Sunday, December 6, 2009

Strong Identity Management and Two Factor Web Authentication in Healthcare

Here's a very good article on the various kinds of strong identity management, multifactor and two-factor authentication solutions needed to enforce identity across healthcare systems and processes, recently written by John D. Halamka MD, a self-described Healthcare CIO.

Strong Identity Management

In this article, Dr. Halamka states that he's had a wide range of experience with many of these token-based and tokenless two-factor authentication methods, including security tokens, smart cards, biometrics, certificates, soft tokens, and cell phone-based approaches.

His summarized findings include:

Security tokens - many challenges and prohibitive expenses.
Smart cards - a good consideration, though they require the installation of many readers.
Biometrics - great results, but still requires a major technology upgrade of the existing PC/LAN infrastructure (this is especially challenging in government and healthcare institutions with extremely diverse and aged personal computer and networking systems).
Certificates - "managing certificates for 20,000 users is painful".
Soft tokens - similar challenges for support, maintaining new software across all desktops.

The article then focuses on what appears to be the most effective and efficient solution currently available:

Cell phone-based approaches - popular, easy to support, and very low cost. Companies such as Anakam Inc. offer tools and technology to implement strong identity management over cell phones via text messaging, voice delivery of a PIN, or voice biometric verification. Per the Anakam website, their products achieve full compliance with NIST Level 3, are scalable to millions of users, cost less than hard tokens or smart cards, are installable in the enterprise without added client hardware or software, and are easy to use (all you have to do is answer a phone call or read a text message).

Probably the clearest two-factor authentication choice to make is between token-based identity management solutions and tokenless authentication. Here are some reasons why token-based two-factor authentication isn't necessarily as effective as tokenless user authentication (such as that provided by Anakam).

User authentication tokens and similar devices do not effectively protect against emerging threats such as man-in-the-middle attacks, since they don't use "out-of-band" authentication (i.e. a separate channel for the second factor of authentication). User adoption is a very large obstacle to token-based authentication; an extra device to carry that's vulnerable to many forms of damage and theft simply isn't acceptable. Additionally, significant overhead is required from the IT department to provision the token devices, manage them as assets, and control them, along with training users in their proper use and protection.
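To make the out-of-band idea concrete, here is an added illustration (my own code, not Anakam's product or anything from Dr. Halamka's article) of the server side of a text-message PIN second factor: the PIN is generated for the web session but delivered only to the phone on file, and the verifier enforces the checks a defender wants on that second channel - a short expiry, single use, and a limit on guesses. It assumes a hypothetical send_sms callable standing in for whatever SMS gateway is in use.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_DIGITS = 6          # length of the one-time PIN sent to the phone
PIN_TTL_SECONDS = 300   # the PIN is worthless after five minutes
MAX_ATTEMPTS = 3        # guesses allowed before the challenge is discarded

@dataclass
class PendingChallenge:
    pin_hmac: bytes      # keyed hash of the PIN; the PIN itself is never stored
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS

class OutOfBandAuthenticator:
    """Second factor over a separate channel: the PIN goes to the registered
    phone, and the user types it back into the web session that requested it."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms            # hypothetical gateway hook: send_sms(phone, text)
        self._clock = clock                  # injectable so expiry can be tested
        self._key = secrets.token_bytes(32)  # per-process key for hashing PINs at rest
        self._pending = {}                   # web session id -> PendingChallenge

    def _digest(self, pin):
        return hmac.new(self._key, pin.encode(), "sha256").digest()

    def start(self, session_id, registered_phone):
        """Issue a fresh PIN for this web session and deliver it out of band."""
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        self._pending[session_id] = PendingChallenge(
            self._digest(pin), self._clock() + PIN_TTL_SECONDS)
        # Only the registered phone ever sees the PIN, never the browser session.
        self._send_sms(registered_phone, f"Your sign-in code is {pin}. It expires in 5 minutes.")

    def verify(self, session_id, submitted_pin):
        """True only for the right PIN, within its lifetime, on its first successful use."""
        ch = self._pending.get(session_id)
        if ch is None or self._clock() > ch.expires_at:
            self._pending.pop(session_id, None)   # expired or never issued
            return False
        ch.attempts_left -= 1
        ok = hmac.compare_digest(self._digest(submitted_pin), ch.pin_hmac)
        if ok or ch.attempts_left <= 0:
            del self._pending[session_id]         # single use; lock out after MAX_ATTEMPTS
        return ok
```

Because the PIN travels over the phone channel and the answer over the web channel, an attacker relaying only the web session never sees the code; the expiry and attempt limit keep a six-digit code from being guessed online.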
