact, 56% of internet users said they are excited about passwordless authentication, according to a 2023 Bitwarden survey.

This excitement is well founded, as healthcare organizations could see significant benefits from going passwordless. According to security vendor CyberArk, “Passwordless Authentication strengthens security by eliminating risky password management practices and reducing attack vectors. It also improves user experiences by eliminating password and secrets fatigue.”


Tools That Support Passwordless Authentication

A variety of technologies have emerged to help organizations achieve their passwordless objectives. One example is biometric authentication. According to security vendor Okta, “Biometric authentication is a security process that uses unique biological characteristics like fingerprints, eye patterns, facial recognition, and voice analysis to confirm and verify a person’s identity before granting them access to a physical space or digital system.”

Biometric solutions can provide a higher level of security because the unique identifiers they rely on are difficult to replicate or hack. They also are generally faster and more convenient for users than many other authentication techniques, which improves the user experience and gives clinicians more time to focus on patient care. This makes it simpler for a healthcare organization to implement continuous authentication, where identity is verified at regular intervals while users are logged in to a system, improving security.

Push notifications are another tool for passwordless authentication. Solutions such as Microsoft Authenticator can send a push notification to a user’s registered mobile device. The notification includes details about the authentication attempt and enables the user to approve or deny it.


Passwordless authentication can also be enabled by the Web Authentication API (also known as WebAuthn). This application programming interface, which was created by the FIDO Alliance and World Wide Web Consortium, enables an organization to authenticate users via public key cryptography instead of passwords. By creating a private-public key pair, the API allows a server to use strong authenticators built into devices to verify the identity of authorized users.

Several other tools — including smart cards, QR codes and mobile one-time passcode generators such as Google Authenticator — can also help healthcare organizations establish passwordless authentication. Experts suggest that organizations start looking now at how they might deploy solutions such as these to finally rid themselves of the headaches that passwords have created for decades.

“The time for passwordless authentication is here, and organizations should start moving toward it,” CDW’s Salzberg writes. “We still face some challenges to getting rid of passwords altogether, and we need to ensure we are using the most secure multifactor authentication options for our most critical systems.”
