4 reasons two-factor authentication isn’t a silver bullet

Hacking remains a constant threat, but with each security lapse, we learn something important about the shortcomings of our current data protection methods. In October 2017, for example, hackers exposed the personally identifiable information (PII) of 18,470 patients at the Henry Ford Health System in Detroit after stealing employees’ emails. With only a single layer of authentication protecting the data, the thieves could easily break into the system. 

This isn’t uncommon: Verizon's data breach report found that 81 percent of all breaches are caused by stolen or weak credentials. And the healthcare industry is particularly vulnerable: In 2017, the number of data breaches totaled 328 worldwide, costing an estimated $1.2 billion. To put that into perspective, consider that the second-most vulnerable industry-technology-experienced only 48 breaches in the same year.

To protect patients’ health records, many organizations have turned to two-factor authentication to maintain data security. The goal is to go beyond passwords and add something unique to the user-making it harder for thieves to spoof.

To meet HIPAA authentication requirements, each factor must be one of the following: a password or security question, a signature or biometric (e.g., fingerprint, voice print, or iris pattern), or a mobile number to receive SMS codes. If a hacker can obtain a password but access also requires an SMS text code, the thinking goes, the organization’s data should remain secure.

However, two-factor authentication isn’t a silver bullet against all security breaches, and even though two methods are better than one, neither is truly foolproof. When implementing two-factor authentication, be wary of these shortcomings:

1. Text codes are convenient but susceptible. 

SMS text codes are one of the most popular authentication methods because of their convenience. Our phones have become an extension of ourselves, and it wouldn’t take long to realize it was missing. But if it doesget stolen, cybercriminals are instantly closer to infiltrating your healthcare organization. In some cases, thieves don’t even need the physical phone. There have been reports of hackers tricking mobile carriers into rerouting calls and texts to another number, after which they change passwords on accounts that use the number as a security backup. 

The mobile market doesn’t have much incentive to increase security, either. Two major networks dominate the market, and the industry has remained one of the slowest to conform to two-factor authentication standards. This means that even if an employee receives the code, hackers could still exploit the network’s vulnerability. 

One solution is to use a time-sensitive code that expires after being sent, shortening the window of time thieves have to hijack the SMS service. You can also add an additional layer of security with 2D codes-square bar codes that read both horizontally and vertically-that hospital employees scan with an app, such as Google Authenticator, before generating the text.

2. User fatigue is a real problem.

Two-factor authentication promises an additional layer of security, but compliance can be burdensome. Perhaps that’s why Google recently revealed that less than one in 10 users have enabled the free two-factor authentication measures it offers. 

Hospital staff members are constantly pressed for time, and the idea of taking extra steps, even if they’re for a good reason, won’t sound appealing. As a result, they’ll be keen on finding ways to get around their own two-factor authentication to save time-making mistakes or ignoring some of the processes altogether. This can cause technical errors and bog down the tech help desk, giving hackers a weak link to exploit. 

To reduce fatigue, personalize two-factor authentication with adaptive risk assessments that analyze each user’s IP address, location, device, and credential behavior every time he or she signs in. The second authentication will only be triggered if an anomaly indicates a potential risk rather than every time an employee signs in. 

3. Trusted devices create liability.

When you label devices as “trusted” within your network, they only require two-factor authentication periodically. If access to the trusted device is compromised, two-factor authentication loses its value. The device doesn’t need to be stolen to be comprised, either. Organizations often forget to update their trusted devices list when employees leave or when devices are lost. As long as those devices remain trusted, they’re a huge liability. 

In addition to routinely updating your list of trusted devices, you can encrypt and password-protect them for added security. You might even consider putting a time limit on how long devices are considered trusted. Limiting who can view sensitive information by implementing role-based access to patient records and protected health information is another way to protect data. 

4. You’re never fully protected.

Once you see improvement in user engagement and lower security risks, it’s easy to become overconfident in your security measures. Remember that two-factor authentication is not people-proof and security threats are constantly evolving. 

An excess of confidence leaves your employees more likely to take the bait of a crafty scheme, especially now that phishing attacks are sneakier than ever. For example, a hacker recently compromised LinkedIn’s two-factor authentication measures by sending seemingly authentic emails to users. Those who opened the link were sent to a fake login screen, where they completed the two-factor authentication process. Hackers could observe and record the session’s cookies and then use them to act as authenticated users.

The trick worked because the only difference between LinkedIn and the email’s origin was an L in place of an I in the URL. Details like this are easy to miss, so make sure every employee carefully examines the origin of any unsolicited or unexpected email-even if it seems authentic.

Two-factor authentication is a significant step toward protecting your organization, but it doesn’t change the fact that healthcare remains one of the most vulnerable industries. Follow the strictest precautions possible, even after implementing two-factor authentication, and utilize additional features to help build up the security it already provides.

Hoala Greevy is the founder and CEO of Paubox, the leading provider of HIPAA-compliant email services. A serial entrepreneur, Greevy also founded Pau Spam, an email filtering software service.