New security enhancements: password complexity and multi-factor authentication

There has recently been an interesting debate between HosPortal and our customers about the merits of various security enhancements and privacy controls. We are aware that many of our customers want their data stored in Australia. This has been available for an additional fee (because of costs related to some aspects of our software architecture), but it will soon be the default for all Australian customers. More interesting has been the discussion about password complexity and multi-factor authentication (MFA), both of which we will soon have implemented at the request of a customer.

For those who are interested in password complexity and who reflect, as we do, on how silly some of the industry-standard rules are, it is worth reading this article about the zxcvbn algorithm, developed by Dropbox and now implemented in HosPortal. Although the article is quite old, the principles it explores are still valid, which is all the more reason to be surprised that it is not used more widely. The algorithm is considered a good measure of real password strength, estimating how many guesses an attacker would actually need rather than counting character classes, and so protects against a range of real-world attacks. You can experiment with an implementation of the algorithm here (although we recommend you do not test it by entering your actual personal passwords).
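As an added illustration (not HosPortal's code, and not the real zxcvbn library), the snippet below contrasts a classic composition-rule check with a hand-written guess-count estimate in zxcvbn's spirit; the word list, the multipliers and the 1e10 threshold are constructed for this example.

```python
import re

# Constructed mini word list standing in for zxcvbn's ranked dictionaries:
# a word's rank is roughly how many guesses an attacker needs to reach it.
COMMON_WORDS = ["password", "123456", "qwerty", "hospital", "doctor", "roster"]

# Letter-for-symbol substitutions that composition rules reward but that
# cracking tools try almost for free.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s"})

MIN_GUESSES = 1e10  # threshold chosen for this illustration


def passes_composition_rules(pw: str) -> bool:
    """The classic rule set: 8+ chars with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def estimate_guesses(pw: str) -> float:
    """Rough guess count in zxcvbn's spirit: undo leet and casing, price each
    dictionary hit by its rank, and brute-force only what is left over."""
    remaining = pw.translate(LEET).lower()
    guesses = 1.0
    for rank, word in enumerate(COMMON_WORDS, start=1):
        if word in remaining:
            guesses *= rank * 4  # x2 for casing variants, x2 for leet variants
            remaining = remaining.replace(word, "", 1)
    if remaining:
        # Leftover characters cost a full brute-force search over their charset.
        charset = 0
        if re.search(r"[a-z]", remaining):
            charset += 26
        if re.search(r"[0-9]", remaining):
            charset += 10
        if re.search(r"[^a-z0-9]", remaining):
            charset += 33
        guesses *= charset ** len(remaining)
    return guesses


def evaluate(pw: str) -> dict:
    """Show how the two approaches judge a candidate password."""
    guesses = estimate_guesses(pw)
    return {"rules_pass": passes_composition_rules(pw),
            "guesses": guesses,
            "strong": guesses >= MIN_GUESSES}


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "correct horse battery staple"]:
        print(candidate, evaluate(candidate))
```

The rule-based check accepts "P@ssw0rd1!" while the estimator prices it at only a few thousand guesses; the passphrase fails the rules but costs far more to guess.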

We have deliberately been slow to implement MFA, but we are aware that we are increasingly swimming against the river of expectations for cloud-based logins (and the flow of that river is increased by articles like this one). Our target users, being doctors, are often not keen on a two-step login when they need to find something in a hurry. The sensitivity of the information, and the volume of data that people can access through their login, are both relatively low: HosPortal often replaces roster and contact information that would otherwise be kept on public display or stored on shared drives at many hospitals. MFA also means that it is not possible to have generic logins that hospitals can issue to the switchboard or nursing stations for read-only access.

We have listened to some strongly held views from our customers and have now enabled a minimum password complexity, along with the option to turn on MFA for your users. We know that many doctors hate both of these changes. But the times are changing, and we have at least implemented a system that is usable while genuinely protecting user accounts, rather than just pretending to do so.
