I just think they should be able to opt out. Its up to the patient what their security posture is. If they don’t want it, they shouldnt be forced to have it. Just have them sign away their rights to sue the hospital or something along those lines.
I’m open to hearing an argument why it should be forced to use MFA even if the patient doesnt want it. I know at least one hospitaly company works with that has it optional for patients who want it.
dan@upvote.au 2 months ago
MFA doesn’t really help much in the case of a tech illiterate person though, since TOTP codes can be phished just like username and password can. A scammer that calls them will just ask for the code in addition to the username and password.
My employer uses Yubikeys with FIDO2/WebAuthn for two factor auth, but that’s probably too complex for a non technical person to figure out (even if it’s basically just “press the button when it tells you to”).
yetAnotherUser@discuss.tchncs.de 2 months ago
Well, TOTP prevents at least these attack vectors, even for tech-illiterate people:
With TOTP there must be at least some contact between the “hacker” and the victim.