Multifactor Authentication – A key component of the STOP. THINK. CONNECT.™ Initiative

Michael Magrath, October 18, 2016

Too often, security experts and security companies focus on the business-to-business (B2B) or business-to-government (B2G) markets. STOP. THINK. CONNECT.™ addresses the consumer: it is the global online safety awareness campaign to help all digital citizens stay safer and more secure online.

Last month, the White House and the National Cyber Security Alliance (NCSA) launched “Lock Down Your Login,” a STOP. THINK. CONNECT.™ Initiative.  “We were basically approached by the White House. The president wanted to do something on online security education and awareness, and the White House thought strong authentication was an important point to stress,” Michael Kaiser, the NCSA’s executive director, told CBS News.

Kaiser said the “Lock Down Your Login” campaign will urge consumers and businesses alike to be more cognizant of the security threats posed by traditional username-password combinations that many cybersecurity experts see as behind the times in the face of increasingly sophisticated and widespread hacks. The NCSA reports that an incredibly high 72 percent of all Americans believe that their accounts are already secure with just a username and password.

“Lock Down Your Login” recommends that you, as a consumer, “fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media.” I would also add healthcare records to that list, given the personal nature of health information and the wealth of personally identifiable information they contain.

On October 4, the Healthcare Information and Management Systems Society (HIMSS) North America and the NCSA released “2016 Practical Tips on Safeguarding Information for Healthcare Organizations.” Among the tips is “Use multi-factor authentication”: use two different factors from among something you know, something you have, and something you are.

The HIMSS/NCSA tip sheet supports the strategic roadmap milestone of HHS’s Office of the National Coordinator for Health IT (ONC), “Verifiable Identity and Authentication of All Participants,” which calls for strong authentication to access patient portals in lieu of passwords to reduce vulnerability to identity theft, and for health care organizations to implement identity proofing and authentication best practices.

Earlier this year, the HIMSS Identity Management Task Force, which I chair, published identity proofing and authentication recommendations for patients accessing their health information electronically. Included in the guidance are discussions about how to conduct identity proofing and authentication at a high level of confidence, with the smartphone as the key use case, how to handle delegating access to patient information, and how to address situations where a user would like to remain anonymous.

Virtually every industry is prone to cyberattacks, online fraud and identity theft. For years, banks have secured online transactions for commercial accounts and private banking customers via multifactor authentication. Now, through organizations like the NCSA and HIMSS, multifactor authentication may finally become mainstream in industries including healthcare, personal banking, e-commerce, education and online gaming. Having the White House leading the charge can’t hurt.

Michael Magrath is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally. He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA).