4. 2-Factor Authentication versus Multi-Factor Authentication for HIPAA
What is 2-factor authentication (2FA) vs multi-factor authentication (MFA)?
2-factor authentication is a security measure in which users must confirm their identity by providing exactly two pieces of proof before they are granted access to a device (e.g. computer, phone), application or system.
Multi-factor authentication is a security measure in which users must confirm their identity by providing two or more pieces of proof before they are granted access to a device (e.g. computer, phone), application or system. It can therefore involve exactly two factors, or more than two. (The factors themselves are described below.)
Both 2-factor and multi-factor authentication provide at least one additional layer of security (if not multiple layers) to an account to prevent a stranger from logging in, with or without a password.
What Are the Authentication Factors?
Whenever a user is accessing sensitive and/or personal information (e.g. email, corporate payroll files, digital health records, etc.), they need to confirm their identity before they are allowed access. When we say "factors," we are referring to the following potential ways a user can prove who they are:
- Knowledge (what the user knows): the user provides particular information only they know, such as a password/passcode, responses to challenge questions, PIN, TAN, etc.
- Possession (what the user has): the user provides an item (or a series of items) they have, such as a USB stick containing a secret token, a bank credit/debit card, a key, YubiKey, a single-use password, etc.
- Inherence (who the user is): some characteristic that is distinctive to the user, such as a fingerprint, eye/iris/retina scan, voice recognition, typing speed, pattern in key press intervals, etc.
- Location (where the user is): a connection to a particular computing network or employing a GPS signal to detect the user's location.
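The following is an added example (not MAXtech's code) showing how the four factor categories above translate into an access decision. It assumes a constructed user record, a constructed corporate network range, and a constructed set of evidence kinds; the hashing and TOTP routines are standard (PBKDF2 and RFC 6238) rather than any specific product's. The check a practitioner most often gets wrong is visible in the code: a password plus a challenge-question answer are two pieces of proof but only one factor (both are knowledge), so they do not satisfy a two-factor policy.

```python
"""Factor-category policy check built on the four categories in the text.

Added example, not MAXtech's code. The evidence kinds, the sample user record,
the salt and the trusted network range are all constructed for illustration.
"""
import hashlib
import hmac
import ipaddress
import struct
import time
from typing import Iterable, Optional, Set, Tuple

# Map each kind of evidence a user can present to its factor category.
# Two pieces of evidence from the same category count as ONE factor.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_answer": "knowledge",
    "totp": "possession",          # code from an authenticator app or hardware token
    "fingerprint": "inherence",
    "corporate_network": "location",
}

# Constructed sample user record: secrets are kept as salted PBKDF2 hashes,
# the TOTP key is a shared secret, the fingerprint is a placeholder template id.
SALT = b"constructed-salt"


def _hash(secret: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, SALT, 100_000)


USER = {
    "password_hash": _hash(b"correct horse"),
    "pin_hash": _hash(b"4821"),
    "security_answer_hash": _hash(b"rover"),
    "totp_key": b"constructed-totp-key",
    "fingerprint_template": "template-id-7",
}
TRUSTED_NETWORK = ipaddress.ip_network("10.20.0.0/16")  # constructed corporate range


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time window containing `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(kind: str, value: str, now: int) -> bool:
    """Check one piece of evidence against the stored user record."""
    if kind in ("password", "pin", "security_answer"):
        return hmac.compare_digest(USER[kind + "_hash"], _hash(value.encode()))
    if kind == "totp":
        # Accept the current window and one on either side to tolerate clock drift.
        return any(hmac.compare_digest(totp(USER["totp_key"], now + d), value)
                   for d in (-30, 0, 30))
    if kind == "fingerprint":
        return value == USER["fingerprint_template"]   # stands in for a biometric match
    if kind == "corporate_network":
        return ipaddress.ip_address(value) in TRUSTED_NETWORK
    return False


def verified_factors(evidence: Iterable[Tuple[str, str]],
                     now: Optional[int] = None) -> Set[str]:
    """Return the set of DISTINCT factor categories the presented evidence proves."""
    now = int(time.time()) if now is None else now
    return {FACTOR_CATEGORY[kind] for kind, value in evidence if verify(kind, value, now)}


def mfa_satisfied(evidence: Iterable[Tuple[str, str]], required: int = 2,
                  now: Optional[int] = None) -> bool:
    """True when at least `required` different categories were verified."""
    return len(verified_factors(evidence, now)) >= required


if __name__ == "__main__":
    t = 1_700_000_000                      # fixed clock so the run is reproducible
    code = totp(USER["totp_key"], t)
    # Two knowledge proofs: not two-factor.
    print(mfa_satisfied([("password", "correct horse"), ("security_answer", "rover")], now=t))
    # Knowledge + possession: two-factor.
    print(mfa_satisfied([("password", "correct horse"), ("totp", code)], now=t))
```

The policy deliberately counts categories rather than credentials, which is the distinction between "two pieces of proof" and "two factors". Raising `required` to 3 turns the same function into a stricter multi-factor policy without changing any of the verification code.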
HIPAA Factor Authentication Requirements
HIPAA rules require covered entities to confirm that users looking for access to electronic protected health information (ePHI) have the necessary authorization. Two-factor authentication addresses this HIPAA requirement, and multi-factor authentication takes it a step further.
MAXtech Can Help You
At MAXtech, we specialize in helping healthcare providers and other covered entities ensure they remain HIPAA compliant. To find out whether or not your business meets this and other HIPAA requirements, contact us to schedule a free HIPAA assessment.