An interesting situation came up recently in a discussion between my significant other and me about when user authentication is necessary and when it becomes prohibitive. The discussion arose after she recently started work at a private hospital. Before this new job she had been doing her nursing clinicals at a local Veterans Affairs (VA) hospital.
She was telling me how much she likes her new job, and in particular how they have set up her login for charting compared with the VA hospital. At the private hospital she works a twelve-and-a-half-hour shift, and she carries an RFID badge with her at all times. The badge is used to access different areas and departments within the hospital and also whenever she logs into a computer terminal.
When she starts her day she inserts her badge into a computer terminal to clock in and read any updates she needs to know before her shift. After inserting the card she enters her username and password to authenticate, and from that point she is authenticated to use the systems for thirteen hours. For the rest of the shift she only needs to insert her badge to access charting and the other systems she needs to do her job.
This differs from the VA hospital. There she also had a badge that let her into different areas of the hospital and was also required to access computer terminals; the key difference is that she had to log in with her username and password every single time she accessed a system.
To many this would seem like the more secure method of authentication and the better solution for the organization; I am not so sure. The reason is that we have to look beyond how the system is designed to work to how it is actually used.
One difference is that it costs the staff more time logging into systems, because at the VA hospital there is a terminal in every room. Each room usually houses one to four patients, and nursing staff are usually responsible for interacting with more than two dozen patients, not counting the times they are pulled in to help in another department or area during their shift. On average, a staff member interacts with about thirty to forty patients in a twelve-hour shift and uses more than fifteen different terminals. That adds up to a lot of time spent just logging in and out.
On top of the added time, and because users depend on logging in so many times per shift, some users have begun writing their credentials down to speed up logins. This is a direct violation of organizational and security policy, but it is happening more and more often nonetheless. To me this defeats the purpose of requiring the login every time: the badge is still required to log in, and if the credentials are written down (usually on the badge itself) then the only thing an attacker needs in order to log in is a duplicated or stolen badge. At that point the two schemes are effectively equivalent in security: a badge with the password on it is no different from logging in once and using the badge alone after the initial login.
The thirteen-hour timeout at the private hospital also limits the use of a stolen badge: once the session expires the badge alone is useless, and a user is not allowed to log back into the system for at least twelve hours. At the VA hospital there is no such window, so anyone holding a badge with the credentials written on it has access to the system at any time. A badge could be stolen from a user after their shift and used that same night, whereas a badge from the private hospital would be invalid for twelve hours; the only way to make meaningful use of it would be to steal it from a staff member during their shift, on hospital grounds.
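As an added illustration that is not part of the original post, the following Python models the two terminal login policies described above and replays the stolen-badge scenarios against each of them. The badge UID, the password, the timestamps and the thirteen-hour window are constructed for the example; the twelve-hour re-login restriction mentioned above is not modelled, only the expiry of the badge-only session.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed credential store for the example (badge UID -> password).
# A real system would hold a salted password hash, never the password.
CREDENTIALS: Dict[str, str] = {"badge-0417": "correct horse battery"}

# Assumption taken from the post: one badge + password login keeps
# badge-only access alive for thirteen hours.
SESSION_WINDOW = timedelta(hours=13)


@dataclass
class TerminalAuth:
    """Login policy enforced at a computer terminal.

    every_time=True  models the VA setup: badge + password at every terminal.
    every_time=False models the private hospital: badge + password once,
                     then badge alone until SESSION_WINDOW has elapsed.
    """
    every_time: bool
    # badge UID -> time of the last successful badge + password login
    sessions: Dict[str, datetime] = field(default_factory=dict)

    def login(self, badge: str, now: datetime, password: Optional[str] = None) -> str:
        if badge not in CREDENTIALS:
            return "denied: unknown badge"
        if password is not None:
            if password != CREDENTIALS[badge]:
                return "denied: bad password"
            self.sessions[badge] = now  # a full login starts a fresh window
            return "ok: badge + password"
        if self.every_time:
            return "denied: password required"
        started = self.sessions.get(badge)
        if started is None or now - started >= SESSION_WINDOW:
            return "denied: session expired, password required"
        return "ok: badge only"


BADGE = "badge-0417"
SHIFT_START = datetime(2024, 3, 4, 7, 0)  # constructed: nurse clocks in at 07:00


def _run_shift(auth: TerminalAuth) -> None:
    """The legitimate user's activity: clock in, then chart mid-shift."""
    auth.login(BADGE, SHIFT_START, CREDENTIALS[BADGE])
    mid_shift = SHIFT_START + timedelta(hours=5)
    # Under the every-time policy the nurse has to type the password again.
    auth.login(BADGE, mid_shift, CREDENTIALS[BADGE] if auth.every_time else None)


def stolen_badge_after_shift(every_time: bool, password_written_on_badge: bool) -> str:
    """Badge taken after the shift; the thief tries a terminal at 21:00."""
    auth = TerminalAuth(every_time=every_time)
    _run_shift(auth)
    thief_time = SHIFT_START + timedelta(hours=14)  # window of 13 h has passed
    thief_password = CREDENTIALS[BADGE] if password_written_on_badge else None
    return auth.login(BADGE, thief_time, thief_password)


def stolen_badge_during_shift(every_time: bool) -> str:
    """Badge taken on hospital grounds mid-shift; thief taps badge only."""
    auth = TerminalAuth(every_time=every_time)
    _run_shift(auth)
    return auth.login(BADGE, SHIFT_START + timedelta(hours=6))


if __name__ == "__main__":
    print("VA, password on badge, after shift: ", stolen_badge_after_shift(True, True))
    print("VA, no password, after shift:       ", stolen_badge_after_shift(True, False))
    print("private, no password, after shift:  ", stolen_badge_after_shift(False, False))
    print("VA, badge only, during shift:       ", stolen_badge_during_shift(True))
    print("private, badge only, during shift:  ", stolen_badge_during_shift(False))
```

The simulation makes the trade-off concrete: with the session window, a badge stolen after the shift is rejected because the window has expired, while a badge stolen during the shift is accepted on its own, which is exactly the residual risk noted above. With the password-every-time policy the outcome depends entirely on whether the password is written on the badge, so the window buys something only as long as staff are not pushed into writing credentials down.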
One thing that is often overlooked in security is functionality. It is not only our job to minimize risk to our organizations; it is also our job to ensure that our security measures have the least possible impact on the users. Again, this was an interesting conversation that I thought I would share, and I hope it gives you something to think about.