It was the late 1990s and I was having dinner in Amsterdam with a senior security manager at HSBC bank. I asked him one simple question, “How safe is online banking?” To which he responded simply, “There isn’t a password in the world that can’t be cracked. If you’re not using a security token (aka ‘two-factor authentication’), your money isn’t safe.” Roll forward almost two decades and two-factor authentication is nearly pervasive, and not just in banking. Log into Twitter, Microsoft 365, or even your iPhone, and chances are you’ve used some form of two-factor authentication to get into your account.
What’s two factor authentication?
It’s a simple concept that significantly reduces the chance of your account being hijacked. Here’s how it works. To log in, you must present something you know (usually a password) plus one additional factor, usually something you have (such as your cellphone, or a desktop computer you have already enrolled). A one-time passcode is sent to that second device, and you enter it along with your password to get in. The code is only good for a short window (often ten minutes or less) and can only be used once, so a code that leaks later is worthless. That’s it!
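To make the mechanism concrete, here is an added example (not code from the original post or from any of the services it names) of the server-side half of that flow in Python: the password is checked first, only then is a single-use code issued, and the code is rejected if it has expired, has already been used, or has been guessed at too many times. The user name, password, ten-minute lifetime, attempt limit and the in-memory stores are all constructed for the example; sending the code by SMS or email is assumed to happen wherever `issue()` hands it back.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 10 * 60   # the ten-minute window described above (assumed)
MAX_ATTEMPTS = 5                  # assumed limit before a code is thrown away


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class SecondFactor:
    """Issues and verifies 'we sent you a code' passcodes (example design, not a real product's)."""

    def __init__(self, lifetime=CODE_LIFETIME_SECONDS, clock=time.time):
        self._pending = {}          # user -> PendingCode; a real system would use a store with TTLs
        self._lifetime = lifetime
        self._clock = clock         # injectable so expiry can be tested without waiting

    def issue(self, user):
        # Draw the code from the CSPRNG, never from random.random().
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # A fresh code replaces any earlier outstanding one for this user.
        self._pending[user] = PendingCode(code, self._clock() + self._lifetime)
        return code                 # hand this to the SMS/email sender; never log it

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False            # nothing outstanding (never issued, expired, or used)
        if self._clock() > entry.expires_at:
            del self._pending[user] # expired: the user must request a new code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user] # too many guesses at a 6-digit code: invalidate it
            return False
        # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
        if not hmac.compare_digest(entry.code.encode(), submitted.encode()):
            return False
        del self._pending[user]     # single use: a replayed code is refused
        return True


# Constructed credential store for the example: salted PBKDF2 hashes, not plaintext.
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def password_ok(user, password):
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(digest, _hash_password(password, salt))


def login_step1(sf, user, password):
    """First factor. Only a correct password causes a code to be issued (and sent)."""
    if not password_ok(user, password):
        return None
    return sf.issue(user)


def login_step2(sf, user, code):
    """Second factor. Returns True only for a fresh, unexpired, unused, correct code."""
    return sf.verify(user, code)


if __name__ == "__main__":
    sf = SecondFactor()
    sent = login_step1(sf, "alice", "correct horse battery staple")
    print("code delivered to alice's phone:", sent)
    print("login with that code:", login_step2(sf, "alice", sent))
    print("replaying the same code:", login_step2(sf, "alice", sent))
```

Two details carry most of the security value: the code is compared in constant time and thrown away after a handful of wrong guesses, because a six-digit code is only a million possibilities and an attacker who already has the password will otherwise just iterate through them; and the code is deleted on first successful use, so the short lifetime is a ceiling, not the only thing stopping a replay.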
Having said that, I’m pretty sure some of you are thinking, “OMG, I have to do what every time I want to log in?”
Why is two factor authentication necessary at all?
Ok, so before you dismiss two-factor authentication as an avoidable time-waster, consider this. Numerous studies have shown that a large share of breaches begin with a compromised user password, whether guessed, phished, or reused from an earlier breach. That is far easier than breaking into a data center where companies host your encrypted data behind armed guards and multiple firewalls.
Let’s face it, most of us have simple passwords that we reuse practically everywhere, from our home Wi-Fi to Netflix to our EHR. So if a hacker gets your password from a less secure site, they can use it to get into more valuable accounts like your EHR. Changing passwords routinely and using long, complex passwords that are unique to each site help, but most of us simply don’t do either. Worse, at the clinic level, staff tend to share login credentials for insurance carrier and regulatory sites, so one leaked password opens the door for everyone who uses it. No wonder hackers have an easy time getting into medical records systems.
My advice is simple: turn on two-factor authentication wherever it is offered. That way, even if your password is compromised, a would-be hacker also has to get hold of your verification code, from a device they don’t have, during the few minutes the code is valid.
Second, when you set up two-factor authentication, make sure the phone number or email address that receives the codes is one only you control, so verification codes don’t land in the wrong hands. A shared clinic inbox or a phone that sits at the front desk defeats the purpose.
Finally, when you’re waiting for that verification code, take solace in the fact that you’ve just made it significantly more difficult for a hacker to steal your sensitive data. For more on the topic, read “Don’t Kill the Password. Change the Password” from Wired magazine.