As we debate the necessity of various authentication factors, particularly for issues faced with basic passwords, it’s good to take a step back and remember how we got here. There are key three types of authentication when using an application in your veterinary practice.
The 3 Common Types of Authentication\Passwords
1. “Something you know,” This used to be something you memorized, but it turns out that this take on password management is terrible. You ARE using unique passwords for every account, right? … Right? You’re not one of those hospitals that has your passwords written on sticky notes stuck to your monitors, right?
2. “Something you have,” meaning something that can’t be possessed by more than one entity at a time. This could be something that is too difficult to copy or generate independently, that is tied to storage and can’t be removed, or that exists as a unique physical item (such as a hard token or a key).
3. “Something you are,” referring to an attribute that is physically unique to an individual, such as a fingerprint, a palmprint, a retinal pattern, a gait, a typing pattern, or even a heartbeat. We see these types of password methods becoming more and more popular when Apple released Face ID on the iPhone 10. We now see the likes of Microsoft and Google following suite.
Each of these comes with a downside:
“Something you know” = “Something you forgot,” or “Something that someone tricked out of you.”
A password that is guessed or derived … is not a secret any more. Worse yet, it can be silently stolen without anyone noticing. When ever I walk into a new practice I always take notice of how many passwords I can gather without ever asking anyone for it. To many practice managers and owners it’s one of the biggest surprises of our IT security assessment. This method of password management is the easiest the cheapest factor, in the sense that it can be created, changed, expanded, distributed and used without having to buy any extra technology. If you ever forget your password in most cases you have to answer a series of questions that previously filled out when making the account. For example, favorite pet, street you grew up on, favorite food etc. But any of that information is increasingly available on the Internet, or can be tricked out of the user through phishing or social media “quizzes.”
“Something you have” = “Something you lost,” or “Something you broke.”
One of the biggest threats today is SIM theft, in which an attacker manages to steal an assigned mobile phone number so that they can receive texted authentication codes. This is nefarious because once again, it can be stolen silently; the victim still has the physical phone but may not realize that the number has been assigned to someone else until it’s too late. Now when your bank account sends you a unique text message to allow you to enter your account. The hacker is getting that code and can log in. Generally speaking, if a user loses the “something you have,” the fallback is “something you know,” which we’ve just discussed above.
“Something you are” = “Something that aged”
The problem with biometrics is that you can’t change your retinal patterns or fingerprints if the records of them are stolen. Covid has revealed some problems with biometrics. For example: If you’re wearing a mask, FaceID doesn’t work; shared fingerprint readers aren’t sanitary these days. PPE creates for a number of biometric issues for veterinary hospitals. Not only are we wearing masks with COVID19 but gloves, protective glasses etc. I have one rule when it comes to security technology. If its a PIA (pain in the a**) no one is going to use it. But in the case of veterinary practices biometers, while a great security measure, are a total pain to implement leading users to find ways to by pass them. But biometrics are extremely convenient as a factor because you can’t forget them, you can’t leave them behind in the taxi, and chances are good that nobody can steal the originals without you noticing (water glasses in spy movies aside).
Someone is trying to log in at the user’s PC with the real staff member’s username and password.
The real user walked away from their unlocked computer and now an attacker is trying to use it.
Someone is remotely connected to the staff member’s computer and is trying to pretend to be the user sitting at that computer.
Someone is trying to log in with the real staff member’s username and password from a different system (such as a compromised computer in a botnet attack).
The real user is trying to log in, but the computer is compromised and could be used to steal the username and password, or plant malware.
The real user is trying to log in from one location, but someone else is also trying to log in as that user from a different location.
Someone has gained access to the real staff member’s username, password, and second factor (such as a token or phone number for receiving SMS texts), and is trying to log in from a different device.
Someone is listening in on the network stream and trying to hijack the staff member’s session in progress.
When we look at the threats facing veterinary hospitals, we come up with these sorts of attacks and more. We often run through a whole laundry list of possible attacks whenever we’re looking at a new practice. Then we have to pick the proper protections that address as many of the risks as possible.
Protections for Password Risks
A 2FA (Two Form factor Authentication) that is physically separate from a user’s laptop would protect against 1, 2, 3, 4, and 6 listed in the previous section. Assuming that the user has that device with them and doesn’t leave it near the laptop.
A session timeout, requiring reauthentication, is often used to protect against 2, 3, and to some extent 8.
Marking a laptop as trusted, bound specifically to the user, is used to prevent 4, 6, and 7. We see this a lot when staff members access outside resources like banking and pharmacy related needs.
Ensuring that the network connection is encrypted all the way between the staff member and the application protects against 8.
Using a biometric password is intended to protect against 1, 2, 3, 4, 6, and 7, but that’s assuming that the user isn’t under duress (being forced by an attacker to supply it).
Checking the staff members device for any evidence of compromise is meant to protect against 2, 3, and 5.
Using a second factor such as a Ubikey, that requires a physical response from the user to activate, also protects against 3 and 5. It proves that the user is actually present and intends to authenticate.
Creating Additional Controls
For added protection set policy controls, using other factors, as guardrails. Factors such as location (either by GPS or IP address) can help to narrow down the vectors of attack if, for example, you never expect a user to try to authenticate from anyplace other than a certain network or geographic region. We also see a lot of veterinary requesting location controls when they use cloud based practice management systems. Unfortunately, not a lot of cloud based PIMs allow for this protection. Which places your veterinary hospital at a greater risk. But we know that IP addresses aren’t foolproof — all you have to do is gain access to a system on the “right” network. So these can’t be the sole authentication factors to rely on. Think of these more as a narrowing function: you are blocking more attacks right from the outset, leaving fewer to sift through and validate.
As you can see, there are layers upon layers of defense that you can build to try to address the most common risk scenarios facing your veterinary practice. But you also have to take into account the downsides of each factor when installing the solution. If you have an endlessly changing roster of receptionists and vet techs using the same practice management system, you can’t register a biometric or phone app for each of them, make each of them log in and out of accounts if they are rushing to serve a line of customers, or make them all share a hard token. The modern veterinary hospital ends up with a portfolio of factors, deployed where they work the best and where they address the right risks.
Clint Latham J.D.
Lucca Veterinary Data Security